Dell EMC informed its customers that its Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance products are affected by vulnerabilities that can be chained by an attacker to take complete control of a target system.
The flaws reside in the Avamar Installation Manager (AVI) component that is present in all the products.
The vulnerabilities were discovered by the experts at the consultancy firm Digital Defense Inc, the three issues included:
Dell published a security advisory is ESA-2018-001, that could be accessible by customers having Dell EMC Online Support credentials.
The most severe issue tracked as CVE-2017-15548 could be exploited by a remote attacker to bypass authentication and gain root access to the system.
The flaw is related to the authentication process that is implemented via a POST request including the username, password and a parameter named wsUrl.
“User authentication is performed via a POST that includes username, password and wsURL parameters. The wsURL parameter can be an arbitrary URL that the Avamar server will send an authentication SOAP request to, that includes the user provided username and password,” reads the analysis published by Digital Defense. “If the Avamar server receives a successful SOAP response, it will return a valid session ID. The attacker doesn’t require any specific knowledge about the targeted Avamar server to generate the successful SOAP response, a generic, validly formed SOAP response will work for multiple Avamar servers.”
The second flaw, tracked as CVE-2017-15549, could be exploited by an authenticated attacker with low privileges to upload malicious files to the server.
“Authenticated users can upload arbitrary files to arbitrary locations with root privileges. This can be combined with the other two vulnerabilities to fully compromise the virtual appliance.” continues the analysis.
“The saveFileContents method of the UserInputService class takes a single string parameter and splits it on the ‘\r’ character. The first half of the parameter is a path, including the filename, and the second half of the string is the data that should be written to that path. The web server is running with root privileges, so arbitrary files can be written to arbitrary locations.”
The third vulnerability tracked as CVE-2017-15550 is a path traversal issue that allows an authenticated attacker with low privileges to access arbitrary files on the server.
“Authenticated users can download arbitrary files with root privileges. This can be combined with the other two vulnerabilities to fully compromise the virtual appliance.” states the analysis.
“The getFileContents method of the UserInputService class doesn’t perform any validation of the user supplied filename parameter before retrieving the requested file from the Avamar server. Additionally, the web server runs as root, so any file can be retrieved using this vulnerability.”
By chaining the three vulnerabilities a remote attacker could take complete control of a vulnerable system.
Affected products are:
EMC has released security fixes that address all the flaws.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Dell Data Protection Appliance, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…
This website uses cookies.