A critical vulnerability has been found in Dell EMC storage appliances, and a patch was released today, security researchers announced. In addition, a related problem in the VMware vSphere Data Protection backup product, which uses Dell EMC, has already been patched.
Company IT teams should check their data center environments for these products and install the patches, said Mike Cotton, VP of research and development at Digital Defense.
If the product is an older, unsupported version and updating is not an option, he recommends that users take other mitigation steps, such as isolating the backup devices on secured networks.
According to Dell EMC, however, that should not be necessary.
"The affected versions are all listed in the advisory—all other versions are unaffected," said a company spokesperson.
There might be other reasons a company isn’t able to install a patch, such as compliance or compatibility issues. Admins might also put it off until they have the time to deal with it. But that would be a mistake.
Without the fix, attackers are able to log in to the backup devices as administrators without having to know any user names or passwords, said Cotton.
The problem is that Dell EMC allows people to specify their authentication server when they try to log in -- and that server could be one owned by the attacker.
This is a separate vulnerability from the chip vulnerability affecting Intel, AMD, and ARM microprocessors that has been in the news this week. "They're just two completely separate flaws that happened to release at the same time," Cotton said.
According to him, accessing the Dell EMC appliance allows attackers to get at the information stored in critical databases and servers without having to break into those servers directly.
"It's a pretty important security vulnerability," he said. "Because it's a backup appliance, it gives you the keys to the kingdom. A lot of the primary database servers and other important servers have a lot of security software and controls surrounding them. The attacker can sidestep around the security controls and get the data on the critical systems via the backup devices."
In particular, the vulnerability is in the Avamar Installation Manager, which is present in the Dell EMC Avamar Server, NetWorker Virtual Edition, and Integrated Data Protection Appliance.
The security fixes can be obtained through security advisory ESA-2018-001.
Digital Defense routinely looks for vulnerability when performing vulnerability scans for customers, Cotton said.
"Any time we encounter a major component that people use a lot, we look under the covers," he said. "On the Dell EMC backup appliance, we tested multiple versions. The 7.4 versions and the 7.5 version are both vulnerable."
According to Digital Defense, it immediately reports any zero day vulnerabilities found to the vendors, and Dell EMC was "prompt and diligent" in addressing the problem.
"This is a good example of coordinated disclosure in action," Dell EMC said in a statement. "Dell EMC is aware of the identified vulnerabilities; we’ve prepared security fixes to address them and alerted our customers."
According to Gartner, Dell EMC currently has 20.8 percent of the server market, second only to HPE's 21.3 percent.
And Dell has been gaining on HPE recently, with Garner showing 38 percent growth for the vendor compared to last year.