If you're using Dell EMC Avamar, even in VMware's vSphere, you need to grab and install these security updates
Unless you want your private key to leak, watch miscreants inject commands, etc
Get patching: data protection offerings in the Dell EMC Avamar range have four exploitable security bugs – one enabling remote code execution – and VMware's inherited the vulnerabilities, with fixes now available.
The first two bugs were described in this post on the Full Disclosure mailing list on Tuesday. There's one remote code execution (RCE) vulnerability (CVE-2018-11066), and one open redirection vulnerability (CVE-2018-11067). Nine Dell Avamar releases – six versions of its server, and three integrated data protection appliances – are affected, and patches for all versions are available from support.emc.com.
Details on the RCE were scant, but we're told it can be exploited by an unauthenticated attacker to run arbitrary commands on the server. So, total pwnage, then. The open redirect bug would be useful to attackers bent on a phishing campaign: “A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links,” the Dell advisory stated.
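To show the class of bug behind CVE-2018-11067 in something you can run, here is an added illustration of an open redirect next to a check that closes it. This is example code written for this page, not Avamar code and not anything from the Dell or VMware advisories; the `next` parameter, the fallback page and the allowed-host set are assumptions.

```python
from urllib.parse import urlparse


def is_safe_redirect(target: str, allowed_hosts: frozenset = frozenset()) -> bool:
    """True only if `target` keeps the user on this application, or on a host in
    `allowed_hosts` over HTTPS. Anything else is treated as an open redirect."""
    if not target or any(ord(c) <= 0x20 for c in target):
        return False                       # empty, whitespace or control characters
    candidate = target.replace("\\", "/")  # browsers treat a backslash as a slash
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        # Absolute or protocol-relative URL: only an explicitly listed host, only over HTTPS.
        return parsed.scheme == "https" and parsed.hostname in allowed_hosts
    # Relative target: exactly one leading slash. "//host" and "///host" resolve to another origin.
    return candidate.startswith("/") and not candidate.startswith("//")


def redirect_target_vulnerable(next_url: str) -> str:
    """The pattern behind most open redirects: the query parameter (assumed name `next`)
    is used verbatim as the Location header, so ?next=https://evil.example just works."""
    return next_url


def redirect_target_hardened(next_url: str, fallback: str = "/",
                             allowed_hosts: frozenset = frozenset()) -> str:
    """Same handler with the check in front; unsafe targets fall back to a fixed page."""
    return next_url if is_safe_redirect(next_url, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample targets, the kind a phishing link would carry.
    for t in ("/account", "//evil.example/x", "/\\evil.example",
              "https://evil.example/phish", "javascript:alert(1)"):
        print(f"{t!r:30} -> {redirect_target_hardened(t)!r}")
```

The validator deliberately refuses anything it cannot positively classify as a same-site path, including the protocol-relative and backslash variants that a naive "starts with /" check lets through; if the console genuinely needs to send users elsewhere, add that host to the allowlist rather than loosening the rule.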
I've got the key, I've got the secret
CVE-2018-11076 is a nasty information disclosure bug in the Avamar Java management client package – it can be leveraged to leak the management console's SSL/TLS private key. That exposes the management console to man-in-the-middle attacks by unauthenticated users on the “same data link layer” (that is, the same Layer 2 network segment, where an attacker who can intercept traffic can impersonate the console with its own key.)
CVE-2018-11077 is an operating system command injection vulnerability that affects nine versions of the Avamar server, and three data protection appliance variants. The post explained the bug was in the products' getlogs utility, and would allow a malicious Avamar admin to “execute arbitrary commands under root privilege” – a privilege escalation from the application's admin role to root on the underlying OS.
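As an added illustration, not code from Avamar's getlogs utility (which is not public): the injectable pattern, a log collector that pastes a caller-supplied component name into a shell command string, next to a hardened version that validates the input and never touches a shell. The log directory, component-name format and use of `tail` are assumptions for the example.

```python
import re
import shlex
import subprocess
import tempfile
from pathlib import Path

# Assumed location for the example; this is not Avamar's real log layout.
LOG_DIR = Path("/var/log/example-backup")
COMPONENT_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def build_vulnerable_command(component: str, lines: str) -> str:
    """The injectable pattern: caller-controlled fields are pasted into a string that is
    later handed to the shell (subprocess.run(cmd, shell=True), os.system, ...).
    The string is returned instead of executed so this example is safe to run."""
    return f"tail -n {lines} {LOG_DIR}/{component}.log"


def split_shell_commands(cmd: str) -> list:
    """Tokenise `cmd` the way a POSIX shell would and split it at command separators,
    which makes an injected second command visible."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def collect_logs_hardened(component: str, lines: int, log_dir: Path = LOG_DIR) -> str:
    """Validate the inputs, build the path, and call tail with an argv list so no shell
    is involved; metacharacters in `component` are rejected, not interpreted."""
    if not COMPONENT_RE.fullmatch(component):
        raise ValueError(f"rejected component name: {component!r}")
    if not 1 <= lines <= 10_000:
        raise ValueError(f"line count out of range: {lines}")
    path = log_dir / f"{component}.log"
    if path.resolve().parent != log_dir.resolve():  # defence in depth against traversal
        raise ValueError("log path escapes the log directory")
    result = subprocess.run(["tail", "-n", str(lines), "--", str(path)],
                            capture_output=True, text=True, check=True)
    return result.stdout


def hardened_rejects(component: str) -> bool:
    """True if the hardened collector refuses `component` before running anything."""
    try:
        collect_logs_hardened(component, 1)
    except ValueError:
        return True
    return False


def demo_hardened_on_temp_log() -> list:
    """Constructed sample: write a three-line log into a temp dir and read the last two."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp)
        (log_dir / "daemon.log").write_text("line1\nline2\nline3\n")
        return collect_logs_hardened("daemon", 2, log_dir).splitlines()


if __name__ == "__main__":
    payload = "daemon.log; id #"
    print(split_shell_commands(build_vulnerable_command(payload, "100")))
    print("hardened rejects payload:", hardened_rejects(payload))
    print(demo_hardened_on_temp_log())
```

The second point the advisory wording makes is just as important as the injection itself: the injected commands ran as root because the utility did. Even with the input validated, a diagnostics helper that only reads log files should run as an unprivileged account, so that the next parsing mistake is a bug rather than a root shell.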
VMware's advisory said its Avamar-based vSphere Data Protection products, versions 6.0.x and 6.1.x, need patches against the four bugs.
The security holes were turned up by Australian security research outfit TSS Cyber.
As SANS Senior ISC Handler Xavier Mertens remarked, “This is a perfect example of how a product 'A' can affect a product 'B' when technologies are reused across multiple solutions.” ®