CVE Identifier: CVE-2018-1214
Severity: Critical (in specific limited configurations, see note below)
Affected products: Dell EMC SupportAssist Enterprise 1.1 and upgrade to 1.2 (Windows OS Management Station versions only)
Dell EMC SupportAssist Enterprise 1.2.1 contains fixes for an undocumented default account vulnerability that could potentially be exploited by unauthorized users to compromise the affected system.
SupportAssist Enterprise version 1.1 creates a local windows user account named "OMEAdapterUser" with a default password as part of the installation process. This unnecessary user account also remains even after upgrade from v1.1 to v1.2. Access to the management console can be achieved by someone with knowledge of the default password.
If SupportAssist Enterprise is installed on a server running OpenManage Essentials (OME), the OmeAdapterUser user account is added as a member of the OmeAdministrators group for the OME. An unauthorized person with knowledge of the default password and access to the OME web console could potentially use this account to gain access to the affected installation of OME with OmeAdministrators privileges.
The following Dell EMC SupportAssist Enterprise release contains resolutions to these vulnerabilities:
OmeAdapterUser user account can be deleted manually. Deleting this user account does not affect the functionality of SupportAssist Enterprise or OpenManage Essentials.
Link to remedies:
Customers can download software from the Dell EMC SupportAssist Enterprise Version 1.2.1 Windows Management Server page.
Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Article ID: SLN308843
Last Date Modified: 05/04/2018 02:25 PM