Three critical flaws in storage products from Dell EMC and VMware have been discovered by security researchers during a routine software check, forcing the pair to release patches to rectify the problem.

The affected products are Dell EMC’s Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance, as they all contain the vulnerable Avamar Installation Manager (AVI).

The discovery emerged on the same week as a major security flaw affecting almost all of the Intel’s processors produced in the past decade; however, this is purely coincidental and the two incidents are not linked.

Dell EMC logo
– DCD

Unlimited Access

The first vulnerability, identified as the CVE-2017-15548 by the National Vulnerability Database, allows a potential attacker to log into the storage device as administrator without going through any authentication processes, since it permits the use of any authentication server, including one that is compromised.

The second, CVE-2017-15549, lets an attacker download any file contained on the storage device with root privileges.

And finally, CVE-2017-15550 allows for files to be uploaded to random locations in the UserInputService with root privileges.

Digital Defense research and development VP Mike Cotton advised data center IT professionals to patch relevant products, recommending that they take mitigation steps such as isolating devices if they are too old to support the patches. 

Fixes for the identified products can be obtained via the security advisory ESA-2018-001, requiring only Dell EMC Online Support Credentials.