-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2018-001: EMC Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance Multiple Security Vulnerabilities

EMC Identifier:  ESA-2018-001

CVE Identifier: CVE-2017-15548, CVE-2017-15549, CVE-2017-15550
 
Severity Rating: See below for each CVE.
  
Affected products: 
EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0
EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x, 9.2.x
EMC Integrated Data Protection Appliance 2.0
 
Summary:
EMC Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance contain a common component, Avamar(r) Installation Manager (AVI), that is vulnerable to multiple security vulnerabilities that could be exploited by malicious users to compromise the affected systems.
 
Details:    
Authentication bypass vulnerability (CVE-2017-15548)
A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.
CVSSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
 
Arbitrary file upload vulnerability (CVE-2017-15549)
A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
 
Path traversal vulnerability (CVE-2017-15550)
A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Resolution:    
EMC recommends all customers install the patches below for their respective product versions at the earliest opportunity:

EMC Avamar Server version 7.1.2 - HOTFIX 290550
EMC Avamar Server version 7.2.1 - HOTFIX 290025      
EMC Avamar Server version 7.3.1 - HOTFIX 290316
EMC Avamar Server version 7.4.1 - HOTFIX 289959
EMC Avamar Server version 7.5.0 - HOTFIX 289958
EMC NetWorker Virtual Edition version 9.0.x, 9.1.x, 9.2.x - HOTFIX 290317
EMC Integrated Data Protection Appliance version 2.x - HOTFIX 581676
 
Workaround:
Disable Avamar Installation Manager (AVI).

Link To Remedies:    
Registered EMC Online Support customers can download the hotfix from the links below: 

EMC Avamar:
EMC Avamar Server version 7.1.2 - HOTFIX 290550
EMC Avamar Server version 7.2.1 - HOTFIX 290025
EMC Avamar Server version 7.3.1 - HOTFIX 290316
EMC Avamar Server version 7.4.1 - HOTFIX 289959
EMC Avamar Server version 7.5.0 - HOTFIX 289958
For Avamar hotfix installation instructions, refer to KB article 513978: How to install Avamar hotfix using installation manager

EMC NetWorker:
EMC NetWorker Virtual Edition 9.0.x, 9.1.x, 9.2.x - HOTFIX 290317
See the corresponding NetWorker version Cumulative hotfixes document available at https://support.emc.com/downloads/1095_NetWorker for download details.
For hotfix installation instructions, refer to KB article 514377: NetWorker Virtual Edition (NVE): How to install a hotfix

EMC Integrated Data Protection Appliance:
Customers should contact Integrated Data Protection Appliance to receive the hotfix 581676

Credit:    
EMC would like to thank Michael Cramer, Vulnerability Research Team, Digital Defense Inc for reporting these issues.

[The following is standard text included in all security advisories.  Please do not change or delete.]

Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJaTjZ4AAoJEHbcu+fsE81ZlYAH/2EoFh9d93K3oy54sgLisDuR
sNUPrUNxXSRsnFVUubZ/AF7eJcNAEUwIdcoameMK61iwMx1B8C4hEKFBdHf/mYEn
cy9dBqlr/7dbsEyH3PP4EoK9CT3nPkq4QnlQW6NyRGyX8SEpX9x7WtL7YQDmKtVw
xh1tj4ayqfzd7RimE2yDRZl7qqFd3FeC3G5q2HrD2Inoc5w44m01KQs33/0wUiQM
EwHk0+zEVGpR6ed8a9bvQ+ciw1lX2fW0Q2Pw6MUoMowDa5JUaGSuxe2BpwsI9RT+
euuvgHPCGti6n7nQTuqntYSLhsED8egjPC8xji/tbd+SW6F2UB3Esaiavxbagpo=
=XXmy
-----END PGP SIGNATURE-----