cnvd - cnvd-2018-09576

cnvd-2018-09576

Vulnerability from cnvd

Title: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager不正确访问控制漏洞

Description:

Dell EMC Avamar Server和EMC Integrated Data Protection Appliance都是美国戴尔（Dell）公司的产品。Dell EMC Avamar Server是一套用于服务器的完全虚拟化的备份和恢复软件。EMC Integrated Data Protection Appliance是一套基于磁盘的备份和恢复解决方案。Avamar Installation Manager是其中的一个Avamar安装管理器。

Dell EMC Avamar Server和EMC Integrated Data Protection Appliance中的Avamar Installation Manager存在安全漏洞。远程攻击者可利用该漏洞读取或更改Local Download Service (LDLS)凭证，或使用该凭证登录Dell EMC Online Support。

Severity: 中

Patch Name: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager不正确访问控制漏洞的补丁

Patch Description:

Formal description:

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.dellemc.com

Reference: https://www.exploit-db.com/exploits/44441/

Impacted products

Name
['Dell EMC Avamar Server 7.3.1', 'Dell EMC Avamar Server 7.4.1', 'Dell EMC Avamar Server 7.5.0', 'Dell EMC Integrated Data Protection Appliance 2.0', 'Dell EMC Integrated Data Protection Appliance 2.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-1217",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1217"
    }
  },
  "description": "Dell EMC Avamar Server\u548cEMC Integrated Data Protection Appliance\u90fd\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Dell EMC Avamar Server\u662f\u4e00\u5957\u7528\u4e8e\u670d\u52a1\u5668\u7684\u5b8c\u5168\u865a\u62df\u5316\u7684\u5907\u4efd\u548c\u6062\u590d\u8f6f\u4ef6\u3002EMC Integrated Data Protection Appliance\u662f\u4e00\u5957\u57fa\u4e8e\u78c1\u76d8\u7684\u5907\u4efd\u548c\u6062\u590d\u89e3\u51b3\u65b9\u6848\u3002Avamar Installation Manager\u662f\u5176\u4e2d\u7684\u4e00\u4e2aAvamar\u5b89\u88c5\u7ba1\u7406\u5668\u3002\r\n\r\nDell EMC Avamar Server\u548cEMC Integrated Data Protection Appliance\u4e2d\u7684Avamar Installation Manager\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u6216\u66f4\u6539Local Download Service (LDLS)\u51ed\u8bc1\uff0c\u6216\u4f7f\u7528\u8be5\u51ed\u8bc1\u767b\u5f55Dell EMC Online Support\u3002",
  "discovererName": "SlidingWindow",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.dellemc.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-09576",
  "openTime": "2018-05-16",
  "patchDescription": "Dell EMC Avamar Server\u548cEMC Integrated Data Protection Appliance\u90fd\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Dell EMC Avamar Server\u662f\u4e00\u5957\u7528\u4e8e\u670d\u52a1\u5668\u7684\u5b8c\u5168\u865a\u62df\u5316\u7684\u5907\u4efd\u548c\u6062\u590d\u8f6f\u4ef6\u3002EMC Integrated Data Protection Appliance\u662f\u4e00\u5957\u57fa\u4e8e\u78c1\u76d8\u7684\u5907\u4efd\u548c\u6062\u590d\u89e3\u51b3\u65b9\u6848\u3002Avamar Installation Manager\u662f\u5176\u4e2d\u7684\u4e00\u4e2aAvamar\u5b89\u88c5\u7ba1\u7406\u5668\u3002\r\n\r\nDell EMC Avamar Server\u548cEMC Integrated Data Protection Appliance\u4e2d\u7684Avamar Installation Manager\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u6216\u66f4\u6539Local Download Service (LDLS)\u51ed\u8bc1\uff0c\u6216\u4f7f\u7528\u8be5\u51ed\u8bc1\u767b\u5f55Dell EMC Online Support\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager\u4e0d\u6b63\u786e\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Dell EMC Avamar Server 7.3.1",
      "Dell EMC Avamar Server 7.4.1",
      "Dell EMC Avamar Server 7.5.0",
      "Dell EMC Integrated Data Protection Appliance 2.0",
      "Dell EMC Integrated Data Protection Appliance 2.1"
    ]
  },
  "referenceLink": "https://www.exploit-db.com/exploits/44441/",
  "serverity": "\u4e2d",
  "submitTime": "2018-04-11",
  "title": "Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager\u4e0d\u6b63\u786e\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e"
}

CVE-2018-1217 (GCVE-0-2018-1217)

Vulnerability from cvelistv5

Published

2018-04-09 20:00

Modified

2024-09-16 19:47

Severity ?

CWE

Missing Access Control Vulnerability

Summary

Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials.

References

▼	URL	Tags
	https://www.exploit-db.com/exploits/44441/	exploit, x_refsource_EXPLOIT-DB
	http://www.securitytracker.com/id/1040641	vdb-entry, x_refsource_SECTRACK
	http://seclists.org/fulldisclosure/2018/Apr/14	mailing-list, x_refsource_FULLDISC

Impacted products

	Vendor	Product	Version
	Dell EMC	Avamar, Integrated Data Protection Appliance	Version: Avamar Server versions 7.3.1, 7.4.1, 7.5.0 Version: Integrated Data Protection Appliance Versions 2.0, 2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:51:49.069Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "44441",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/44441/"
          },
          {
            "name": "1040641",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040641"
          },
          {
            "name": "20180405 DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2018/Apr/14"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Avamar, Integrated Data Protection Appliance",
          "vendor": "Dell EMC",
          "versions": [
            {
              "status": "affected",
              "version": "Avamar Server versions 7.3.1, 7.4.1, 7.5.0"
            },
            {
              "status": "affected",
              "version": "Integrated Data Protection Appliance Versions 2.0, 2.1"
            }
          ]
        }
      ],
      "datePublic": "2018-04-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Missing Access Control Vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-04-12T09:57:02",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "44441",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/44441/"
        },
        {
          "name": "1040641",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040641"
        },
        {
          "name": "20180405 DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2018/Apr/14"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "DATE_PUBLIC": "2018-04-05T00:00:00",
          "ID": "CVE-2018-1217",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Avamar, Integrated Data Protection Appliance",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Avamar Server versions 7.3.1, 7.4.1, 7.5.0"
                          },
                          {
                            "version_value": "Integrated Data Protection Appliance Versions 2.0, 2.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Dell EMC"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Missing Access Control Vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "44441",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/44441/"
            },
            {
              "name": "1040641",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040641"
            },
            {
              "name": "20180405 DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2018/Apr/14"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2018-1217",
    "datePublished": "2018-04-09T20:00:00Z",
    "dateReserved": "2017-12-06T00:00:00",
    "dateUpdated": "2024-09-16T19:47:17.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted