Product Vendor

Tegile Systems/Western Digital

Product Description

Tegile IntelliFlash is an enterprise storage solution, encompassing flash and hybrid arrays designed to deliver performance and economics for a wide range of workloads. The official website is https://www.westerndigital.com.

Affected Version(s)

Tested on Tegile IntelliFlash OS version 3.7.08.180413(GA)

Vulnerability Details

The Tegile IntelliFlash OS was affected by a password disclosure vulnerability. The web interface stored passwords in cleartext. By inspecting the source code of the web interface, an attacker could retrieve passwords.

Vulnerability List 

One vulnerability was identified within the Tegile IntelliFlash application:

  • Password Disclosure 

This vulnerability is described in the following sections.

Impact

An attacker could view passwords – including those necessary for servers, virtual platforms, and protocols – upon successful exploitation of this vulnerability. 

Vulnerability Details

CVE ID: CVE-2019-6464

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-200

CVSS Base Score: 4.9

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Password Disclosure

By inspecting the source code, an authenticated user could retrieve the cleartext passwords for SMTP, SNMP, VMware, and Windows servers, as shown in the figure below:

Using the same technique, a malicious user could view the password in other fields.

The figure below shows the password for the VMware vCenter server:

To exploit this vulnerability, the attacker must be an authenticated user.
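
An audit check for the pattern described above, added here as an example and not taken from the advisory or the vendor's code: it parses rendered HTML and reports secret-bearing inputs whose value attribute is pre-filled. The markup, field names, and SECRET_HINTS list are constructed assumptions, since the advisory does not show the product's actual markup.

```python
from html.parser import HTMLParser

# Constructed sample markup (not taken from the product): the first page
# echoes stored secrets back to the browser, the second does not.
LEAKY_PAGE = """
<form id="smtp">
  <input type="text" name="smtpUser" value="alerts@example.test">
  <input type="password" name="smtpPassword" value="Constructed-Secret-1">
  <input type="hidden" name="snmpCommunity" value="constructed-community">
</form>
"""
HARDENED_PAGE = """
<form id="smtp">
  <input type="text" name="smtpUser" value="alerts@example.test">
  <input type="password" name="smtpPassword" value="" placeholder="unchanged">
  <input type="hidden" name="csrfToken" value="constructed-token">
</form>
"""

# Field-name fragments treated as secrets (assumption; tune per application).
SECRET_HINTS = ("pass", "pwd", "secret", "community")

class SecretFieldAuditor(HTMLParser):
    """Collects <input> elements that carry a stored secret in `value`."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "") or a.get("id", "")
        is_secret = (a.get("type", "").lower() == "password"
                     or any(h in name.lower() for h in SECRET_HINTS))
        if is_secret and a.get("value", "").strip():
            # Report field name, type and length only, never the secret.
            self.findings.append((name, a.get("type", "text").lower(), len(a["value"])))

def audit(html):
    parser = SecretFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("hardened", HARDENED_PAGE)):
        print(label, audit(page))
```

A page passes when `audit` returns an empty list, meaning the server keeps stored credentials server-side and accepts a new value only when the field is submitted non-empty.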

Solution

TBD – as of this publication, none exists.

Disclosure Timeline

• 12/12/2018: Initial discovery
• 01/16/2019: First contact with vendor
• 05/14/2019: Vulnerability publicly disclosed

Researcher

Thiago Campos, Senior Security Analyst