Published: January 9th, 2018

Researchers from Digital Defense have uncovered zero-day vulnerabilities that allow hackers to hijack systems within the Dell EMC Data Protection Suite Family products.

Released last January, Dell EMC’s suite of protection software comes in five different models. During a recent scan of its products, Digital Defense’s Vulnerability Research Team (VRT) encountered critical vulnerabilities that enabled attackers to compromise the Dell EMC Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance.

On Friday morning, Digital Defense reported on the three specific vulnerabilities impacting the Avamar Installation, a common component in Dell’s protection suite software. A combination of these bugs and modification of files opens the door for attackers to fully compromise the system.

Dell EMC has since released security fixes to address the issues (the link requires Dell EMC Online Support credentials).

Dell EMC responded promptly to the issues and, together with VRT staff, verified the fixes for the security issues, according to Friday’s VRT blog post.

One of the vulnerabilities, CVE-2017-15548, is an authentication bypass bug in the software’s SecurityService function. A POST request that includes a username, password and wsUrl is required for user authentication, but according to VRT’s report, the URL parameter is unspecified, allowing the Avamar server to send an authentication SOAP request. The request includes a username and password.

“An attacker doesn’t require any specific knowledge about the targeted Avamar server to generate a successful SOAP response,” explained VRT researchers.

The second vulnerability, CVE-2017-15549, is an authenticated arbitrary file upload in UserInputService. Because the server is running with root privileges, any file on it can be uploaded.

Lastly, CVE-2017-15550, which is authenticated arbitrary file access in UserInputService, allows attackers to upload arbitrary files to any location with root privileges.

“All three vulnerabilities can be combined to fully compromise the virtual appliance by modifying the sshd_config file to allow root login, uploading a new authorized_keys file for root, and a web shell to restart the SSH service,” said VRT researchers. “The web shell can also run commands with the same privileges as the ‘admin’ user.”
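
The two SSH changes named in that chain (root login enabled in sshd_config, a replaced authorized_keys file for root) can be checked for on an appliance. The following Python sketch is an added example, not code from Digital Defense or Dell EMC: it reads the effective PermitRootLogin setting the way sshd does (first value wins, Match blocks reported separately) and compares root's keys against an allowlist of fingerprints. The function names, the allowlist and the sample data are assumptions made for illustration, and Include directives are not followed.

```python
import base64
import hashlib

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # public key type names start with these

def permit_root_login(config_text):
    """Return (global value or None, [(Match criteria, value), ...])."""
    global_value, overrides, match = None, [], None
    for raw in config_text.splitlines():
        tokens = raw.strip().replace("=", " ", 1).split()  # "Key value" or "Key=value"
        if not tokens or tokens[0].startswith("#"):
            continue
        keyword = tokens[0].lower()  # sshd keywords are case-insensitive
        if keyword == "match":
            match = " ".join(tokens[1:])  # block runs to the next Match or EOF
        elif keyword == "permitrootlogin" and len(tokens) > 1:
            value = tokens[1].strip('"').lower()
            if match is not None:
                overrides.append((match, value))
            elif global_value is None:  # sshd keeps the first value it reads
                global_value = value
    return global_value, overrides

def key_fingerprints(authorized_keys_text):
    """SHA256 fingerprints (`ssh-keygen -l` form); options may precede the key type."""
    prints = set()
    for raw in authorized_keys_text.splitlines():
        tokens = raw.split()
        idx = next((i for i, t in enumerate(tokens[:-1]) if t.startswith(KEY_PREFIXES)), None)
        if idx is not None and not tokens[0].startswith("#"):
            digest = hashlib.sha256(base64.b64decode(tokens[idx + 1])).digest()
            prints.add("SHA256:" + base64.b64encode(digest).decode().rstrip("="))
    return prints

def audit(sshd_config_text, root_keys_text, approved):
    """List deviations from 'root login off, only approved root keys'."""
    value, overrides = permit_root_login(sshd_config_text)
    # An unset keyword (None) is reported: the default depends on the sshd version.
    findings = [] if value == "no" else [f"global PermitRootLogin is {value}"]
    findings += [f"Match {m}: PermitRootLogin {v}" for m, v in overrides if v != "no"]
    unknown = key_fingerprints(root_keys_text) - approved
    return findings + [f"unapproved root key {fp}" for fp in sorted(unknown)]

# Constructed sample data: the blobs are placeholder bytes, not real keys.
GOOD_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed-admin-key").decode() + " ops"
ROGUE_KEY = "ssh-rsa " + base64.b64encode(b"constructed-unknown-key").decode() + " x"
TAMPERED_CONFIG = "Port 22\npermitrootlogin yes\n# hardening\nPermitRootLogin no\n"

if __name__ == "__main__":
    print(audit(TAMPERED_CONFIG, GOOD_KEY + "\n" + ROGUE_KEY, key_fingerprints(GOOD_KEY)))
```

The constructed config shows why a plain search for `PermitRootLogin no` is not sufficient: an earlier `permitrootlogin yes` line takes precedence, so the later hardening line has no effect.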