Researchers uncover flaws capable of hijacking Dell EMC’s Data Protection Suite

Researchers from Digital Defense have uncovered zero-day vulnerabilities that allow hackers to hijack systems within the Dell EMC Data Protection Suite Family products.

Released last January, Dell EMC’s suite of protection software comes in five different models, but during a recent scan of its products, Digital Defense’s Vulnerability Research Team (VRT) encountered critical vulnerabilities that enabled attackers to compromise the Dell EMC Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance.

On Friday morning, Digital Defense reported on the three specific vulnerabilities impacting the Avamar Installation, a common component in Dell’s protection suite software. A combination of these bugs and modification of files open the door for attackers to fully compromise the system.

Dell EMC has since released security fixes to address the issues. (Link requires Dell EMC Online Support credentials).

Dell EMC responded promptly to the issues and together with VRT staff, verified the fixes for the security issues, according to Friday’s VRT blog post.

One of the vulnerabilities, CVE-2017-15548, is an authentication bypass bug in the software’s SecurityService function. A POST request that includes a username, password and wsUrl is required for user authentication, but according to VRT’s report the URL parameter is left unspecified, allowing the Avamar server to send an authentication SOAP request that includes a username and password.

“An attacker doesn’t require any specific knowledge about the targeted Avamar server to generate a successful SOAP response,” explained VRT researchers. The second vulnerability, CVE-2017-15549, is an authenticated arbitrary file upload in UserInputService. Because the server is running with root privileges, any file on it can be uploaded.

Lastly, CVE-2017-15550, which is authenticated arbitrary file access in UserInputService, allows attackers to upload arbitrary files to any location with root privileges.

“All three vulnerabilities can be combined to fully compromise the virtual appliance by modifying the sshd_config file to allow root login, uploading a new authorized_keys file for root, and a web shell to restart the SSH service,” said VRT researchers. “The web shell can also run commands with the same privileges as the ‘admin’ user.”
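A defensive check that follows from that chain, written here as an added example rather than code from the article, Digital Defense or Dell EMC: a small Python audit that reports a global `PermitRootLogin yes` in sshd_config and any key in root's authorized_keys that is missing from a known-good baseline. The config text and key blobs are constructed sample data, not real keys.

```python
import base64
import hashlib
import re

# Constructed sample data: labelled blobs, NOT real SSH keys, so the logic runs offline.
_BLOB_BASELINE = base64.b64encode(b"constructed baseline root key").decode()
_BLOB_ROGUE = base64.b64encode(b"constructed key added after compromise").decode()

SAMPLE_SSHD_CONFIG = """\
# sshd_config as it would look after the chain described in the article
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
"""
BASELINE_AUTHORIZED_KEYS = f"ssh-ed25519 {_BLOB_BASELINE} ops@jumphost\n"
SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {_BLOB_BASELINE} ops@jumphost\n"
    f"no-pty ssh-ed25519 {_BLOB_ROGUE} unknown\n"
)


def permit_root_login(sshd_config_text):
    """Effective global PermitRootLogin: sshd keeps the FIRST occurrence, keywords
    are case-insensitive, and anything after a Match line is conditional."""
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # later Match blocks only apply to matching connections
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "prohibit-password"  # OpenSSH default since 7.0


def key_fingerprints(authorized_keys_text):
    """OpenSSH-style SHA256 fingerprints of each key; options such as no-pty may
    precede the key type (options containing spaces are split naively)."""
    fps = []
    for raw in authorized_keys_text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
                fps.append("SHA256:" + base64.b64encode(digest).decode().rstrip("="))
                break
    return fps


def audit(sshd_config_text, authorized_keys_text, baseline_fps):
    """Findings matching the article's chain: root login enabled, unknown root keys."""
    findings = []
    if permit_root_login(sshd_config_text) == "yes":
        findings.append("PermitRootLogin yes (interactive root login permitted)")
    known = set(baseline_fps)
    for fp in key_fingerprints(authorized_keys_text):
        if fp not in known:
            findings.append(f"unknown root authorized key {fp}")
    return findings
```

Run it against the real `/etc/ssh/sshd_config` and `/root/.ssh/authorized_keys` from a trusted baseline snapshot to spot the two file changes the chain depends on.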

Alex Coop
Former Editorial Director for IT World Canada and its sister publications.
