Dell EMC informed its customers that its Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance products are affected by 3 zero-day flaws.
Dell EMC informed its customers that its Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance products are affected by vulnerabilities that can be chained by an attacker to take complete control of a target system.
The flaws reside in the Avamar Installation Manager (AVI) component that is present in all the products.
- An Authentication Bypass in SecurityService; an
- Authenticated Arbitrary File Access in UserInputService; and an
- Authenticated File Upload in UserInputService.
The most severe issue tracked as CVE-2017-15548 could be exploited by a remote attacker to bypass authentication and gain root access to the system.
The flaw is related to the authentication process that is implemented via a POST request including the username, password and a parameter named wsUrl.
“User authentication is performed via a POST that includes username, password and wsURL parameters. The wsURL parameter can be an arbitrary URL that the Avamar server will send an authentication SOAP request to, that includes the user provided username and password,” reads the analysis published by Digital Defense. “If the Avamar server receives a successful SOAP response, it will return a valid session ID. The attacker doesn’t require any specific knowledge about the targeted Avamar server to generate the successful SOAP response, a generic, validly formed SOAP response will work for multiple Avamar servers.”
The second flaw, tracked as CVE-2017-15549, could be exploited by an authenticated attacker with low privileges to upload malicious files to the server.
“Authenticated users can upload arbitrary files to arbitrary locations with root privileges. This can be combined with the other two vulnerabilities to fully compromise the virtual appliance.” continues the analysis.
“The saveFileContents method of the UserInputService class takes a single string parameter and splits it on the ‘r’ character. The first half of the parameter is a path, including the filename, and the second half of the string is the data that should be written to that path. The web server is running with root privileges, so arbitrary files can be written to arbitrary locations.”
The third vulnerability tracked as CVE-2017-15550 is a path traversal issue that allows an authenticated attacker with low privileges to access arbitrary files on the server.
“Authenticated users can download arbitrary files with root privileges. This can be combined with the other two vulnerabilities to fully compromise the virtual appliance.” states the analysis.
“The getFileContents method of the UserInputService class doesn’t perform any validation of the user supplied filename parameter before retrieving the requested file from the Avamar server. Additionally, the web server runs as root, so any file can be retrieved using this vulnerability.”
By chaining the three vulnerabilities a remote attacker could take complete control of a vulnerable system.
Affected products are:
- Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4. x, 7.5.0
- NetWorker Virtual Edition 0.x, 9.1.x, 9.2.x
- Integrated Data Protection Appliance 2.0
EMC has released security fixes that address all the flaws.
(Security Affairs – Dell Data Protection Appliance, hacking)