Vulnerabilities Found Inside Dell EMC Data Protection Products That Can Lead To 'Full Compromise'

Researchers have discovered several vulnerabilities inside Dell EMC's data protection products that allow attackers to gain full control of the systems.

Dell EMC's Avamar Server, NetWorker Virtual Edition, and Integrated Data Protection Appliance all contain a standard component – Avamar Installation Manager – which is vulnerable, according to new findings from the security technology and services firm Digital Defense. Researchers uncovered three vulnerabilities within Dell's data protection suite.

"Combining the three identified vulnerabilities, full compromise of the affected system is possible by modifying the configuration file," said Digital Defense, in a statement.

[Related: AMD Claims 'Near-Zero Risk' To Its Processors From Meltdown, Spectre Exploits]

Attackers could obtain information stored inside the appliances such as critical databases and server data, according to the firm. Vulnerabilities include an authentication bypass bug in the software's SecurityService and two faults in its authenticated arbitrary file access in UserInputService.

Dell EMC released security fixes to address the vulnerabilities on Friday.

In a statement to CRN, Dell said it created the security fixes and had alerted customers. "With software vulnerabilities a fact of life in the technology industry, Dell EMC follows best practices in managing and responding to security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance, and mitigation to address threats from vulnerabilities," said Dell.

There was also a similar problem in VMware's vSphere Data Protection backup product, which leverages Dell EMC. The product contains an authentication bypass vulnerability that allows an attacker to bypass application authentication and gain root access to the system.

VMware released a patch earlier this week detailing the issue.

Mike Cotton, vice president of research and development at Digital Defense, said in a statement that IT teams should check their data center for these products and install the patches immediately.

After the vulnerabilities were discovered, Digital Defense and Dell EMC worked together to address the vulnerabilities and find additional product versions impacted. "This is a good example of coordinated disclosure in action," said Dell.

One top executive from a solution provider – a Dell Titanium partner – said his company was reaching out to customers on Friday.

"We're reaching out to clients with the software [fix] and offering our services already," said the executive, who declined to be identified. "These things do happen to Dell because their product set is so big, but I think Dell was extremely proactive on this one … We don't expect to take a big hit financially because of this."

The Dell EMC vulnerability comes the same week as massive security flaws were found in chips from multiple vendors that have the tech industry scrambling to protect systems around the world.

The Meltdown and Spectre security flaws, discovered by security researchers last year and publicized Wednesday by media reports, are found in chips from multiple vendors, including market leader Intel. Many of Dell solutions contain Intel processors.

In a statement to CRN, Dell said its "aware of new security research describing software analysis methods related to Intel microprocessors. We are working with Intel and others in the industry to investigate and address the issue."