Quest DR Series Disk Backup Software 4.0.3 Code Execution Vulnerability

Quest DR Series Disk Backup Multiple Vulnerabilities

1. *Advisory Information*

Title: Quest DR Series Disk Backup Multiple Vulnerabilities
Advisory ID: CORE-2018-0002
Advisory URL:
http://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities
Date published: 2018-05-31
Date of last update: 2018-05-22
Vendors contacted: Quest Software Inc.
Release mode: Forced release

2. *Vulnerability Information*

Class: Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Execution with Unnecessary Privileges [CWE-250], Execution with
Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges
[CWE-250], Execution with Unnecessary Privileges [CWE-250], Execution with
Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges
[CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-11143, CVE-2018-11144, CVE-2018-11145, CVE-2018-11146,
CVE-2018-11147, CVE-2018-11148, CVE-2018-11149, CVE-2018-11150,
CVE-2018-11151,
CVE-2018-11152, CVE-2018-11153, CVE-2018-11154, CVE-2018-11155,
CVE-2018-11156,
CVE-2018-11157, CVE-2018-11158, CVE-2018-11159, CVE-2018-11160,
CVE-2018-11161,
CVE-2018-11162, CVE-2018-11163, CVE-2018-11164, CVE-2018-11165,
CVE-2018-11166,
CVE-2018-11167, CVE-2018-11168, CVE-2018-11169, CVE-2018-11170,
CVE-2018-11171,
CVE-2018-11172, CVE-2018-11173, CVE-2018-11174, CVE-2018-11175,
CVE-2018-11176,
CVE-2018-11177, CVE-2018-11178, CVE-2018-11179, CVE-2018-11180,
CVE-2018-11181,
CVE-2018-11182, CVE-2018-11183, CVE-2018-11184, CVE-2018-11185,
CVE-2018-11186,
CVE-2018-11187, CVE-2018-11188, CVE-2018-11189, CVE-2018-11190,
CVE-2018-11191,
CVE-2018-11192, CVE-2018-11193, CVE-2018-11194

3. *Vulnerability Description*

Quest's website states that:
     
"The Quest DR Series of disk backup appliances [1] are engineered to handle
hundreds of incoming backup streams with an all-inclusive software solution
that simplifies management of backups, giving you more time to focus on
other tasks.

The appliances work in conjunction with backup software applications to
ensure data written to disks is protected for reliable recovery. New
features such as storage groups, secure erase and user management give you
the flexibility to tailor utilization policies to fit your organization's
specific requirements.

With Quest DR Series appliances, you can:
     
- Back up more of your servers and applications - with support for more
than 15 backup applications and enhanced security features such as
encryption at rest and secure erase.

- Store less backup data - using variable block, in-line deduplication
and compression to lower backup storage requirements by an average of
20:1 at an average cost of $.05 - $.17/GB.

- Perform better during data ingest and management - with built-in
accelerators, logical storage groups and support for Fibre Channel
connectivity and virtual tape libraries (VTLs)."

Multiple vulnerabilities were found in the Quest DR Series Disk Backup
software that would allow remote attackers to execute arbitrary system
commands on the appliance with root permissions.

Note: This advisory has limited details on the vulnerabilities because
during an attempted coordinated disclosure process for other advisory,
Quest advised us not to distribute our original findings to the public or
else they would take legal action.
Quest's definition of "responsible disclosure" can be found at
https://support.quest.com/essentials/reporting-security-vulnerability.

CoreLabs has been publishing security advisories since 1997 and believes
in coordinated disclosure and good faith collaboration with software vendors
before disclosure to help ensure that a fix or workaround solution is
ready and available when the vulnerability details are publicized. We
believe that providing technical details about each finding is necessary
to provide users and organizations with enough information to understand
the implications of the vulnerabilities against their environment and,
most importantly, to prioritize the remediation activities aiming at
mitigating risk.

We regret Quest's posture on disclosure and the lack of a possibility of
engaging into a coordinated publication date, something we achieve (and
have achieved) with many vendors as part of our coordinated disclosure
practices.
     
4. *Vulnerable Packages*

. Quest DR Series Disk Backup Software 4.0.3
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Quest has released the build 4.0.3.1 that address the reported
vulnerabilities.
Build can be download at:

. For DR4300e, DR4300, and DR6300:
https://support.quest.com/download-install-detail/6085865
. For DR4000, DR4100, DR6000:
https://support.quest.com/download-install-detail/6085802

For more details, Quest published the following Release Note:
https://support.quest.com/technical-documents/dr-series-software/4.0.3.1/release-notes/

#  0day.today [2018-06-01]  #