March 31, 2021 FN47
Undocumented Default Cryptographic Key Vulnerability in Cohesity DataPlatform [CVE-2021-28123]
Problem Description
An undocumented default SSH key is present in Cohesity DataPlatform versions 6.3 prior to 6.3.1g, 6.4 up to 6.4.1c, and 6.5.1 through 6.5.1b. The key can give an attacker access to the underlying Linux system on affected versions.
Impact
The vulnerability gives an attacker access to the Linux shell of the Cohesity DataPlatform cluster with superuser privileges.
CVSS Base Score : 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Resolution
To remediate the vulnerability, Cohesity recommends upgrading the cluster to 6.3.1g or 6.5.1c. If running 6.4.1c, contact Cohesity Support for a patch. Customers currently on release 6.5.1c or later, or on 6.6 or later, are not vulnerable to this issue and can disregard this advisory.
Additional Information:
Until the upgrade is applied, the vulnerability can be mitigated by restricting SSH access to trusted hosts only, using the host firewall feature supported on the Cohesity DataPlatform. This reduces exposure but does not remove the key; the upgrade is the fix.
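The problem described above, a default SSH public key that authenticates anyone holding the matching private key, is detectable with the same check worth running after the upgrade: compare every entry in the nodes' authorized_keys files against the fingerprints of keys your team actually issued. The Python below is an added example, not Cohesity's code or the researchers'. It parses authorized_keys lines (including option prefixes such as from= and no-pty), computes the SHA256: fingerprint in the form ssh-keygen -lf prints, and flags entries that are unapproved, mislabelled (prefix token disagrees with the key blob) or malformed. The sample file, the 32-byte "public keys" and the allowlist are all constructed for the demo.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of fingerprints.
Added example, not Cohesity code. Key blobs are constructed: the 32-byte "public
keys" are hash output, not real Ed25519 points, so they parse but never authenticate."""
from __future__ import annotations
import base64
import hashlib
import shlex
import struct

# Key-type tokens that may begin an authorized_keys entry (after optional options).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf`: unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(blob: bytes) -> str:
    """Key type embedded in the wire-format blob: uint32 length followed by the string."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()

def parse_line(line: str):
    """Return (options, key_type, blob_b64, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # keeps from="10.0.0.0/8,10.1.0.0/16" as one token
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return ",".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError(f"no recognised key type: {line!r}")

def audit_authorized_keys(text: str, approved: set[str]) -> list[dict]:
    """Classify each key as approved, unapproved, type-mismatch or malformed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        try:
            parsed = parse_line(raw)
        except ValueError:
            findings.append({"line": lineno, "status": "malformed", "fingerprint": None,
                             "options": "", "comment": ""})
            continue
        if parsed is None:
            continue
        options, key_type, blob_b64, comment = parsed
        try:
            blob = base64.b64decode(blob_b64, validate=True)
            embedded = blob_key_type(blob)
        except (ValueError, struct.error, UnicodeDecodeError):
            findings.append({"line": lineno, "status": "malformed", "fingerprint": None,
                             "options": options, "comment": comment})
            continue
        fp = fingerprint(blob)
        if embedded != key_type:
            status = "type-mismatch"   # prefix token disagrees with the blob itself
        elif fp in approved:
            status = "approved"
        else:
            status = "unapproved"      # a key nobody on the team issued
        findings.append({"line": lineno, "status": status, "fingerprint": fp,
                         "options": options, "comment": comment})
    return findings

def constructed_ed25519_blob(seed: str) -> bytes:
    """Constructed blob: string("ssh-ed25519") || string(32 bytes). Not a real key."""
    fake_point = hashlib.sha256(seed.encode()).digest()
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + fake_point

def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

ADMIN_BLOB = constructed_ed25519_blob("key issued by the ops team")
DEFAULT_BLOB = constructed_ed25519_blob("undocumented key baked into the image")

# Real deployments populate this from `ssh-keygen -lf` output for keys they issued.
APPROVED_FINGERPRINTS = {fingerprint(ADMIN_BLOB)}

# Constructed sample: one legitimate key, one unexplained default key,
# one entry whose prefix lies about its type, and one unparsable line.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    f"ssh-ed25519 {b64(ADMIN_BLOB)} admin@ops",
    f'no-pty,from="10.0.0.0/8" ssh-ed25519 {b64(DEFAULT_BLOB)} default',
    f"ssh-rsa {b64(ADMIN_BLOB)} mislabelled",
    "ssh-ed25519 not-base64!!",
])

def main() -> None:
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {f['line']:>2}  {f['status']:<13} {f['fingerprint'] or '-':<50} {f['comment']}")

if __name__ == "__main__":
    main()
```

Run it against the authorized_keys file of every account sshd accepts (root included) on each node. An entry whose fingerprint is not on your list, particularly one with no meaningful comment, is exactly the kind of key this advisory describes. On a vendor appliance, confirm with support before deleting a key the platform itself may rely on; restricting the entry with a from= option and the host firewall narrows exposure until the upgrade is applied.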
Software downloads are available here: http://downloads.cohesity.com
If you have any questions, please reach out to Cohesity Support by email: support@cohesity.com
Vulnerability Type
Incorrect Access Control
Vendor of Product
Cohesity, Inc
Affected Product Code Base
Cohesity DataPlatform versions 6.3 prior to 6.3.1g, 6.4 up to 6.4.1c, and 6.5.1 through 6.5.1b.
Affected Component
SSH Access
Attack Type
Remote
Impact Information Disclosure
True
Attack Vectors
To exploit the vulnerability, an attacker needs network access to the cluster's SSH service.
Has vendor confirmed or acknowledged the vulnerability?
True
Discoverer
Cohesity acknowledges the efforts of Karlsruhe Institute of Technology researchers Thorsten Tuellmann and Heiko Reese who identified the vulnerability and participated in its responsible disclosure.