Hardcoded credentials in the Dell Compellent storage array service could enable attackers to take over enterprise VMware environments for any organizations running those two services in collaboration.
Dell Compellent reached its end of life in 2019, and holds less than a 1% share of the data storage market, according to Enlyft. However, organizations still using Dell storage integrated with VMware environments need be aware of CVE-2023-39250, a “high” impact vulnerability affecting these systems.
At DEF CON 31 on Friday, Tom Pohl, penetration testing team manager at LMG Security, will demonstrate how an attacker inside of an enterprise network can identify and decode a private key associated with VMware’s centralized management utility through Dell Compellent, enabling full takeover of a VMware environment.
But it’s not only that: Because the key is the same for every Dell customer, a compromise at one organization could seamlessly translate to a compromise at any other.
As Pohl puts it, “This is just a real concrete example of how a private key in software can lead to complete network compromise of your organization.”
Hardcoded Private Keys in Dell Compellent
In integrating the two services, Dell requires administrator credentials for VMware vCenter, the platform used for managing VMware environments. But the Dell software stores those credentials in its config files.
Pohl only found that out by accident, while working with a client’s network. “When I got into the device in question, I thought: ‘Hey, there’s a username and password in here,'” he recalls.
At least the credentials weren’t stored in clear text. But Pohl decompiled the Java class he guessed might have been responsible for the decryption, easily discovering an AES static key stored in the source code.
After a little bit of reverse engineering using CyberChef, “all of a sudden, out popped a clear text password. And I took that username and password that I got from the Dell Compellent software, went to the vCenter login, and I literally logged in and took over their entire environment.”
It wasn’t merely that Pohl possessed the same vCenter admin access as the Dell software, with the ability to observe, steal, or manipulate all of the data contained within. As he emphasized in a press release: “This key is the same for EVERY customer! If a criminal leverages this vulnerability, they could use it against any of Dell’s customers.”
No Patch for CVE-2023-39250 Security Vulnerability Yet
Despite passing the 90-day responsible disclosure window, LMG Security expects Dell to issue a patch only sometime in the fall. The delay may be due to the complexity of designing a sufficient fix, Pohl posits.
It may also, in part, have to do with Compellent’s end of life status. According to Dell’s documentation, “the right of the customer to use the software beyond the end of life does not obligate Dell to provide continued support or maintenance beyond end of life.”
In the meantime, organizations still running these systems should “definitely harden their environments,” Pohl advises. “The standard user shouldn’t be able to talk to an important piece of infrastructure between your storage platform and your vCenter. The network should be segmented in such a way where a malicious user can’t even get to that point.”
Dell noted in a statement to Dark Reading that companies can implement a workaround: “Dell Technologies released instructions for a full workaround to address a vulnerability in the Dell Storage Compellent Integration Tools for VMware product. Customers should review Dell Security Advisory DSA-2023-282 at their earliest convenience for details. The security of our products is a top priority and critical to protecting our customers.”