Dell EMC SupportAssist Enterprise (Server, Storage, Networking) - Undocumented Default Account Vulnerability

CVE Identifier: CVE-2018-1214

Severity: Critical (in specific limited configurations, see note below)

Affected products: Dell EMC SupportAssist Enterprise 1.1 and upgrade to 1.2 (Windows OS Management Station versions only)

Summary:

Dell EMC SupportAssist Enterprise 1.2.1 contains fixes for an undocumented default account vulnerability that could potentially be exploited by unauthorized users to compromise the affected system.

Details:

SupportAssist Enterprise version 1.1 creates a local windows user account named "OMEAdapterUser" with a default password as part of the installation process. This unnecessary user account also remains even after upgrade from v1.1 to v1.2.  Access to the management console can be achieved by someone with knowledge of the default password. 

If SupportAssist Enterprise is installed on a server running OpenManage Essentials (OME), the OmeAdapterUser user account is added as a member of the OmeAdministrators group for the OME. An unauthorized person with knowledge of the default password and access to the OME web console could potentially use this account to gain access to the affected installation of OME with OmeAdministrators privileges. 

Note: The (critical) severity level is based on configurations where SupportAssist Enterprise is installed on a server running OME with fee-based Server Configuration Management feature enabled. Dell EMC recommends that customers take into account any deployment factors that may be relevant to their environment to assess their overall risk.

Note: Linux versions of SupportAssist Enterprise v1.1 and upgrade to v1.2 are not affected by this issue.

Note: The issue did not impact any other enterprise or end user version of SupportAssist.

Resolution:

The following Dell EMC SupportAssist Enterprise release contains resolutions to these vulnerabilities:

• Dell EMC SupportAssist Enterprise version 1.2.1

Dell EMC recommends all customers upgrade to v1.2.1 immediately.

Workaround:

OmeAdapterUser user account can be deleted manually. Deleting this user account does not affect the functionality of SupportAssist Enterprise or OpenManage Essentials.

Link to remedies:

Customers can download software from the Dell EMC SupportAssist Enterprise Version 1.2.1 Windows Management Server page.

Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.