Avamar Zero-Day

By Fortra's Digital Defense

Today Digital Defense is disclosing three vulnerabilities in Dell EMC Data Protection Suite Family products discovered by the Digital Defense Vulnerability Research Team (VRT). VRT would like to commend Dell EMC for their prompt handling and diligent attention to the issues, and for their work with Digital Defense engineering staff to understand, resolve and verify the fixes for these security issues.

Dell EMC Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance share a common component, Avamar Installation Manager (AVI), which is affected by the disclosed vulnerabilities. Dell EMC has released security fixes to address them. The fixes can be obtained through security advisory ESA-2018-001 (requires Dell EMC Online Support credentials).

For more details on Dell EMC Vulnerability Response Policy see https://www.emc.com/products/security/product-security-response-center.htm .

Please contact your Dell EMC technical support representative for assistance or further information.

Clients who currently use Digital Defense’s Frontline Vulnerability Manager™ platform can check for the presence of these issues by performing a full vulnerability assessment scan.

Details of the vulnerabilities are as follows:

Vendor: Dell EMC

Products:

  • Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0
  • NetWorker Virtual Edition 9.0.x, 9.1.x, 9.2.x
  • Integrated Data Protection Appliance 2.0

Link: https://www.dellemc.com/en-us/data-protection/data-protection-suite/index.htm


Summary:

DDI-VRT-2017-06: Authentication Bypass in SecurityService
DDI-VRT-2017-07: Authenticated Arbitrary File Access in UserInputService
DDI-VRT-2017-08: Authenticated File Upload in UserInputService


While Avamar Installation Manager is generally not Internet accessible given the nature of the application, a number of instances were found publicly exposed.

Details:

Vulnerability: Authentication Bypass in SecurityService

CVE ID: CVE-2017-15548

Impact: An unauthenticated attacker can obtain a valid session. The authentication bypass can be combined with the other two vulnerabilities to fully compromise the virtual appliance.

Details: User authentication is performed via a POST that includes username, password and wsURL parameters. The wsURL parameter may be an arbitrary URL: the Avamar server sends an authentication SOAP request containing the supplied username and password to that URL, and if it receives a successful SOAP response it returns a valid session ID. The attacker needs no knowledge specific to the targeted Avamar server to produce such a response; a generic, validly formed SOAP success response works against multiple Avamar servers.
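To make the flaw concrete, the following added example (not Avamar's code; the SOAP body, URLs, function names and credentials are all constructed for illustration) models a login handler that forwards the submitted credentials to whatever endpoint the client names in wsURL, next to a hardened handler that only ever consults a server-configured authenticator. An in-process dictionary stands in for the network so the block runs offline.

```python
"""Illustrative reconstruction of the CVE-2017-15548 pattern: a login handler
that forwards the submitted credentials to a SOAP endpoint chosen by the
client (the wsURL parameter) and trusts whatever that endpoint answers.
This is NOT Avamar's code; the SOAP body, URLs and names are constructed."""
import secrets
import xml.etree.ElementTree as ET

# Assumed: the one authenticator the appliance should ever consult.
TRUSTED_WS_URL = "https://avamar.internal/ws/SecurityService"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def soap_login_response(success):
    """Constructed 'generic, validly formed' SOAP reply. Nothing in it is
    specific to a target, which is why one response fits any server."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
        f"<loginResponse><return>{'true' if success else 'false'}</return>"
        "</loginResponse></soapenv:Body></soapenv:Envelope>"
    )


def soap_says_success(body):
    root = ET.fromstring(body)
    node = root.find(".//return")
    return node is not None and (node.text or "").strip() == "true"


# Constructed stand-in for the network: URL -> what that endpoint answers.
def legitimate_backend(username, password):
    return soap_login_response((username, password) == ("admin", "correct-horse"))


def attacker_endpoint(username, password):
    return soap_login_response(True)  # says yes to every credential pair


ENDPOINTS = {
    TRUSTED_WS_URL: legitimate_backend,
    "http://attacker.example/anything": attacker_endpoint,
}


def send_soap_login(url, username, password):
    if url not in ENDPOINTS:
        raise ConnectionError(f"no route to {url}")
    return ENDPOINTS[url](username, password)


def new_session_id():
    return secrets.token_hex(16)


def login_vulnerable(params):
    """The flaw: the client names the authenticator it is checked against."""
    body = send_soap_login(params["wsURL"], params["username"], params["password"])
    return new_session_id() if soap_says_success(body) else None


def login_hardened(params):
    """Fix: the authenticator is server configuration, never request data.
    A client-supplied wsURL that disagrees is rejected outright."""
    if params.get("wsURL", TRUSTED_WS_URL) != TRUSTED_WS_URL:
        return None
    body = send_soap_login(TRUSTED_WS_URL, params["username"], params["password"])
    return new_session_id() if soap_says_success(body) else None


if __name__ == "__main__":
    bad = {"username": "admin", "password": "wrong",
           "wsURL": "http://attacker.example/anything"}
    print("vulnerable:", login_vulnerable(bad))  # a session ID despite the wrong password
    print("hardened:  ", login_hardened(bad))    # None
```

The hardened variant treats a wsURL that differs from configuration as hostile rather than silently ignoring it, so the attempt is visible in logs; if the endpoint genuinely must be configurable, it should come from an administrator-controlled setting, never from the request.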

All three vulnerabilities can be combined to fully compromise the virtual appliance: modify the sshd_config file to allow root login, upload a new authorized_keys file for root, and upload a web shell that is used to restart the SSH service. The web shell can also run commands with the same privileges as the “admin” user.


Vulnerability: Authenticated Arbitrary File Access in UserInputService

CVE ID: CVE-2017-15550

Impact: Authenticated users can download arbitrary files with root privileges. This can be combined with the other two vulnerabilities to fully compromise the virtual appliance.

Details: The getFileContents method of the UserInputService class performs no validation of the user-supplied filename parameter before reading the requested file from the Avamar server. Because the web server runs as root, any file on the appliance can be retrieved through this vulnerability.


Vulnerability: Authenticated File Upload in UserInputService

CVE ID: CVE-2017-15549

Impact: Authenticated users can upload arbitrary files to arbitrary locations with root privileges. This can be combined with the other two vulnerabilities to fully compromise the virtual appliance.

Details: The saveFileContents method of the UserInputService class takes a single string parameter and splits it on the “\r” character: the portion before it is a path, including the filename, and the portion after it is the data to be written to that path. Because the web server runs as root, arbitrary files can be written to arbitrary locations.
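The two UserInputService issues are the same defect in two directions: a client-supplied path is used as given. The following added example (not Avamar's code; the class and method names, the directory layout and the sample files are constructed, and only the path-“\r”-data request format comes from the description above) shows the unconfined read and write next to a version that resolves every path and refuses anything that leaves the service root.

```python
"""Illustrative reconstruction of the two UserInputService flaws
(CVE-2017-15550 read, CVE-2017-15549 write) beside a confined version.
Not Avamar's code: class, method and directory names are constructed;
only the '<path>\\r<data>' request format comes from the advisory text."""
import os
import shutil
import tempfile


def parse_save_request(payload):
    """saveFileContents-style input: '<path>\\r<data>', split on the first CR."""
    path, sep, data = payload.partition("\r")
    if not sep:
        raise ValueError("expected '<path>\\r<data>'")
    return path, data


class UnconfinedFileService:
    """What the advisory describes: the filename is used exactly as given."""

    def get_file_contents(self, filename):
        with open(filename, encoding="utf-8") as fh:
            return fh.read()

    def save_file_contents(self, payload):
        path, data = parse_save_request(payload)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(data)


class ConfinedFileService:
    """Hardened: every path is resolved and must stay under one root."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _resolve(self, user_path):
        # join-then-realpath collapses '..' and follows symlinks. An absolute
        # user_path makes os.path.join discard root, so the prefix check
        # below is what actually enforces confinement.
        candidate = os.path.realpath(os.path.join(self.root, user_path))
        if os.path.commonpath([self.root, candidate]) != self.root:
            raise PermissionError(f"{user_path!r} escapes {self.root}")
        return candidate

    def get_file_contents(self, filename):
        with open(self._resolve(filename), encoding="utf-8") as fh:
            return fh.read()

    def save_file_contents(self, payload):
        path, data = parse_save_request(payload)
        target = self._resolve(path)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(data)
        return target


def demo():
    """Constructed layout: <tmp>/www is the service root, <tmp>/outside stands
    for the rest of the file system. Returns what each variant did."""
    parent = tempfile.mkdtemp()
    results = {}
    try:
        root = os.path.join(parent, "www")
        outside = os.path.join(parent, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("outside secret")

        # Unconfined: an absolute path anywhere on disk is simply read.
        results["unsafe_read_outside"] = UnconfinedFileService().get_file_contents(secret)

        safe = ConfinedFileService(root)
        try:
            safe.get_file_contents(secret)
            results["safe_read_outside"] = "allowed"
        except PermissionError:
            results["safe_read_outside"] = "PermissionError"
        try:
            safe.save_file_contents("../outside/secret.txt\rowned")
            results["safe_write_traversal"] = "allowed"
        except PermissionError:
            results["safe_write_traversal"] = "PermissionError"
        safe.save_file_contents("notes/hello.txt\rhello")
        results["safe_write_inside"] = safe.get_file_contents("notes/hello.txt")
    finally:
        shutil.rmtree(parent)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Path confinement is only half the fix the description calls for: even a confined handler that runs as root turns any remaining bypass into a root-level read or write, so the service should also run as an unprivileged account that owns nothing outside its data directory.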


Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.
