Dell EMC patches 3 zero-days in Data Protection Suite

Could combine to 'fully compromise' virtual appliance, researchers warn

By Chris Mellor

Three vulns in Dell EMC’s Data Protection Suite product that can combine to fully compromise a virtual appliance have been patched by the vendor.

Security consultancy Digital Defense Inc, which sniffed them out, said Dell EMC Avamar Server, NetWorker Virtual Edition and the Integrated Data Protection Appliance had a common component in Avamar Installation Manager (AVI). It's AVI that is affected by the three bugs.

Digital Defense said the three vulnerabilities included:

  1. An Authentication Bypass in SecurityService;
  2. An Authenticated Arbitrary File Access in UserInputService; and
  3. An Authenticated File Upload in UserInputService.

The researchers said that a login to the Avamar service involved user authentication, which was performed via a POST request that included a username, password, and wsUrl parameter. Digital Defense explained that the wsUrl parameter could, for example, be an arbitrary URL to which the Avamar server would send an authentication SOAP request that included the user-provided username and password. If the Avamar server received a successful SOAP response, it would return a valid session ID. An attacker exploiting the vuln thus would not require any specific knowledge about the targeted Avamar server to generate the successful SOAP response: a generic, validly formed SOAP response would work for multiple Avamar servers.
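The root cause described above is that the client chooses where its own credentials are verified. The following Python check is an added example, not Dell EMC's or Digital Defense's code: it pins a wsUrl value to a server-side allowlist and classifies login request bodies accordingly. The form-encoded body layout, the host names, ports and paths are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the only auth endpoints this appliance should ever call.
# Host names and ports are constructed placeholders, not real Avamar values.
TRUSTED_AUTH_ENDPOINTS = {
    ("https", "localhost", 8443),
    ("https", "avamar01.example.internal", 8443),
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def is_trusted_ws_url(ws_url):
    """Return True only if ws_url names an allowlisted (scheme, host, port)."""
    try:
        parts = urlsplit(ws_url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo before '@' can disguise the real host
    host = (parts.hostname or "").rstrip(".").lower()
    scheme = parts.scheme.lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host, port) in TRUSTED_AUTH_ENDPOINTS


def review_login_body(body):
    """Classify a form-encoded login body: 'ok', 'reject' or 'no-wsUrl'."""
    values = parse_qs(body, keep_blank_values=True).get("wsUrl")
    if not values:
        return "no-wsUrl"
    # Duplicate parameters are rejected: parsers may disagree on which wins.
    if len(values) != 1:
        return "reject"
    return "ok" if is_trusted_ws_url(values[0]) else "reject"


# Constructed sample bodies (not captured traffic).
SAMPLES = [
    "username=u&password=p&wsUrl=https%3A%2F%2Flocalhost%3A8443%2Fauth",
    "username=u&password=p&wsUrl=http%3A%2F%2F203.0.113.7%2Fsoap",
    "username=u&password=p&wsUrl=https%3A%2F%2Flocalhost%3A8443%40203.0.113.7%2F",
    "username=u&password=p&wsUrl=https%3A%2F%2Flocalhost.untrusted.example%3A8443%2F",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(review_login_body(body), body)
```

The stronger design is for the server to ignore any client-supplied endpoint and read the authentication URL from its own configuration; the same classifier can also be run over recorded login requests to flag any wsUrl that points off the appliance.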

All three vulnerabilities could be combined to fully compromise the virtual appliance by modifying the sshd_config file to allow root login, uploading a new authorized_keys file for root, and a web shell to restart the SSH service. The web shell could also run commands with the same privileges as the "admin" user, the researchers said.

The weaknesses are referred to as an authentication bypass vulnerability (CVE-2017-15548), an arbitrary file upload vuln (CVE-2017-15549), and a path traversal vuln (CVE-2017-15550).

Dell's security advisory is ESA-2018-001, which requires Dell EMC Online Support credentials to view.

Mike Cotton, vice president of engineering at Digital Defense, said Dell EMC had worked with his firm to "identify additional product versions impacted and collaborated to resolve and verify the fixes for the security issues".

A Dell spokesperson sent us a statement:

"Dell EMC is aware of the identified vulnerabilities; we’ve prepared security fixes to address them and alerted our customers." ®
