Tegile Systems/Western Digital
Tegile IntelliFlash is an enterprise storage solution, encompassing flash and hybrid arrays designed to deliver performance and economics for a wide range of workloads. The official website is https://www.westerndigital.com.
Tested on Tegile IntelliFlash OS version 3.7.08.180413(GA)
The Tegile IntelliFlash OS was affected by a password disclosure vulnerability. The web interface stored passwords in cleartext. By inspecting the source code of the web interface, an attacker could retrieve passwords.
One vulnerability was identified within the Tegile IntelliFlash application:
An attacker could view passwords - including those necessary for servers, virtual platforms, and protocols - upon successful exploitation of this vulnerability.
CVE ID: CVE-2019-6464
Access Vector: Remote
Security Risk: Medium
Vulnerability: CWE-200
CVSS Base Score: 4.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
By inspecting the source code, an authenticated user could retrieve the cleartext passwords for SMTP, SNMP, VMWare, and Windows servers, as shown in the figure below:
Using the same technique, a malicious user could view the password in other fields.
The figure below shows the password for the VMWare vCenter server:
To exploit this vulnerability, the attacker must be an authenticated user.
TBD - as of this publication, none exists.
• 12/12/2018: Initial discovery
• 01/16/2019: First contact with vendor
• 05/14/2019: Vulnerability publicly disclosed
Thiago Campos, Senior Security Analyst at Bishop Fox