Three vulnerabilities have been discovered in the Avamar Installation Manager (AVI) common to a number of Dell EMC virtual appliances. Exploitation of these vulnerabilities may allow an unauthorised local attacker to gain root access to a system.
The first vulnerability exploits the “getFileContents” method of the “UserInputService” class. This method does not perform any validation of filename parameters supplied by a user before retrieving the requested file. Additionally, the web server serving these request runs as root, meaning any file can be retrieved.
The second vulnerability allows a user to upload files to an arbitrary location. The “saveFileContents” method of the “UserInputService” accepts a single string and splits it on a specific character. The first half of the string describes the filepath, with the second describing the data to be written.
The final vulnerability can be combined with the first two to fully compromise a system. Authentication is performed via a POST including username, password and wsURL parameters, an arbitrary URL used by the server to send a Simple Object Access Protocol (SOAP) request. If this SOAP request is successful a valid session ID is returned, a properly formed request will work across multiple servers.
Dell’s security advisory is here ESA-2018-001, but requires Dell EMC Online Support credentials.
- Dell EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0
- Dell EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x, 9.2.x
- Dell EMC Integrated Data Protection Appliance (IDPA) 2.0
Dell EMC have confirmed all vulnerabilities have been fixed through advisory ESA-2018-001.
EMC recommends all customers install the patches below for their respective product versions at the earliest opportunity:
EMC Avamar Server version 7.1.2 – HOTFIX 290550
EMC Avamar Server version 7.2.1 – HOTFIX 290025
EMC Avamar Server version 7.3.1 – HOTFIX 290316
EMC Avamar Server version 7.4.1 – HOTFIX 289959
EMC Avamar Server version 7.5.0 – HOTFIX 289958
EMC NetWorker Virtual Edition version 9.0.x, 9.1.x, 9.2.x – HOTFIX 290317
EMC Integrated Data Protection Appliance version 2.x – HOTFIX 581676
Disable Avamar Installation Manager (AVI).