Backups of virtual machines on some hosts could be accessed or altered by an attacker. While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell’s EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server’s file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.
The first of the vulnerabilities, designated in MITRE’s Common Vulnerabilities and Exposures (CVE) list as CVE-2017-15548, allows an attacker to gain root access to the servers. This would potentially give someone direct access to backups on the server, allowing them to retrieve images of virtual machines, backed-up databases, and other data stored within the affected systems.
The second vulnerability, CVE-2017-15549, makes it possible for an attacker to potentially upload malicious files into “any location on the server file system” without authentication. And the third, CVE-2017-15550, is a privilege escalation bug that could allow someone with low-level authenticated access to access files within the server. The attacker could do this by using a Web request crafted to take advantage of “path traversal”—moving up and down within the directory structure of the file system used by the application.
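As an added illustration (not from the article or the affected products), here is a defender-side check for the path-traversal pattern described above: it decodes request paths from constructed access-log lines, flags those whose segments climb out of the intended directory, and shows the server-side resolve check that refuses such a name. The log format, the `/files` endpoint and the addresses are assumptions, not anything from Avamar, NetWorker or vSphere Data Protection.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed Apache/Tomcat-style common log format (constructed sample, not real product logs).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines; the /files endpoint is hypothetical, not a vendor path.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2018:09:12:01 +0000] "GET /files/reports/daily.log HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jan/2018:09:12:07 +0000] "GET /files/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1820',
    '10.0.0.9 - - [10/Jan/2018:09:12:09 +0000] "GET /files/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0',
    '10.0.0.7 - - [10/Jan/2018:09:13:00 +0000] "POST /upload?name=backup.tar HTTP/1.1" 201 0',
]

def decode_path(path):
    """Drop the query string, percent-decode twice (catches double encoding)
    and fold backslashes, so the result is what the filesystem would see."""
    raw = path.split("?", 1)[0]
    return unquote(unquote(raw)).replace("\\", "/")

def is_traversal_attempt(path):
    """True if any segment of the decoded path is '..' (an upward step)."""
    return any(seg == ".." for seg in decode_path(path).split("/"))

def normalize_request_path(path):
    """Collapse dot segments to show where the request actually points."""
    return posixpath.normpath("/" + decode_path(path).lstrip("/"))

def flag_traversal(log_lines):
    """Return (ip, raw path, resolved path) for each request that climbs directories."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["path"]):
            hits.append((m["ip"], m["path"], normalize_request_path(m["path"])))
    return hits

def resolve_under_root(root, user_path):
    """Server-side mitigation: join the user-supplied name under root and refuse
    anything whose normalized form leaves root. Returns None when it escapes."""
    base = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(base, decode_path(user_path).lstrip("/")))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate
```

The resolve check is the fix a file-serving handler needs regardless of logging: normalize first, then compare against the root, rather than filtering the raw string for `../`.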
These attacks require access to the network that the servers run on, so it may not be possible in most cases to execute attacks from the Internet—at least if the backup systems run in a network partitioned from the Internet. But these vulnerabilities could create opportunities for attackers who’ve managed to get a foothold in data centers via other exploits. And, unfortunately, as security researcher Davi Ottenheimer pointed out, there are hundreds of these systems exposed to the Internet—including more than a hundred of them in Ukraine, China, and Russia.
For those familiar with the architecture of these products, the vulnerabilities may not be a surprise—EMC Avamar and the other applications use Apache Tomcat, which was patched multiple times last year to address critical security vulnerabilities. However, it’s not clear whether those patches were incorporated into earlier updates of the EMC and VMware products, or whether any of the bugs just fixed in the EMC/VMware updates were Tomcat-related.