Lucene search

DellCVE-2018-1217

HistoryApr 09, 2018 - 8:29 p.m.

CVE-2018-1217

2018-04-0920:29:00

CWE-862

dell

web.nvd.nist.gov

avamar

dell emc

installation manager

cve-2018-1217

access control

vulnerability

data protection

appliance

online support

security issue

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.794

Percentile

98.3%

JSON

Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials.

Affected configurations

Nvd

Vulners

Node

dellemc_avamarMatch7.3.1

dellemc_avamarMatch7.4.1

dellemc_avamarMatch7.5.0

dellemc_integrated_data_protection_applianceMatch2.0

dellemc_integrated_data_protection_applianceMatch2.1

VendorProductVersionCPE
dellemc_avamar7.3.1cpe:2.3:a:dell:emc_avamar:7.3.1:*:*:*:*:*:*:*
dellemc_avamar7.4.1cpe:2.3:a:dell:emc_avamar:7.4.1:*:*:*:*:*:*:*
dellemc_avamar7.5.0cpe:2.3:a:dell:emc_avamar:7.5.0:*:*:*:*:*:*:*
dellemc_integrated_data_protection_appliance2.0cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.0:*:*:*:*:*:*:*
dellemc_integrated_data_protection_appliance2.1cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
dell	emc_avamar	7.3.1	cpe:2.3:a:dell:emc_avamar:7.3.1:::::::*
dell	emc_avamar	7.4.1	cpe:2.3:a:dell:emc_avamar:7.4.1:::::::*
dell	emc_avamar	7.5.0	cpe:2.3:a:dell:emc_avamar:7.5.0:::::::*
dell	emc_integrated_data_protection_appliance	2.0	cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.0:::::::*
dell	emc_integrated_data_protection_appliance	2.1	cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.1:::::::*

CNA Affected

[
  {
    "product": "Avamar, Integrated Data Protection Appliance",
    "vendor": "Dell EMC",
    "versions": [
      {
        "status": "affected",
        "version": "Avamar Server versions 7.3.1, 7.4.1, 7.5.0"
      },
      {
        "status": "affected",
        "version": "Integrated Data Protection Appliance Versions 2.0, 2.1"
      }
    ]
  }
]

References

seclists.org/fulldisclosure/2018/Apr/14

www.securitytracker.com/id/1040641

www.exploit-db.com/exploits/44441/

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.794

Percentile

98.3%

JSON

Related for CVE-2018-1217