Three Vulnerabilities – Dell Avamar Zero-Day

Three vulnerabilities have been discovered in the Avamar Installation Manager (AVI) common to a number of Dell EMC virtual appliances. Exploitation of these vulnerabilities may allow an unauthorised local attacker to gain root access to a system.

The first vulnerability exploits the “getFileContents” method of the “UserInputService” class. This method does not perform any validation of filename parameters supplied by a user before retrieving the requested file. Additionally, the web server serving these request runs as root, meaning any file can be retrieved.

The second vulnerability allows a user to upload files to an arbitrary location. The “saveFileContents” method of the “UserInputService” accepts a single string and splits it on a specific character. The first half of the string describes the filepath, with the second describing the data to be written.

The final vulnerability can be combined with the first two to fully compromise a system. Authentication is performed via a POST including username, password and wsURL parameters, an arbitrary URL used by the server to send a Simple Object Access Protocol (SOAP) request. If this SOAP request is successful a valid session ID is returned, a properly formed request will work across multiple servers.

Dell’s security advisory is here ESA-2018-001, but requires Dell EMC Online Support credentials.

Affected Platforms

  • Dell EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0
  • Dell EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x, 9.2.x
  • Dell EMC Integrated Data Protection Appliance (IDPA) 2.0

Resolution

Dell EMC have confirmed all vulnerabilities have been fixed through advisory ESA-2018-001.
EMC recommends all customers install the patches below for their respective product versions at the earliest opportunity:

EMC Avamar Server version 7.1.2 – HOTFIX 290550
EMC Avamar Server version 7.2.1 – HOTFIX 290025
EMC Avamar Server version 7.3.1 – HOTFIX 290316
EMC Avamar Server version 7.4.1 – HOTFIX 289959
EMC Avamar Server version 7.5.0 – HOTFIX 289958
EMC NetWorker Virtual Edition version 9.0.x, 9.1.x, 9.2.x – HOTFIX 290317
EMC Integrated Data Protection Appliance version 2.x – HOTFIX 581676

Workaround

Disable Avamar Installation Manager (AVI).



Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this:

Notice: ob_end_flush(): failed to send buffer of zlib output compression (0) in /home/systemte/public_html/wp-includes/functions.php on line 4339