Dell EMC patches 3 zero-days in Data Protection Suite
Could combine to 'fully compromise' virtual appliance, researchers warn
Three vulns in Dell EMC’s Data Protection Suite product that can combine to fully compromise a virtual appliance have been patched by the vendor.
Security consultancy Digital Defense Inc, which sniffed them out, said Dell EMC Avamar Server, NetWorker Virtual Edition and the Integrated Data Protection Appliance had a common component in Avamar Installation Manager (AVI). It's AVI that is affected by the three bugs.
Digital Defense said the three vulnerabilities included:
- An Authentication Bypass in SecurityService; an
- Authenticated Arbitrary File Access in UserInputService; and an
- Authenticated File Upload in UserInputService.
The researchers said that a login to the Avatar service involved user authentication – which was performed via a POST request that included a username, password, and wsUrl parameter. Digital Defense explained, for example, the wsURL parameter could be an arbitrary URL that the Avamar server would send an authentication SOAP request to, which included the user provided username and password. If the Avamar server received a successful SOAP response, it would return a valid session ID. An attacker exploiting the vuln thus would not require any specific knowledge about the targeted Avamar server to generate the successful SOAP response: a generic, validly formed SOAP response would work for multiple Avamar servers.
All three vulnerabilities could be combined to fully compromise the virtual appliance by modifying the
sshd_config file to allow root login, uploading a new
authorized_keys file for root, and a web shell to restart the SSH service. The web shell could also run commands with the same privileges as the "admin" user, the researchers said.
The weakness are referred to as an authentication bypass vulnerability (CVE-2017-15548), an arbitrary file upload vuln (CVE-2017-15549), and a path traversal vuln (CVE-2017_15550).
Dell's security advisory is here (ESA-2018-001, but requires Dell EMC Online Support credentials).
Mike Cotton, vice president of engineering at Digital Defense, said Dell EMC had worked with his firm to "identify additional product versions impacted and collaborated to resolve and verify the fixes for the security issues".
A Dell spokesperson sent us a statement:
"Dell EMC is aware of the identified vulnerabilities; we’ve prepared security fixes to address them and alerted our customers." ®