CVE-2020-26199

Vulnerability

Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a plain-text password storage vulnerability. User credentials, including the Unisphere admin privilege user password, are stored in clear text in multiple log files [1]. The affected product versions are all releases before the specified patched version.

Exploitation

A local authenticated attacker with access to the log files can read the plain-text passwords. The attacker must have local access to the system and the ability to read the log files where credentials are stored. The CVSS vector indicates the attack complexity is high and privileges required are high, but no user interaction is needed [1].

Impact

An attacker who successfully exploits this vulnerability can use the exposed passwords to gain access with the privileges of the compromised user. This can lead to full compromise of confidentiality, integrity, and availability of the affected system, as reflected by the CVSS score of 6.4 (AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) [1].

Mitigation

Dell has released a security update to address this vulnerability. The fix is included in Dell EMC Unity Operating Environment (OE) version 5.0.4.0.5.012 and later [1]. Users should apply the update as soon as possible. No workarounds are documented in the available references.