Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

March 31, 2021 FN47

Undocumented Default Cryptographic Key Vulnerability in Cohesity DataPlatform [CVE-2021-28123]

Problem Description

Undocumented Default Cryptographic Key Vulnerability in Cohesity DataPlatform version 6.3 prior 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. The ssh key can provide an attacker access to the linux system in the affected version.

Impact

The vulnerability provides an attacker access to the Cohesity DataPlatform cluster Linux interface at super user privilege.

CVSS Base Score : 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Resolution

To remediate the vulnerability, Cohesity recommends upgrading the cluster to 6.3.1g, 6.5.1c. If running 6.4.1c contact support for patch. Customers currently on release 6.5.1c or above, 6.6 or later are not vulnerable to this issue and can disregard this advisory.

Additional Information:

The vulnerability can be mitigated by restricting the ssh to trusted hosts only using the host firewall feature supported on the Cohesity DataPlatform.

Software downloads are available here: http://downloads.cohesity.com If you have any questions, please reach out to Cohesity Support. email: support@cohesity.com

Vulnerability Type

Incorrect Access Control

Vendor of Product

Cohesity, Inc

Affected Product Code Base

Cohesity DataPlatform - Affected versions are Cohesity DataPlatform versions 6.3 prior to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b.

Affected Component

SSH Access

Attack Type

Remote

Impact Information Disclosure

True

Attack Vectors

To exploit the vulnerability attacker needs network access to cluster

Has vendor confirmed or acknowledged the vulnerability?

True

Discoverer

Cohesity acknowledges the efforts of Karlsruhe Institute of Technology researchers Thorsten Tuellmann and Heiko Reese who identified the vulnerability and participated in its responsible disclosure.