Skip to main content
Delphix

TB096 Arbitrary Code Execution May Be Performed by Engine System Administrators

 

 

Alert Type

Security

Impact

FIPS 199 Severity Level: High

CVSS Score: 8.7

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): H

User Interaction (UI): N

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): N

Under certain conditions, arbitrary code execution may be performed by sysadmins. Exploitation requires sysadmin privileges. This security bug was discovered internally by Delphix security testing processes.

The local engine configuration can be modified by a sysadmin privilege user in a way that would allow arbitrary commands to be executed.

Contributing Factors

This article applies to the following versions of the Delphix engine:

Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

This is applicable to both the Virtualization Engine and the Masking Engine.

Symptoms

Arbitrary code execution.

Relief/Workaround

Customers can take steps to apply standard security good practice to minimize the likelihood of abuse of this vulnerability:

  1. Ensure the Delphix Engine is deployed on a controlled access network and only appropriately privileged personnel have access to the network and Delphix Engine management interfaces.

  2. Use LDAP authenticated named users to facilitate separation of duties, least privileges, and auditing. Disable the out-of-the-box generic SYSADMIN account as described in the User Management section of the Engine documentation.

  3. If the builtin SYSADMIN account remains enabled, ensure that the credential is managed under a Privileged Access Management procedure.

Delphix highly recommends upgrading to 6.0.13.0 if the engine is on any of the affected releases.

Resolution

This issue is resolved in Delphix release 6.0.13.0

Additional Information

None

Related Documents

N/A