Security researchers have discovered a set of zero-day vulnerabilities within the Dell EMC Data Protection Suite Family products which allow attackers to fully hijack systems.
Digital Defense’s Vulnerability Research Team (VRT) discovered a set of severe vulnerabilities that allowed attackers to compromise products including Dell EMC Avamar Server, NetWorker Virtual Edition, and Integrated Data Protection Appliance.
On Friday, the company disclosed three vulnerabilities which impact Avamar Installation Manager (AVI), a common component used in the suite.
By combining the bugs and modifying configuration files, attackers can fully compromise vulnerable systems.
The first vulnerability, CVE-2017-15548, is an authentication bypass bug in the software’s SecurityService. User authentication is performed via a POST request that includes a username, password, and wsUrl parameter. However, the URL parameter can be arbitrary, and attackers are able to generate valid SOAP (XML-based messaging protocol) requests to obtain valid session IDs.
The flaw can be used by threat actors to “remotely target the server and trick the authentication service into giving them administrator rights,” Mike Cotton, Vice President of Research & Development at Digital Defense told ZDNet.
The second vulnerability, CVE-2017-15549, is an authenticated arbitrary file access issue in UserInputService that allows authenticated users to download arbitrary files with root privileges.
The problem occurs as the getFileContents method of the UserInputService class doesn’t perform any validation of the user-supplied filename parameter before retrieving files from an Avamar server.
As the server runs as root, any file can be downloaded.
The third bug, CVE-2017-15550, allows authenticated users to upload arbitrary files to arbitrary locations via the UserInputService with root privileges. The saveFileContents method is at fault: the way it splits its string parameters allows the arbitrary writes.
When combined with the two other vulnerabilities, this can lead to full compromise of appliances.
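As an added example (not Dell’s or Digital Defense’s code), here are the two input checks the article describes as missing, written in Python against a hypothetical base directory and host allow-list: confining the filename handled by getFileContents/saveFileContents to one directory, and restricting wsUrl to the service’s own host. It goes slightly beyond the article by also rejecting symlink escapes and NUL bytes.

```python
# Added example, not from the article or the vendor: the validation the
# article says AVI's UserInputService and SecurityService lacked.
import os
from urllib.parse import urlparse

# Hypothetical: the only directory the file service may read from or write to.
ALLOWED_BASE = "/var/lib/avi/uploads"          # constructed path, not from the page
# Hypothetical: hosts the authentication service may be pointed at via wsUrl.
ALLOWED_WS_HOSTS = {"localhost", "127.0.0.1"}  # constructed allow-list


def safe_path(user_filename, base=ALLOWED_BASE):
    """Return the resolved path for user_filename if it stays under base,
    otherwise None.

    Rejects empty names, NUL bytes, absolute paths, '..' traversal and
    symlink escapes by comparing the fully resolved candidate against the
    resolved base directory instead of inspecting the string."""
    if not user_filename or "\x00" in user_filename:
        return None
    base_real = os.path.realpath(base)
    # os.path.join discards base if user_filename is absolute; realpath then
    # normalises '..' and follows symlinks so the prefix test below is honest.
    candidate = os.path.realpath(os.path.join(base_real, user_filename))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def ws_url_allowed(ws_url, allowed_hosts=ALLOWED_WS_HOSTS):
    """Accept a wsUrl only if it is https and names an allow-listed host,
    so the login flow cannot be redirected to an attacker-chosen endpoint."""
    parsed = urlparse(ws_url)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


if __name__ == "__main__":
    # Constructed sample inputs: one benign request and several that should fail.
    for name in ["reports/2018.log", "../../etc/passwd", "/etc/shadow", "x\x00y"]:
        print(f"{name!r:25} -> {safe_path(name)}")
    for url in ["https://localhost/services/SecurityService", "http://localhost/x",
                "https://203.0.113.5/fake-service"]:
        print(f"{url:45} -> {ws_url_allowed(url)}")
```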
“All three vulnerabilities can be combined to fully compromise the virtual appliance by modifying the sshd_config file to allow root login, uploading a new authorized_keys file for root, and a web shell to restart the SSH service,” the researchers say. “The web shell can also run commands with the same privileges as the ‘admin’ user.”
Digital Defense reported the vulnerabilities to Dell together with a proof-of-concept (PoC) example and, according to Cotton, Dell was “extremely responsive” in tackling the findings.