Security News

EMC AutoStart Buffer Overflow (Aug 29, 2012)

By

EMC AutoStart provides high availability within multiple operating systems including UNIX, LINUX, and Microsoft Windows for Oracle, Microsoft Exchange, and SQL Server clustered environments. AutoStart monitors application, networks, servers, and storage and automates application restart on an alternate server-local or remote-in the event of a planned or unplanned service outage. On request, AutoStart automates failback of services, applications, and data quickly and efficiently to ensure business continuity.

The EMC AutoStart architecture is built around the concept of nodes, which are grouped in domains. One or more nodes can be grouped to form the AutoStart domain. All operations performed by AutoStart take place within the domain. The node is the basic building block within AutoStart. A node is any machine with an AutoStart agent installed and running. The agent provides the monitoring and management capabilities within the node.

The agent service listens on TCP port 8045 for communication with agents on other nodes. The communication protocol used by the AutoStart agent service is proprietary and not publicly documented. By observing the traffic transferred between AutoStart agents, the following patterns have been identified.

 Offset Size Description ------------------------------------- 0x00   4    unknown 0x04   2    major version number 0x06   2    minor version number 0x08   4    unknown DWORD 0x0c   4    code1 0x10   4    code2 0x14   4    length (x) size of data 0x18   x    data section

Multiple buffer overflow vulnerabilities have been found in EMC AutoStart product. A remote attacker can manipulate the traffic between the agents, such as the header listed above to potentially cause a denial of service, or possibly, execute arbitrary code within the context of the affected application.

Dell SonicWALL UTM team has researched these vulnerabilities and released the following IPS signatures to protect their customers.

  • 7703 EMC AutoStart Buffer Overflow 1
  • 8553 EMC AutoStart Buffer Overflow 2
  • 5512 Server Application Shellcode Exploit 28

The vulnerabilities have been identified as CVE-2012-0409 by CVE.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Microsoft Security Bulletin Coverage for April 2020
Active Android malware campaign steals Credit Card and Banking related information from infected devices (November 5, 2015)
JURASIK Ransomware actively spreading in the wild
MS IE Invalid Pointer Vulnerability (Mar 10, 2010)
WebLogic Node Manager Command Execution (Jan 27, 2010)
HP SiteScope Directory Traversal Vulnerability (Sept 27, 2012)
Apache Httpd Traversal Vulnerability
Angler EK is exploiting Adobe Flash Vulnerability (CVE-2015-5560)