Dell EMC released security updates for Dell EMC Avamar Client Manager in Dell EMC Avamar Server and Dell EMC Integrated Data Protection Appliance (IDPA) to address a critical remote code execution issue and a medium open redirection flaw.
Dell acknowledged the cybersecurity firm TSS for the discovery of the flaws.
The remote code execution vulnerability, tracked as CVE-2018-11066, could be exploited by a remote unauthenticated attacker to execute arbitrary commands on the vulnerable server.
Affected versions are Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2.
“Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 contain a Remote Code Execution vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.” reads the security advisory published.
The vulnerability received a CVSS v3 Base Score of 9.8.
The second issue, tracked as CVE-2018-11067 can be exploited by an unauthenticated attacker to redirect users to arbitrary URLs by tricking them into clicking on a specially crafted link.
Dell also disclosed a high severity information exposure vulnerability, tracked as CVE-2018-11076, that affects the above products. The flaw could be exploited by attackers to compromise the vulnerable systems, it affects Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0 and 7.4.1 and Dell EMC Integrated Data Protection Appliance (IDPA) 2.0.
“Dell EMC Avamar and IDPA are affected by an Information Exposure vulnerability that may potentially be exploited by an attacker to compromise the affected systems.” reads the security advisory published by the company.
“Avamar Java management console’s SSL/TLS private key may be leaked in the Avamar Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.”
Since VMware vSphere Data Protection (VDP) is based on the Avamar Virtual Edition, it is also affected by the flaws. The virtualization giant published a security advisory to inform its customers that the issues affect the VDP 6.0.x and 6.1.x..
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – RCE, Dell EMC Avamar)
[adrotate banner=”5″]
[adrotate banner=”13″]
A flaw in O2 4G Calling (VoLTE) leaked user location data via network responses due…
China-linked UnsolicitedBooker used a new backdoor, MarsSnake, to target an international organization in Saudi Arabia.…
The UK’s Legal Aid Agency suffered a cyberattack in April and has now confirmed that…
Cybersecurity Observatory of the Unipegaso's malware lab published a detailed analysis of the Sarcoma ransomware.…
Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data…
Japan passed a law allowing preemptive offensive cyber actions, shifting from its pacifist stance to…
This website uses cookies.
