March 31, 2021 FN47
Man-in-the-middle Vulnerability in Cohesity Support Channel [CVE-2021-28124]
Problem Description
A man-in-the-middle vulnerability exists in the Cohesity DataPlatform support channel in versions 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. Missing server authentication in impacted versions can allow an attacker to man-in-the-middle (MITM) a support channel UI session to the Cohesity DataPlatform cluster.
Impact
This vulnerability could expose the Cohesity cluster UI password when it is used by a Cohesity support engineer over the support channel. The support channel uses only public-key authentication to access SSH on customer systems, and the same attack is not possible against SSH because of the way the session key is agreed upon.
CVSS 3.1 BASE score 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
Resolution
To remediate the vulnerability, Cohesity recommends applying the patch 6.3.1g-Hotfix1 if running 6.3.1g, applying 6.4.1c-Hotfix10 if running 6.4.1c, or upgrading the cluster to 6.5.1c or later. Customers currently on release 6.5.1c or above are not vulnerable to this issue and can disregard this notice.
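The affected ranges and fixes listed in this notice, expressed as a triage check over a cluster inventory. This is an added example, not Cohesity code; it assumes version strings take the forms shown in this notice (such as 6.4.1c-Hotfix10) and that hotfix numbers are cumulative, and the cluster names are constructed placeholders.

```python
import re

# Accepts only the version forms that appear in this notice:
# "6.3", "6.3.1g", "6.4.1c-Hotfix10".
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]?)(?:-Hotfix(\d+))?")

def parse(version):
    """Return a sortable tuple (major, minor, patch, letter, hotfix)."""
    m = _VERSION.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognized version string: {version!r}")
    major, minor, patch, letter, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), letter, int(hotfix or 0))

# (first affected, first fixed, hotfix for that release line or None),
# taken from the Problem Description and Resolution text.
AFFECTED = [
    ("6.3", "6.3.1g-Hotfix1", "6.3.1g-Hotfix1"),
    ("6.4", "6.4.1c-Hotfix10", "6.4.1c-Hotfix10"),
    ("6.5.1", "6.5.1c", None),
]
UPGRADE_TARGET = "6.5.1c"

def remediation(version):
    """Return remediation targets if `version` is affected, else [].

    Assumption: hotfix numbers are cumulative, so a build at or above the
    listed hotfix level keeps the fix. Versions outside the listed ranges
    return [] because the notice does not list them as affected.
    """
    v = parse(version)
    for first_affected, first_fixed, hotfix in AFFECTED:
        if parse(first_affected) <= v < parse(first_fixed):
            options = [UPGRADE_TARGET]
            # The hotfix applies only when already on its base release.
            if hotfix and v[:4] == parse(hotfix)[:4]:
                options.insert(0, hotfix)
            return options
    return []

if __name__ == "__main__":
    # Constructed inventory; cluster names are placeholders.
    inventory = {"cluster-a": "6.3.1g", "cluster-b": "6.4.1c-Hotfix5",
                 "cluster-c": "6.5.1a", "cluster-d": "6.5.1c"}
    for name, ver in inventory.items():
        fix = remediation(ver)
        status = "AFFECTED, move to " + " or ".join(fix) if fix else "not listed as affected"
        print(f"{name}: {ver}: {status}")
```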
Additional Information:
Software downloads are available here: http://downloads.cohesity.com
If you have any questions, please reach out to Cohesity Support. Email: support@cohesity.com
Vulnerability Type
Incorrect Access Control
Vendor of Product
Cohesity, Inc
Affected Product Code Base
Cohesity DataPlatform - Affected versions are Cohesity DataPlatform versions 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b.
Affected Component
Support Channel
Attack Type
Remote
Impact Information Disclosure
True
Attack Vectors
To exploit the vulnerability, the customer cluster needs to be on the support channel for active support.
Has vendor confirmed or acknowledged the vulnerability?
True
Discoverer
Cohesity acknowledges the efforts of Karlsruhe Institute of Technology researchers Thorsten Tuellmann and Heiko Reese who identified the vulnerability and participated in its responsible disclosure.