MidnightBSD

Advisories for exagrid

CVE-2016-1560 HIGH

ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in the web interface, which allows remote attackers to obtain administrative access via an SSH or HTTP session.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
exagrid ex40000e_firmware 4.8
exagrid ex10000e_firmware 4.8
exagrid ex5000_firmware 4.8
exagrid ex13000e_firmware 4.8
exagrid ex21000e_firmware 4.8
exagrid ex3000_firmware 4.8
exagrid ex32000e_firmware 4.8
exagrid ex7000_firmware 4.8
CVE-2016-1561 MEDIUM

ExaGrid appliances with firmware before 4.8 P26 have a default SSH public key in the authorized_keys file for root, which allows remote attackers to obtain SSH access by leveraging knowledge of a private key from another installation or a firmware image.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
exagrid ex40000e_firmware 4.8
exagrid ex10000e_firmware 4.8
exagrid ex5000_firmware 4.8
exagrid ex13000e_firmware 4.8
exagrid ex21000e_firmware 4.8
exagrid ex3000_firmware 4.8
exagrid ex32000e_firmware 4.8
exagrid ex7000_firmware 4.8
CVE-2019-12310 MEDIUM

ExaGrid appliances with firmware version v4.8.1.1044.P50 have a /monitor/data/Upgrade/ directory traversal vulnerability, which allows remote attackers to view and retrieve verbose logging information. Files within this directory were observed to contain sensitive run-time information, including Base64 encoded 'support' credentials, leading to administrative access of the device.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
exagrid backup_appliance_firmware 48.1.1044.p50