Dell EMC patches 3 zero-days in Data Protection Suite

Could combine to 'fully compromise' virtual appliance, researchers warn

By Chris Mellor


Three vulns in Dell EMC’s Data Protection Suite product that can combine to fully compromise a virtual appliance have been patched by the vendor.

Security consultancy Digital Defense Inc, which sniffed them out, said Dell EMC Avamar Server, NetWorker Virtual Edition and the Integrated Data Protection Appliance had a common component in Avamar Installation Manager (AVI). It's AVI that is affected by the three bugs.

Digital Defense said the three vulnerabilities included:

  1. An Authentication Bypass in SecurityService; an
  2. Authenticated Arbitrary File Access in UserInputService; and an
  3. Authenticated File Upload in UserInputService.

The researchers said that a login to the Avatar service involved user authentication – which was performed via a POST request that included a username, password, and wsUrl parameter. Digital Defense explained, for example, the wsURL parameter could be an arbitrary URL that the Avamar server would send an authentication SOAP request to, which included the user provided username and password. If the Avamar server received a successful SOAP response, it would return a valid session ID. An attacker exploiting the vuln thus would not require any specific knowledge about the targeted Avamar server to generate the successful SOAP response: a generic, validly formed SOAP response would work for multiple Avamar servers.

All three vulnerabilities could be combined to fully compromise the virtual appliance by modifying the sshd_config file to allow root login, uploading a new authorized_keys file for root, and a web shell to restart the SSH service. The web shell could also run commands with the same privileges as the "admin" user, the researchers said.

The weakness are referred to as an authentication bypass vulnerability (CVE-2017-15548), an arbitrary file upload vuln (CVE-2017-15549), and a path traversal vuln (CVE-2017_15550).

Dell's security advisory is here (ESA-2018-001, but requires Dell EMC Online Support credentials).

Mike Cotton, vice president of engineering at Digital Defense, said Dell EMC had worked with his firm to "identify additional product versions impacted and collaborated to resolve and verify the fixes for the security issues".

A Dell spokesperson sent us a statement:

"Dell EMC is aware of the identified vulnerabilities; we’ve prepared security fixes to address them and alerted our customers." ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

If you're using Dell EMC Avamar, even in VMware's vSphere, you need to grab and install these security updates

Unless you want your private key to leak, watch miscreants inject commands, etc

Dell's hokey cokey IPO takes new turn – VMware in, VMware out....

Investor roadshow delayed as Mick D considers alternative plan

Dell EMC plucks Tech Data distie man Tomlin to run UK channels

Updated Latest exec hired to make the direct sales conflict go away

EMC adopts cloudy and VMware-friendly kit at VMworld Vegas shindig

VMworld US Data Domain and VxRAIL to the fore against a multi-cloud backdrop

Hard to imagine Google, Facebook building AI without (checks notes) Dell EMC's Data Science Provisioning Portal

If you want to do some ML, and you've got a fat budget, they've got some tech to sell you

Dell Tech: We'll let shareholders vote on VMware deal in Q4

Icahn hardly believe it

Dell EMC and more HPE arrays embrace storage-class memory

Exclusive Soon every vendor will want to be a SCMbag

Isilon-owning Dell OEMs Isilon rival Elastifile's flash 'n' trash NAS

PowerEdge software deal 'purely fulfilment'. U ok hun?

Dell EMC better watch out, HPE better not frown, Chinese server sales are talk of the town

Inspur, Huawei and Lenovo together shipped more in 2018

Dell EMC spills beans on plans for storage-class memory in PowerMax

Let them eat cache