CVE-2022-41629 The 00.00.01a versions of the Device Master from DEI allow unauthenticated users to access the endpoint, which could allow an attacker to retrieve any file from the "RunningConfigs" directory.

The 00.00.01a and prior versions of the Device Master also allow unauthenticated users to view and change the “MachineName” property. This could allow an attacker to change the name of the Device Master, which could cause confusion and make it harder to troubleshoot issues.

In the 00.00.02a and prior versions, Device Master does not enforce the minimum length for the “MachineName” property. This allows attackers to change the name to something like “IMPORTANT_MAILMAN_SERVER_HOSTNAME”, which could lead to a misconfiguration or inaccurate reporting. The 00.00.01a and prior versions also allow unauthenticated users to update the “MachinePassword” property, which could allow an attacker to access the Device Master and change the Device Master password.

Summary of Vulnerable Packages

Starting with 00.00.01a and prior versions of the Device Master, there is a vulnerability due to the minimum length not being enforced on the “MachineName” property. This allows attackers to change it to something like “IMPORTANT_MAILMAN_SERVER_HOSTNAME”, which could lead to misconfiguration or inaccurate reporting. The 00.00.01a and prior versions also allow unauthenticated users to update the “MachinePassword” property, which could allow an attacker to access the Device Master and change the Device Master password.

Vulnerability Description

The Device Master application on VMware vSphere allows users to manage ESXi hosts and virtual machines. The Device Master app is vulnerable to multiple vulnerabilities that would allow unauthenticated users to access the device master and perform actions such as changing machine names or passwords.

Chassis and/or Switches

When properly configured, the Device Master is not susceptible to these types of security vulnerabilities.
The 00.00.01a and prior versions of the Device Master also do not force a password change at the end of a password. This could allow an attacker to reset the password for a new device without having access to the master credentials.

Timeline

Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/02/2022 12:59:00 UTC

References

• https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-07
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41629