-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
ESA-2018-001: EMC Avamar Server, NetWorker Virtual Edition and Integrated Data
Protection Appliance Multiple Security Vulnerabilities
EMC Identifier: ESA-2018-001
CVE Identifier: CVE-2017-15548, CVE-2017-15549, CVE-2017-15550
Severity Rating: See below for each CVE.
Affected products:
EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0
EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x, 9.2.x
EMC Integrated Data Protection Appliance 2.0
Summary:
EMC Avamar Server, NetWorker Virtual Edition and Integrated Data Protection
Appliance contain a common component, Avamar(r) Installation Manager (AVI),
that is vulnerable to multiple security vulnerabilities that could be exploited
by malicious users to compromise the affected systems.
Details:
Authentication bypass vulnerability (CVE-2017-15548)
A remote unauthenticated malicious user can potentially bypass application
authentication and gain unauthorized root access to the affected systems.
CVSSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Arbitrary file upload vulnerability (CVE-2017-15549)
A remote authenticated malicious user with low privileges could potentially
upload arbitrary maliciously crafted files in any location on the server file
system.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Path traversal vulnerability (CVE-2017-15550)
A remote authenticated malicious user with low privileges could access
arbitrary files on the server file system in the context of the running
vulnerable application.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Resolution:
EMC recommends all customers install the patches below for their respective
product versions at the earliest opportunity:
EMC Avamar Server version 7.1.2 - HOTFIX 290550
EMC Avamar Server version 7.2.1 - HOTFIX 290025
EMC Avamar Server version 7.3.1 - HOTFIX 290316
EMC Avamar Server version 7.4.1 - HOTFIX 289959
EMC Avamar Server version 7.5.0 - HOTFIX 289958
EMC NetWorker Virtual Edition version 9.0.x, 9.1.x, 9.2.x - HOTFIX 290317
EMC Integrated Data Protection Appliance version 2.x - HOTFIX 581676
Workaround:
Disable Avamar Installation Manager (AVI).
Link To Remedies:
Registered EMC Online Support customers can download the hotfix from the links
below:
EMC Avamar:
EMC Avamar Server version 7.1.2 - HOTFIX 290550
EMC Avamar Server version 7.2.1 - HOTFIX 290025
EMC Avamar Server version 7.3.1 - HOTFIX 290316
EMC Avamar Server version 7.4.1 - HOTFIX 289959
EMC Avamar Server version 7.5.0 - HOTFIX 289958
For Avamar hotfix installation instructions, refer to KB article 513978: How to
install Avamar hotfix using installation manager
EMC NetWorker:
EMC NetWorker Virtual Edition 9.0.x, 9.1.x, 9.2.x - HOTFIX 290317
See the corresponding NetWorker version Cumulative hotfixes document available
at https://support.emc.com/downloads/1095_NetWorker for download details.
For hotfix installation instructions, refer to KB article 514377: NetWorker
Virtual Edition (NVE): How to install a hotfix
EMC Integrated Data Protection Appliance:
Customers should contact Integrated Data Protection Appliance to receive the
hotfix 581676
Credit:
EMC would like to thank Michael Cramer, Vulnerability Research Team, Digital
Defense Inc for reporting these issues.
[The following is standard text included in all security advisories. Please do
not change or delete.]
Read and use the information in this EMC Security Advisory to assist in
avoiding any situation that might arise from the problems described herein. If
you have any questions regarding this product alert, contact EMC Software
Technical Support at 1-877-534-2867.
For an explanation of Severity Ratings, refer to EMC Knowledgebase solution
emc218831. EMC recommends all customers take into account both the base score
and any relevant temporal and environmental scores which may impact the
potential severity associated with particular security vulnerability.
EMC recommends that all users determine the applicability of this information
to their individual situations and take appropriate action. The information set
forth herein is provided "as is" without warranty of any kind. EMC disclaims
all warranties, either express or implied, including the warranties of
merchantability, fitness for a particular purpose, title and non-infringement.
In no event, shall EMC or its suppliers, be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages, even if EMC or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages, so the
foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJaTjZ4AAoJEHbcu+fsE81ZlYAH/2EoFh9d93K3oy54sgLisDuR
sNUPrUNxXSRsnFVUubZ/AF7eJcNAEUwIdcoameMK61iwMx1B8C4hEKFBdHf/mYEn
cy9dBqlr/7dbsEyH3PP4EoK9CT3nPkq4QnlQW6NyRGyX8SEpX9x7WtL7YQDmKtVw
xh1tj4ayqfzd7RimE2yDRZl7qqFd3FeC3G5q2HrD2Inoc5w44m01KQs33/0wUiQM
EwHk0+zEVGpR6ed8a9bvQ+ciw1lX2fW0Q2Pw6MUoMowDa5JUaGSuxe2BpwsI9RT+
euuvgHPCGti6n7nQTuqntYSLhsED8egjPC8xji/tbd+SW6F2UB3Esaiavxbagpo=
=XXmy
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
