In default installations of Microchip maxView Storage Manager (for Adaptec Smart Storage Controllers) where Redfish server is configured for remote system management, unauthorized access can occur, with data modification and information disclosure. This affects 3.00.23484 through 4.14.00.26064 (except for the patched versions 3.07.23980 and 4.07.00.25339).
In default configurations of maxView Storage Manager software where the Redfish server is enabled for remote system management, there is a possibility of gaining unauthorized access. The vulnerability results from improper access control (CWE-284), which allows an attacker to bypass authentication and authorization mechanisms. Access occurs over the network without the attacker needing to possess any privileges or require user interaction.
An attacker can remotely modify data stored in the system without authentication and gain access to sensitive information, which threatens the integrity and confidentiality of managed storage resources.
Software should be updated to version 3.07.23980 or 4.07.00.25339, which contain a fix for this vulnerability. If an update is not possible immediately, consider disabling the Redfish server or restricting access to the management interface at the network level (firewall). Details are available in the manufacturer's references.
Microchip maxView Storage Manager (for Adaptec Smart Storage controllers) in versions from 3.00.23484 to 4.14.00.26064, excluding patched versions: 3.07.23980 and 4.07.00.25339. Affects installations with an active Redfish server configured for remote system management.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMicrochip Maxview Storage Manager
APPMicrochip3.00.23484 – 4.14.00.26064
Related vulnerabilities
Nieautoryzowany dostęp w maxView Storage Manager via Redfish Server
A vulnerability has been identified in SIMATIC IPC1047 (All versions), SIMATIC IPC1047E (All versions with max...
XSS w Microchip TimePictra – wstrzyknięcie złośliwego skryptu
Brak uwierzytelnienia dla funkcji krytycznych w Microchip TimePictra
RCE przez buffer overflow w serwerze DHCP Microchip Advanced Software Framework