CVE-2018-1217
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials.
Dell EMC Avamar fails to restrict access to the Configuration section, which lets Administrators set up Installation Manager configurations or check for new packages from the Online Support site. An unauthenticated, remote attacker could add an Online Support account for Dell EMC without any user interaction.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2017-12-06 CVE Reserved
- 2018-04-06 CVE Published
- 2023-08-31 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (3)
URL | Tag | Source
---|---|---
http://seclists.org/fulldisclosure/2018/Apr/14 | Mailing List | 
http://www.securitytracker.com/id/1040641 | Third Party Advisory | 

URL | Date | SRC
---|---|---
https://www.exploit-db.com/exploits/44441 | 2024-09-16 | 
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Dell | Emc Avamar | 7.3.1 | - | Affected
Dell | Emc Avamar | 7.4.1 | - | Affected
Dell | Emc Avamar | 7.5.0 | - | Affected
Dell | Emc Integrated Data Protection Appliance | 2.0 | - | Affected
Dell | Emc Integrated Data Protection Appliance | 2.1 | - | Affected