Vulnerabilities Found Inside Dell EMC Data Protection Products That Can Lead To 'Full Compromise'


Researchers have discovered several vulnerabilities inside Dell EMC's data protection products that allow attackers to gain full control of the systems.

Dell EMC's Avamar Server, NetWorker Virtual Edition, and Integrated Data Protection Appliance all contain a standard component – Avamar Installation Manager – which is vulnerable, according to new findings from the security technology and services firm Digital Defense. Researchers uncovered three vulnerabilities within Dell's data protection suite.

"Combining the three identified vulnerabilities, full compromise of the affected system is possible by modifying the configuration file," said Digital Defense, in a statement.

[Related: AMD Claims 'Near-Zero Risk' To Its Processors From Meltdown, Spectre Exploits]

Attackers could obtain information stored inside the appliances, such as critical databases and server data, according to the firm. The vulnerabilities include an authentication bypass bug in the software's SecurityService and two authenticated arbitrary file access flaws in its UserInputService.

Dell EMC released security fixes to address the vulnerabilities on Friday.

In a statement to CRN, Dell said it created the security fixes and had alerted customers. "With software vulnerabilities a fact of life in the technology industry, Dell EMC follows best practices in managing and responding to security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance, and mitigation to address threats from vulnerabilities," said Dell.

There was also a similar problem in VMware's vSphere Data Protection backup product, which is built on Dell EMC technology. The product contains an authentication bypass vulnerability that allows an attacker to bypass application authentication and gain root access to the system.

VMware released a patch earlier this week, along with details of the issue.

Mike Cotton, vice president of research and development at Digital Defense, said in a statement that IT teams should check their data center for these products and install the patches immediately.

After the vulnerabilities were discovered, Digital Defense and Dell EMC worked together to address them and to identify additional affected product versions. "This is a good example of coordinated disclosure in action," said Dell.

One top executive from a solution provider – a Dell Titanium partner – said his company was reaching out to customers on Friday.