Researchers uncover flaws capable of hijacking Dell EMC’s Data Protection Suite

Researchers from Digital Defense have uncovered zero-day vulnerabilities that allow hackers to hijack systems within the Dell EMC Data Protection Suite Family products.

Released last January, Dell EMC’s suite of protection software comes in five different models, but during a recent scan of its products, Digital Defense’s Vulnerability Research Team (VRT) encountered critical vulnerabilities that enabled attackers to compromise the Dell EMC Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance.

On Friday morning, Digital Defense reported on the three specific vulnerabilities impacting the Avamar Installation, a common component in Dell’s protection suite software. Combining these bugs with modification of files on the appliance opens the door for attackers to fully compromise the system.

Dell EMC has since released security fixes to address the issues. (Link requires Dell EMC Online Support credentials).

Dell EMC responded promptly to the issues and together with VRT staff, verified the fixes for the security issues, according to Friday’s VRT blog post.

One of the vulnerabilities, CVE-2017-15548, is an authentication bypass bug in the software’s SecurityService function. A POST request that includes a username, password and wsUrl is required for user authentication, but according to VRT’s report, the wsUrl parameter is not validated, so the Avamar server sends the authentication SOAP request, which includes the username and password, to the URL given in the POST.

“An attacker doesn’t require any specific knowledge about the targeted Avamar server to generate a successful SOAP response,” explained VRT researchers. The second vulnerability, CVE-2017-15549, is an authenticated arbitrary file upload in UserInputService. Because the server runs with root privileges, files can be uploaded to any location on it.
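For the authentication-bypass bug described above, the following is an added illustration and not Dell EMC’s or Digital Defense’s code: a toy SecurityService-style login handler that makes the same mistake (letting the client choose, via wsUrl, which server decides whether the credentials are valid), beside a pinned version that ignores the submitted URL and logs the attempt. The SOAP “network” is a lookup table of hypothetical servers so the example runs offline; the pinned URL, user store and server names are constructed.

```python
"""Added example (not Dell EMC's code): a toy SecurityService-style login that
reproduces the trust flaw behind CVE-2017-15548, next to a pinned version.
The SOAP transport is a lookup table of hypothetical servers so the example
runs offline; the URL, credentials and server names are constructed."""
from typing import Callable, Dict, List, Mapping

# A responder plays the role of the server behind a wsUrl: given the submitted
# credentials it returns the SOAP-style status the login handler will parse.
Responder = Callable[[str, str], Dict[str, str]]
Transport = Callable[[str, str, str], Dict[str, str]]


def make_transport(servers: Mapping[str, Responder]) -> Transport:
    """Build a fake network: wsUrl -> responder. Unknown URLs fail to connect."""
    def send_soap(ws_url: str, username: str, password: str) -> Dict[str, str]:
        responder = servers.get(ws_url)
        if responder is None:
            raise ConnectionError(f"no server at {ws_url}")
        return responder(username, password)
    return send_soap


# Constructed credential store for the legitimate authentication backend.
LEGIT_USERS = {"admin": "constructed-admin-password"}
# Assumed configuration value: the only backend the appliance should ever ask.
PINNED_WS_URL = "https://127.0.0.1:9443/services/authentication"


def legit_backend(username: str, password: str) -> Dict[str, str]:
    """Checks the credentials against the real user store."""
    ok = LEGIT_USERS.get(username) == password
    return {"status": "success" if ok else "failure"}


def permissive_backend(username: str, password: str) -> Dict[str, str]:
    """A server that reports success regardless of credentials. Any host the
    requester controls can answer this way, which is why trusting the
    submitted wsUrl is an authentication bypass."""
    return {"status": "success"}


def login_vulnerable(form: Dict[str, str], transport: Transport) -> bool:
    """Treats whatever wsUrl the client submitted as the authentication
    authority, so the client picks who decides whether the password is right."""
    resp = transport(form["wsUrl"], form["username"], form["password"])
    return resp.get("status") == "success"


AUDIT_LOG: List[str] = []


def login_hardened(form: Dict[str, str], transport: Transport) -> bool:
    """Ignores the submitted wsUrl, always asks the pinned backend, and records
    any attempt to steer authentication elsewhere for the SOC to review."""
    submitted = form.get("wsUrl")
    if submitted and submitted != PINNED_WS_URL:
        AUDIT_LOG.append(
            f"login for {form['username']!r} submitted foreign wsUrl {submitted!r}"
        )
    resp = transport(PINNED_WS_URL, form["username"], form["password"])
    return resp.get("status") == "success"


# Demo network: the real backend plus one permissive host (both constructed).
DEMO_TRANSPORT = make_transport({
    PINNED_WS_URL: legit_backend,
    "http://permissive.invalid/soap": permissive_backend,
})

if __name__ == "__main__":
    form = {"username": "nobody", "password": "wrong",
            "wsUrl": "http://permissive.invalid/soap"}
    print("vulnerable:", login_vulnerable(form, DEMO_TRANSPORT))  # True: bypassed
    print("hardened:  ", login_hardened(form, DEMO_TRANSPORT))    # False
    print(AUDIT_LOG)
```

The design point is that the authority for a credential check must be fixed by server-side configuration, never by a request field; the audit entry also gives a detection hook, since a legitimate client has no reason to name a different wsUrl.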

Lastly, CVE-2017-15550, which is authenticated arbitrary file access in UserInputService, allows attackers to upload arbitrary files to any location with root privileges.

“All three vulnerabilities can be combined to fully compromise the virtual appliance by modifying the sshd_config file to allow root login, uploading a new authorized_keys file for root, and a web shell to restart the SSH service,” said VRT researchers. “The web shell can also run commands with the same privileges as the ‘admin’ user.”
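The chain the researchers describe leaves two concrete traces on the appliance: a sshd_config that permits root login and an authorized_keys file for root containing a key the administrators never installed. The following is an added host-side check for exactly those two artefacts; it is not from the article, Digital Defense or Dell EMC. It takes the file contents as text so it runs offline on constructed samples (the key blobs are made-up bytes, not real keys); on a live system you would feed it /etc/ssh/sshd_config and /root/.ssh/authorized_keys and a set of fingerprints taken from a known-good baseline.

```python
"""Added example (not from the article or Dell EMC): a check for the two
post-exploitation changes the researchers describe, a root-login-enabling
sshd_config and an authorized_keys file for root with an unknown key.
Inputs are plain text so the check runs offline on constructed samples."""
import base64
import hashlib
from typing import List, Optional, Set, Tuple

Finding = Tuple[str, str]  # (finding code, detail)


def effective_permit_root_login(sshd_config: str) -> Optional[str]:
    """Return the global PermitRootLogin value, lower-cased. sshd keeps the
    first value it sees, and anything after a Match block is conditional,
    so parsing stops there. None means the directive is unset."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def key_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unknown_keys(authorized_keys: str, known: Set[str]) -> List[str]:
    """Fingerprints present in authorized_keys but absent from the baseline.
    Lines may carry leading options, so the blob is the field after the
    first key-type token. Undecodable lines are reported as 'malformed'."""
    found: List[str] = []
    for raw in authorized_keys.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        blob = None
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                blob = fields[i + 1]
                break
        if blob is None:
            found.append("malformed:" + line[:40])
            continue
        try:
            fp = key_fingerprint(blob)
        except (ValueError, base64.binascii.Error):
            found.append("malformed:" + line[:40])
            continue
        if fp not in known:
            found.append(fp)
    return found


def audit_ssh(sshd_config: str, authorized_keys: str, known: Set[str]) -> List[Finding]:
    """Combine both checks into a list of findings; empty means clean."""
    findings: List[Finding] = []
    if effective_permit_root_login(sshd_config) == "yes":
        findings.append(("permit-root-login",
                         "PermitRootLogin yes allows password and key logins as root"))
    for fp in unknown_keys(authorized_keys, known):
        findings.append(("unknown-root-key", fp))
    return findings


# Constructed samples: the blobs are arbitrary bytes standing in for key data.
KNOWN_BLOB = base64.b64encode(b"constructed bytes for the admin's baseline key").decode()
PLANTED_BLOB = base64.b64encode(b"constructed bytes for a key nobody installed").decode()
KNOWN_FINGERPRINTS = {key_fingerprint(KNOWN_BLOB)}

SAMPLE_SSHD_CONFIG = """# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""
SAMPLE_AUTHORIZED_KEYS = f"""ssh-ed25519 {KNOWN_BLOB} admin@appliance
ssh-ed25519 {PLANTED_BLOB} root@nowhere
"""

if __name__ == "__main__":
    for code, detail in audit_ssh(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"{code}: {detail}")
```

Comparing fingerprints against a baseline rather than pattern-matching the file keeps the check honest when an attacker appends a key with a familiar-looking comment; the sshd_config parser honours first-match-wins so a benign `PermitRootLogin no` placed later in the file does not mask an earlier `yes`.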

Alex Coop
Former Editorial Director for IT World Canada and its sister publications.
