------------------------------------------------------------------------
Command injection vulnerability in EMC Secure Remote Services Virtual
Edition
------------------------------------------------------------------------
Han Sahin, November 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A command injection vulnerability was found in EMC Secure Remote
Services Virtual Edition (ESRS VE) that allows an attacker to execute
arbitrary system commands and take full control over ESRS VE.

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
EMC reports that the following versions are affected by this
vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2015-0525
- ESA-2015-040: EMC Secure Remote Services Virtual Edition Security
  Update for Multiple Vulnerabilities

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
EMC released EMC Secure Remote Services Virtual Edition 3.04 that
resolves this vulnerability. Registered EMC Online Support customers can
download patches and software from support.emc.com at:

EMC Secure Remote Services -> EMC Secure Remote Services Virtual Edition
-> Downloads

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20141112/command_injection_vulnerability_in_emc_secure_remote_services_virtual_edition.html