March 31, 2021 FN47
A man-in-the-middle vulnerability exists in the Cohesity DataPlatform support channel in versions 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. Missing server authentication in the impacted versions can allow an attacker to man-in-the-middle (MITM) the support channel UI session to a Cohesity DataPlatform cluster.
This vulnerability could expose the Cohesity cluster UI password when it is used by a Cohesity support engineer over the support channel. The support channel uses only public-key authentication for SSH access to customer systems; the same attack is not possible against SSH because of the way the SSH session key is agreed upon.
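The root cause named above is missing server authentication: a client that does not verify who it is talking to will hand its session (and any password typed into it) to whoever sits on the network path. The following is an added illustration, not Cohesity's code, of what a support-channel style TLS client looks like with that check disabled versus enforced, plus an optional pin check against the cluster certificate's fingerprint. The function names, the `PINNED_FINGERPRINT` placeholder and the sample bytes are all assumptions constructed for this example.

```python
"""Hardened TLS client for a remote-support style channel.

Added example (not Cohesity code): contrasts a client that skips server
authentication with one that requires a verified certificate, and adds a
fingerprint pin for a long-lived channel to a known cluster.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Optional

# Placeholder for the SHA-256 fingerprint of the cluster's DER certificate,
# obtained out of band. Constructed value, not a real fingerprint.
PINNED_FINGERPRINT = "00" * 32


def insecure_context() -> ssl.SSLContext:
    """The weak configuration: no hostname check and no certificate
    validation, so any host on the path can impersonate the cluster."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """The corrected configuration: the server must present a certificate
    that chains to a trusted CA and matches the hostname we dialled."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_server_authenticated(ctx: ssl.SSLContext) -> bool:
    """True only if the context will refuse an unverified peer."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the peer's fingerprint with the pin.
    Accepts the common colon-separated form as well as bare hex."""
    expected = expected_hex.lower().replace(":", "")
    return hmac.compare_digest(fingerprint(der_cert), expected)


def open_support_session(host: str, port: int, expected_pin: str,
                         ca_bundle: Optional[str] = None) -> ssl.SSLSocket:
    """Dial the cluster and return a TLS socket only if the server proves
    its identity. wrap_socket() raises SSLCertVerificationError on an
    untrusted or mismatched certificate; the pin check then rejects a
    valid-but-unexpected certificate as well."""
    ctx = hardened_context(ca_bundle)
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_pin):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    import sys
    # Usage: python client.py <cluster-host> <port> <pinned-sha256-hex>
    host, port, pin = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open_support_session(host, port, pin) as s:
        print("authenticated session to", host, "cipher", s.cipher())
```

The two context builders differ only in three attributes, which is exactly why this class of bug is easy to ship: nothing fails at development time when verification is off. The pin is an extra layer for a channel that always talks to the same cluster; the CA-based check alone already closes the MITM described in this notice.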
CVSS 3.1 BASE score 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
To remediate the vulnerability, Cohesity recommends applying the patch 6.3.1g-Hotfix1 if running 6.3.1g, or 6.4.1c-Hotfix10 if running 6.4.1c, or upgrading the cluster to 6.5.1c or later. Customers currently on release 6.5.1c or above are not vulnerable to this issue and can disregard this notice.
Software downloads are available here: http://downloads.cohesity.com
If you have any questions, please reach out to Cohesity Support. Email: support@cohesity.com
Incorrect Access Control
Cohesity, Inc
Cohesity DataPlatform - Affected versions are Cohesity DataPlatform versions 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b.
Support Channel
Remote
True
To exploit the vulnerability, the customer cluster needs to be on the support channel for active support.
True
Cohesity acknowledges the efforts of Karlsruhe Institute of Technology researchers Thorsten Tuellmann and Heiko Reese who identified the vulnerability and participated in its responsible disclosure.