EMC CMCNE Directory Traversal Vulnerability

January 30, 2014

EMC Connectrix Manager Converged Network Edition (CMCNE) is a centralized management tool of the SAN environments and other product configuration applications. It can be used to control and protect user passwords and port access; monitor port-level statistics; and automatically record system events and networked storage fabric configuration changes.

CMCNE incorporates WildFly, formerly known as JBoss, for its custom web applications. JBoss provides a full Java Enterprise Edition (JEE) stack. The web application module access provided by CMCNE has the following format:

   [filename] [directory]   

An arbitrary file upload vulnerability exists in the EMC Connectrix Manager Converged Network Edition (CMCNE). An unauthenticated user can take use of this vulnerability to copy any file of any type to an arbitrary location on the server, which can lead to information disclosure, denial of service, and eventually arbitrary code execution when combined with other features/vulnerabilities of the product.

Dell SonicWALL Threat team has researched this vulnerability and released the following IPS signatures to address this issue.

  • 5550 EMC CMCNE Directory Traversal 1
  • 5630 EMC CMCNE Directory Traversal 2

This vulnerability is referred by CVE as CVE-2013-6810.