Dell RecoverPoint for Virtual Machines 5.3.x and 6.0.SP1 contain a brute-force/dictionary-attack vulnerability. An unauthenticated remote attacker could potentially exploit it by launching a brute-force or dictionary attack against the RecoverPoint login form, which allows the attacker to guess the passwords of valid users in an automated manner.
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Recoverpoint_for_virtual_machines | Dell | 5.3-sp2 (including) | 5.3-sp2 (including) |
Recoverpoint_for_virtual_machines | Dell | 5.3-sp2_p1 (including) | 5.3-sp2_p1 (including) |
Recoverpoint_for_virtual_machines | Dell | 5.3-sp2_p2 (including) | 5.3-sp2_p2 (including) |
Recoverpoint_for_virtual_machines | Dell | 5.3-sp2_p4 (including) | 5.3-sp2_p4 (including) |
Recoverpoint_for_virtual_machines | Dell | 5.3-sp3_p1 (including) | 5.3-sp3_p1 (including) |
Recoverpoint_for_virtual_machines | Dell | 5.3-sp3_p2 (including) | 5.3-sp3_p2 (including) |
Recoverpoint_for_virtual_machines | Dell | 6.0-sp1 (including) | 6.0-sp1 (including) |
Common protection mechanisms include:

- Use a vetted library or framework that does not allow this weakness to occur or that provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
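The control the advisory says is missing is a limit on failed authentication attempts within a short time frame. The following is an added example, written for this page and not code from Dell or from the RecoverPoint product, of a login handler that tracks failures per account and per source address in a sliding window, applies an escalating lockout, and compares password hashes in constant time. The thresholds, the user store, the salt and the simulated login attempts are all constructed assumptions for illustration.

```python
"""Failed-login throttle of the kind CWE-307 calls for (added example, not the product's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import hashlib
import hmac

MAX_FAILURES = 5            # failures tolerated inside one window (assumed policy)
WINDOW_SECONDS = 300        # sliding window length in seconds (assumed)
BASE_LOCKOUT_SECONDS = 60   # first lockout; doubles on each further lockout (assumed)
MAX_LOCKOUT_SECONDS = 3600  # cap on the escalating lockout (assumed)


def _hash(password, salt):
    # PBKDF2 with a modest iteration count so the example runs quickly; production
    # deployments use a far higher count or a memory-hard KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed credential store: username -> salted password hash.
_SALT = b"constructed-salt-for-example-only"
USERS = {"admin": _hash("correct horse battery staple", _SALT)}


@dataclass
class Tracker:
    """Per-key (account or source IP) failure history and lockout state."""
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)
    lockouts: dict = field(default_factory=lambda: defaultdict(int))

    def _prune(self, key, now):
        # Drop failures that have aged out of the sliding window.
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, key, now):
        return now < self.locked_until.get(key, 0)

    def record_failure(self, key, now):
        """Record one failure; return the lockout length triggered (0 if none)."""
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) < MAX_FAILURES:
            return 0
        self.lockouts[key] += 1
        delay = min(BASE_LOCKOUT_SECONDS * 2 ** (self.lockouts[key] - 1), MAX_LOCKOUT_SECONDS)
        self.locked_until[key] = now + delay
        self.failures[key].clear()
        return delay

    def record_success(self, key):
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)
        self.lockouts.pop(key, None)


def login(tracker, username, password, source_ip, now):
    """Return 'locked', 'denied' or 'ok'. Throttling is keyed on both the account and the source."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(tracker.is_locked(k, now) for k in keys):
        return "locked"          # refused before the credential is even checked
    stored = USERS.get(username)
    candidate = _hash(password, _SALT)   # always hash so unknown users cost the same time
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if ok:
        for k in keys:
            tracker.record_success(k)
        return "ok"
    for k in keys:
        tracker.record_failure(k, now)
    return "denied"


def simulate():
    """Constructed sequence of attempts against the store above; returns the outcomes."""
    t = Tracker()
    now = 1000.0
    results = []
    # five wrong guesses one second apart from one address exhaust the window
    for i in range(5):
        results.append(login(t, "admin", f"wrong{i}", "10.0.0.5", now + i))
    # the right password is refused while the account is locked ...
    results.append(login(t, "admin", "correct horse battery staple", "10.0.0.5", now + 5))
    # ... even from a different source address, because the account key is locked too
    results.append(login(t, "admin", "correct horse battery staple", "10.0.0.6", now + 6))
    # once the lockout has expired the legitimate login succeeds and the history resets
    results.append(login(t, "admin", "correct horse battery staple", "10.0.0.5",
                         now + 5 + BASE_LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    print(simulate())
```

Keying on the account as well as the source address matters because an automated attack distributed over many addresses would otherwise never trip a per-IP limit; the escalating delay keeps a persistent attacker's effective guess rate low without permanently locking the legitimate user out. In a real deployment the tracker state lives in shared storage so that it holds across application instances, and lockouts are logged so that the pattern the advisory describes is visible to monitoring.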