WDC Tracking Number: WDC-19008
Published: June 6, 2019
Last Updated: June 6, 2019
A vulnerability in the IntelliFlash System Management Console could allow an authenticated admin-privileged account to retrieve sensitive information.
This vulnerability affects IntelliFlash OS software versions from 3.7.0 up to and including 3.9.1 running on IntelliFlash All-Flash and Hybrid Storage Arrays, including HA, T-3xxx and T-4xxx series, HD-series and N-series systems.
Western Digital is releasing software updates to address the vulnerability.
The IntelliFlash web-based management interface improperly sends third-party system usernames and passwords to authenticated users of the interface. While the information sent is not displayed in the interface, it is present, and an authenticated administrator of the array could exploit this vulnerability by inspecting the source of the web-based management interface. A successful exploit would allow the retrieval of these usernames and passwords from the array.
Exposed System Credentials
CVE Number: CVE-2019-6464
Reported by: Thiago Campos of Bishop Fox