Dell EMC patches 3 zero-days in Data Protection Suite

Could combine to 'fully compromise' virtual appliance, researchers warn

By Chris Mellor


Three vulns in Dell EMC’s Data Protection Suite product that can combine to fully compromise a virtual appliance have been patched by the vendor.

Security consultancy Digital Defense Inc, which sniffed them out, said Dell EMC Avamar Server, NetWorker Virtual Edition and the Integrated Data Protection Appliance had a common component in Avamar Installation Manager (AVI). It's AVI that is affected by the three bugs.

Digital Defense said the three vulnerabilities included:

  1. an authentication bypass in SecurityService;
  2. an authenticated arbitrary file access in UserInputService; and
  3. an authenticated file upload in UserInputService.

The researchers said that logging in to the Avamar service involved user authentication, performed via a POST request that included a username, a password and a wsUrl parameter. Digital Defense explained that the wsUrl parameter could be an arbitrary URL: the Avamar server would send an authentication SOAP request, containing the user-supplied username and password, to whatever address it named. If the Avamar server received a successful SOAP response, it would return a valid session ID. An attacker exploiting the vuln therefore needed no specific knowledge of the targeted Avamar server to produce that successful response: a generic, validly formed SOAP response would work against multiple Avamar servers.
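The authentication flow described above, as an added illustration that is not Dell EMC's code: a minimal login handler that trusts the client-supplied wsUrl, beside one that only ever queries the backend fixed in server configuration and reports any attempt to redirect it. The URLs, the simulated network and the function names are constructed for this example.

```python
import secrets
from urllib.parse import urlsplit

# Server-side setting: the only authentication backend the appliance may
# query. Placeholder hostname, constructed for this example.
AUTH_BACKEND = "https://auth.internal.example/ws/SecurityService"

# Simulated network: maps a backend URL to the credentials it accepts.
# "*" stands for a responder that answers success to anything, which is
# the situation the article describes when wsUrl names an arbitrary host.
FAKE_NETWORK = {
    AUTH_BACKEND: {("admin", "correct-horse")},
    "http://rogue.example/ws": "*",
}

def soap_auth(url, username, password, network=FAKE_NETWORK):
    """Stand-in for the SOAP round trip: True means a success response came back."""
    accepted = network.get(url)
    if accepted is None:
        return False  # backend unreachable: no success response
    return accepted == "*" or (username, password) in accepted

def login_vulnerable(form):
    """Vulnerable pattern: the request body chooses who vouches for the user."""
    if soap_auth(form["wsUrl"], form["username"], form["password"]):
        return {"session_id": secrets.token_urlsafe(16), "alert": None}
    return None

def login_fixed(form):
    """Fixed pattern: only the configured backend may vouch for a user.

    A wsUrl naming anything else is ignored for the decision and surfaced
    as an alert string, since a legitimate client never needs to send it."""
    alert = None
    client_url = form.get("wsUrl")
    if client_url is not None and client_url != AUTH_BACKEND:
        host = urlsplit(client_url).hostname
        alert = f"login tampering: wsUrl pointed at {host!r}, expected configured backend"
    if soap_auth(AUTH_BACKEND, form["username"], form["password"]):
        return {"session_id": secrets.token_urlsafe(16), "alert": alert}
    return {"session_id": None, "alert": alert}
```

The alert string is the detection hook: forwarding it to the appliance's log gives a signal for login attempts that carry a foreign wsUrl.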

All three vulnerabilities could be combined to fully compromise the virtual appliance by modifying the sshd_config file to allow root login, uploading a new authorized_keys file for root, and a web shell to restart the SSH service. The web shell could also run commands with the same privileges as the "admin" user, the researchers said.

The weaknesses are referred to as an authentication bypass vulnerability (CVE-2017-15548), an arbitrary file upload vuln (CVE-2017-15549), and a path traversal vuln (CVE-2017-15550).

Dell's security advisory is here (ESA-2018-001, but requires Dell EMC Online Support credentials).

Mike Cotton, vice president of engineering at Digital Defense, said Dell EMC had worked with his firm to "identify additional product versions impacted and collaborated to resolve and verify the fixes for the security issues".

A Dell spokesperson sent us a statement:

"Dell EMC is aware of the identified vulnerabilities; we’ve prepared security fixes to address them and alerted our customers." ®
