Insertion of Sensitive Information into Log File vulnerability in Hitachi Virtual Storage Platform, Hitachi Virtual Storage Platform VP9500, Hitachi Virtual Storage Platform G1000, G1500, Hitachi Virtual Storage Platform F1500, Hitachi Virtual Storage Platform 5100, 5500, 5100H, 5500H, Hitachi Virtual Storage Platform 5200, 5600, 5200H, 5600H, Hitachi Unified Storage VM, Hitachi Virtual Storage Platform G100, G200, G400, G600, G800, Hitachi Virtual Storage Platform F400, F600, F800, Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, Hitachi Virtual Storage Platform F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H allows local users to gain sensitive information.This issue affects Hitachi Virtual Storage Platform: before DKCMAIN Ver. 70-06-74-00/00, SVP Ver. 70-06-58/00; Hitachi Virtual Storage Platform VP9500: before DKCMAIN Ver. 70-06-74-00/00, SVP Ver. 70-06-58/00; Hitachi Virtual Storage Platform G1000, G1500: before DKCMAIN Ver. 80-06-92-00/00, SVP Ver. 80-06-87/00; Hitachi Virtual Storage Platform F1500: before DKCMAIN Ver. 80-06-92-00/00, SVP Ver. 80-06-87/00; Hitachi Virtual Storage Platform 5100, 5500,5100H, 5500H: before DKCMAIN Ver. 90-08-81-00/00, SVP Ver. 90-08-81/00, before DKCMAIN Ver. 90-08-62-00/00, SVP Ver. 90-08-62/00, before DKCMAIN Ver. 90-08-43-00/00, SVP Ver. 90-08-43/00; Hitachi Virtual Storage Platform 5200, 5600,5200H, 5600H: before DKCMAIN Ver. 90-08-81-00/00, SVP Ver. 90-08-81/00, before DKCMAIN Ver. 90-08-62-00/00, SVP Ver. 90-08-62/00, before DKCMAIN Ver. 90-08-43-00/00, SVP Ver. 90-08-43/00; Hitachi Unified Storage VM: before DKCMAIN Ver. 73-03-75-X0/00, SVP Ver. 73-03-74/00, before DKCMAIN Ver. 73(75)-03-75-X0/00, SVP Ver. 73(75)-03-74/00; Hitachi Virtual Storage Platform G100, G200, G400, G600, G800: before DKCMAIN Ver. 83-06-19-X0/00, SVP Ver. 83-06-20-X0/00, before DKCMAIN Ver. 83-05-47-X0/00, SVP Ver. 83-05-51-X0/00; Hitachi Virtual Storage Platform F400, F600, F800: before DKCMAIN Ver. 83-06-19-X0/00, SVP Ver. 83-06-20-X0/00, before DKCMAIN Ver. 83-05-47-X0/00, SVP Ver. 83-05-51-X0/00; Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900: before DKCMAIN Ver. 88-08-09-XX/00, SVP Ver. 88-08-11-X0/02; Hitachi Virtual Storage Platform F350, F370, F700, F900: before DKCMAIN Ver. 88-08-09-XX/00, SVP Ver. 88-08-11-X0/02; Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H: before DKCMAIN Ver. 93-06-81-X0/00, SVP Ver. 93-06-81-X0/00, before DKCMAIN Ver. 93-06-62-X0/00, SVP Ver. 93-06-62-X0/00, before DKCMAIN Ver. 93-06-43-X0/00, SVP Ver. 93-06-43-X0/00.
The system writes sensitive information — such as authentication credentials or other critical data — to log files in an unprotected manner. A local user with basic privileges (PR:L) can read these files and obtain information to which they should not normally have access. Due to the network vector (AV:N) and lack of user interaction requirements (UI:N), the vulnerability can potentially be exploited remotely by an authenticated user. The obtained data can be used for further actions within the storage infrastructure.
An attacker can gain access to sensitive information contained in log files, which may lead to takeover of the data storage system and violation of data confidentiality, integrity, and availability.
The DKCMAIN and SVP software should be updated to the versions indicated in the vendor's security bulletin (Hitachi Security Information 2022_313). Detailed patch versions for individual models are available at: https://www.hitachi.com/products/it/storage-solutions/sec_info/2024/2022_313.html. It is also recommended to restrict local access to system log files to the minimum necessary (principle of least privilege).
Hitachi Virtual Storage Platform (before DKCMAIN Ver. 70-06-74-00/00, SVP Ver. 70-06-58/00), VP9500, G1000/G1500/F1500 (before DKCMAIN Ver. 80-06-92-00/00, SVP Ver. 80-06-87/00), 5100/5500/5100H/5500H and 5200/5600/5200H/5600H (before DKCMAIN Ver. 90-08-81-00/00 or 90-08-62-00/00 or 90-08-43-00/00), Hitachi Unified Storage VM (before DKCMAIN Ver. 73-03-75-X0/00), G100/G200/G400/G600/G800 and F400/F600/F800 (before DKCMAIN Ver. 83-06-19-X0/00 or 83-05-47-X0/00), G130/G150/G350/G370/G700/G900 and F350/F370/F700/F900 (before DKCMAIN Ver. 88-08-09-XX/00, SVP Ver. 88-08-11-X0/02), E390/E590/E790/E990/E1090/E390H/E590H/E790H/E1090H (before DKCMAIN Ver. 93-06-81-X0/00 or 93-06-62-X0/00 or 93-06-43-X0/00)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H