Users of Dell EMC data protection are being urged to quickly patch three security flaws that could hijack Avamar-based products.
The vulnerabilities revolve around Avamar Installation Manager, a common component in Dell EMC Avamar Server, NetWorker Virtual Edition and Dell EMC’s Integrated Data Protection Appliance (IDPA).
The Dell EMC data protection vulnerabilities were discovered by Digital Defense Inc. (DDI), a San Antonio, Texas, firm that performs vulnerability assessments and penetration tests on behalf of customers in financial services and other regulated industries.
DDI said that, used in combination, the zero-day exploits could allow unauthorized users to modify the configuration file to gain root access via Dell EMC backup copies. Security fixes are available for download from Dell EMC to credentialed enterprise customers.
Dell EMC Avamar data protection also powers VMware vSphere Data Protection. VMware has issued a security advisory.
The vulnerability considered most serious is an authentication bypass vector. This mechanism potentially allows a hacker to obtain authentication via a basic POST request to the Avamar server. No prior knowledge of the targeted Dell EMC Avamar backup server, such as user credentials and passwords, is required to generate a session ID.
Other identified vulnerabilities include bugs that allow authenticated users to download or upload arbitrary files with root access. Used in combination, the three Avamar-related security holes could fully compromise Dell EMC data protection systems.
DDI alerted Dell EMC to the findings late last year. The two vendors do not have a contractual relationship. Mike Cotton, senior vice president of engineering at DDI, said the firm downloaded a virtual instance of Avamar Virtual Edition 7.4 as part of routine bench testing.
“We started looking under the covers for any vectors we could use against the remote appliance,” Cotton said.
Dell EMC notified customers of the software fixes on Friday. Spokesman Kevin Kempskie said no Dell EMC data protection systems are known to have been affected.
The Avamar product was acquired by EMC in 2006 primarily for its data deduplication technology. Dell EMC NetWorker Virtual Edition is a software platform that backs up data on multiple operating systems to a variety of targets. Dell EMC IDPA marked the vendor’s first integrated disk-based hardware appliance, a departure from selling its backup software on DataDomain appliances.