DELL ESI (Enterprise Storage Integrator) for SAP LAMA, version 10.0, contains an information disclosure vulnerability in EHAC component. An remote unauthenticated attacker could potentially exploit this vulnerability by eavesdropping the network traffic to gain admin level credentials.
The vulnerability results from transmitting sensitive information (including login credentials) without proper encryption (CWE-319 – Cleartext Transmission of Sensitive Information). An attacker in a network eavesdropping position can intercept the transmission and read administrator authentication data from it. No authorization or user interaction on the victim's side is required.
An attacker can obtain administrator-level credentials, which in practice means complete takeover of the Dell ESI for SAP LAMA environment — leading to violation of confidentiality, integrity, and availability of data and systems managed by this software.
Apply patches available from the vendor according to references — Dell published security update DSA-2023-299 available at: https://www.dell.com/support/kbdoc/en-us/000216654/
Dell Enterprise Storage Integrator (ESI) for SAP LAMA, version 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDell Enterprise Storage Integrator For Sap Landscape Management
APPDell< 10.0.0.0
Related vulnerabilities
DELL ESI (Enterprise Storage Integrator) for SAP LAMA, version 10.0, contains an information disclosure vulner...
Dell RecoverPoint for VMs — zahardkodowane dane uwierzytelniające (RCE, root)
RCE w Dell Wyse Management Suite — akceptacja niezaufanych danych
Dell ECS / ObjectScale — podatność hard-coded credentials umożliwiająca dostęp do systemu plików
Nieprawidłowa kontrola dostępu w Dell Data Lakehouse — Elevation of Privileges