Insufficient certificate validation in EMC Secure Remote Services Virtual Edition

Abstract

It was discovered that the server certificate validation checks performed by EMC Secure Remote Services Virtual Edition are insecure. Weak certificate validation allows attackers to perform a man-in-the-middle attack against ESRS connections. This allows for eavesdropping on, and spoofing of, provisioned devices in ESRS VE (including but not limited to home calls to the ESRS portal esrs.emc.com).

Affected versions

EMC reports that the following versions are affected by this vulnerability:

  • EMC Secure Remote Services Virtual Edition 3.02
  • EMC Secure Remote Services Virtual Edition 3.03
  • EMC Secure Remote Services Virtual Edition 3.04

Fix

EMC released EMC Secure Remote Services Virtual Edition 3.06 that resolves this vulnerability. Registered EMC Online Support customers can download patches and software from support.emc.com at:

EMC Secure Remote Services -> EMC Secure Remote Services Virtual Edition -> Downloads

Introduction

EMC Secure Remote Services (ESRS) is a two-way remote connection between EMC Customer Service and your EMC products and solutions. ESRS maintains connectivity with your EMC products around the clock and automatically notifies EMC if a problem or potential problem occurs. If troubleshooting is necessary, an authorized and authenticated EMC Customer Service professional uses the secure connection to establish a remote session to diagnose, and if necessary, to repair your EMC products and solutions.

The certificate validation used by the Java classes CertificateRequest & CertificateResponse is insufficient. These classes both call the isCertValid() method of the CertificateValidation class. Certificate validation is done on certificate properties that can be spoofed easily. Consequently, these validation checks do not provide any security at all. The validation logic is listed below.

com/emc/esrs/provisioning/util/CertificateValidation.java

public static boolean isCertValid(String openSSLPath, String certFile)
	throws IOException, ParseException
{
	Map certAttributes = getCertAttributes(openSSLPath, certFile);
	
	for (Map.Entry entry : certAttributes.entrySet()) {
		String key = (String)entry.getKey();
		Object value = entry.getValue();
		logger.debug(key + " " + value.toString());
	}
	Date currentDate = new Date();
	if ((currentDate.before((Date)certAttributes.get("startDate"))) || 
			(currentDate.after((Date)certAttributes.get("endDate")))) {
		logger.debug("Certificate date not valid");
		return false;
	}
	if (!certAttributes.get("issuer").toString().equalsIgnoreCase("EMC Corporation")) {
		logger.debug("Certificate issuer not valid");
		return false;
	}
	
	if (!certAttributes.get("subject").toString().equalsIgnoreCase("emc.com")) {
		logger.debug("Certificate subject not valid");
		return false;
	}
	
	return true;
}

Weak certificate validation allows attackers to perform a man-in-the-middle attack against ESRS connections. This allows for eavesdropping on, and spoofing of, provisioned devices in ESRS VE (including but not limited to home calls to the ESRS portal esrs.emc.com).
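For contrast with isCertValid() above, the following added example (not EMC's code and not the fix shipped in 3.06) validates a certificate cryptographically against a pinned trust store instead of comparing issuer and subject strings. The class name, the method signature and the trust store path and password parameters are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.util.ArrayList;
import java.util.List;

// Added example, not ESRS code: class, method and parameter names are hypothetical.
public final class ChainValidationExample {
    /**
     * Accepts certFile (leaf first, then any intermediates, without the root)
     * only if it chains by signature to a CA certificate in trustStorePath.
     */
    public static boolean isCertValid(String certFile, String trustStorePath,
                                      char[] trustStorePassword) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            List<Certificate> chain;
            try (InputStream in = new FileInputStream(certFile)) {
                chain = new ArrayList<>(cf.generateCertificates(in));
            }
            if (chain.isEmpty()) {
                return false;
            }
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(trustStorePath)) {
                trustStore.load(in, trustStorePassword);
            }
            // Trust anchors come only from the pinned store, never from the
            // issuer or subject strings inside the presented certificate.
            PKIXParameters params = new PKIXParameters(trustStore);
            // Assumption: no CRL/OCSP endpoint is reachable; enable where one is.
            params.setRevocationEnabled(false);
            CertPath path = cf.generateCertPath(chain);
            // Verifies each signature up to a trust anchor and each validity
            // period; throws on any failure.
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException | IOException e) {
            return false;
        }
    }
}
```

A subject or host name comparison only carries weight once this chain check has succeeded, because the names are then vouched for by a trusted signature.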
