[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability
- To: "'fulldisclosure@xxxxxxxxxxxx'" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability
- From: EMC Product Security Response Center <Security_Alert@xxxxxxx>
- Date: Thu, 5 Apr 2018 19:16:28 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance
Installation Manager Missing Access Control Vulnerability
Dell EMC Identifier: DSA-2018-025
CVE Identifier: CVE-2018-1217
Severity: High
Severity Rating: CVSS v3 Base Score:: 7.2 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Affected products:
Dell EMC Avamar Server 7.3.1
Dell EMC Avamar Server 7.4.1
Dell EMC Avamar Server 7.5.0
Dell EMC Integrated Data Protection Appliance 2.0
Dell EMC Integrated Data Protection Appliance 2.1
Summary:
Dell EMC Avamar Installation Manager component, within Dell EMC Avamar Server
and Integrated Data Protection Appliance, is affected by a missing access
control vulnerability.
Details:
Avamar Installation Manager is affected by a missing access control check
vulnerability which could potentially allow a remote unauthenticated attacker
to read or change the Local Download Service (LDLS) credentials. The LDLS
credentials are used to connect to Dell EMC Online Support. If the LDLS
configuration was changed to an invalid configuration, then Avamar Installation
Manager may not be able to connect to Dell EMC Online Support web site
successfully. The remote unauthenticated attacker can also read and use the
credentials to login to Dell EMC Online Support, impersonating the AVI service.
Resolution:
The following Dell EMC Avamar releases contain resolutions to this
vulnerability:
* Avamar 7.3.1 - HOTFIX 290316
* Avamar 7.4.1 - HOTFIX 291882
* Avamar 7.5.0 - HOTFIX 291881
* Customers who have Integrated Data Protection Appliance 2.0 can apply
Avamar 7.4.1 - HOTFIX 291882
* Customers who have Integrated Data Protection Appliance 2.1 can apply
Avamar 7.5.0 - HOTFIX 291881
Dell EMC recommends all customers apply these customer installable hotfixes at
the earliest opportunity.
Refer to KB Article 513978 for instructions on applying the hotfix. Please note
that applying the hotfix does not require a reboot or shutdown.
Link to remedies:
* Avamar 7.3.1 - HOTFIX 290316
https://download.emc.com/downloads/DL87396_Avamar_7.3.1_Hotfix_290316_for_Multiple_Authentication_Bypass_Security_Vulnerabilities.avp?source=OLS
* Avamar 7.4.1 - HOTFIX 291882
https://download.emc.com/downloads/DL88301_Hotfix_291882:_Dell_EMC_Avamar_7.4.1_and_Integrated_Data_Protection_Appliance_2.0_Installation_Manager_Missing_Access_Control_Vulnerability_(CVE-2018-1217).avp?source=OLS
* Avamar 7.5.0 - HOTFIX 291881
https://download.emc.com/downloads/DL88307_Hotfix_291881:_Dell_EMC_Avamar_7.5.0_Installation_Manager_Missing_Access_Control_Vulnerability_(CVE-2018-1217).avp?source=OLS
* Integrated Data Protection Appliance 2.0 - HOTFIX 291882
https://download.emc.com/downloads/DL88301_Hotfix_291882:_Dell_EMC_Avamar_7.4.1_and_Integrated_Data_Protection_Appliance_2.0_Installation_Manager_Missing_Access_Control_Vulnerability(CVE-2018-1217).avp?source=OLS
* Integrated Data Protection Appliance 2.1 - HOTFIX 291881
https://download.emc.com/downloads/DL88307_Hotfix_291881:_Dell_EMC_Avamar_7.5.0_Installation_Manager_Missing_Access_Control_Vulnerability_(CVE-2018-1217).avp?source=OLS
Credit:
Dell EMC would like to thank Kapil Khot from Qualys Vulnerability
Signature/Research Team for discovering and reporting this vulnerability.
Read and use the information in this Dell EMC Security Advisory to assist in
avoiding any situation that might arise from the problems described herein. If
you have any questions regarding this product alert, contact Dell EMC Software
Technical Support at 1-877-534-2867.
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase
solution emc218831. Dell EMC recommends all customers take into account both
the base score and any relevant temporal and environmental scores which may
impact the potential severity associated with particular security vulnerability.
Dell EMC recommends that all users determine the applicability of this
information to their individual situations and take appropriate action. The
information set forth herein is provided "as is" without warranty of any kind.
Dell EMC disclaims all warranties, either express or implied, including the
warranties of merchantability, fitness for a particular purpose, title and
non-infringement. In no event, shall Dell EMC or its suppliers, be liable for
any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Dell EMC or its suppliers
have been advised of the possibility of such damages. Some states do not allow
the exclusion or limitation of liability for consequential or incidental
damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJaxmHGAAoJEHbcu+fsE81ZRtoH/RYsP9wVgHlEUAzJ3ZNgJumu
+rXt4amwIW0x8X3bv0DI1ftIrO8sb7TDJ3c234Ax4wR1IZUHQDuIfjf1qqKgpved
Zjo/WKSK4goY7ieD4+9ORGZc9nmHsoAHO1U1o77jcf5jkSwrPIFGCXok1efLJBcE
YNQgwbd6e7kGpmWkesGMqLpMGQi3TFzxwnbuVsG6iiEU1eFw07LvpV9PONdGMbLO
OHVZ6c/Da/FU5dcDWFSFBC+XaI9DJq89mdkyvgLS8NpqfzW0RF0x3kzjEBWfev3k
0J5dSueulLUoDfBOPIrypBvjtzNVhxWvUHcv/j+ozSIhUia9JMWJ8W8rVnR8BHw=
=MhV3
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/