Vulnerability Name: CVE-2017-15548 (CCN-137100) Assigned: 2017-10-17 Published: 2018-01-02 Updated: 2018-01-18 Summary: An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0; EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x, 9.2.x; and EMC Integrated Data Protection Appliance 2.0. A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems. CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): HighAvailibility (A): None
CVSS v2 Severity: 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): CompleteAvailibility (A): None
Vulnerability Type: CWE-287 Vulnerability Consequences: Bypass Security References: Source: MITRECVE-2017-15548 http://seclists.org/fulldisclosure/2018/Jan/17 102352 VMware vSphere Data Protection CVE-2017-15548 Authentication Bypass Vulnerability 1040070 vmware-vsphere-cve201715548-sec-bypass(137100) vSphere Data Protection (VDP) updates address multiple security issues. Vulnerable Configuration: Configuration 1 :cpe:/a:emc:avamar_server:7.1-21:sp2:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.1-145:sp1:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.1-302:*:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.1-370:*:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.2-32:sp1:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.2-309:*:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.2-401:*:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.3-125:sp1:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.3-211:*:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.3-226:*:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.3-233:*:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.4-58:sp1:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.4-242:*:*:*:*:*:*:* OR cpe:/a:emc:avamar_server:7.5-183:*:*:*:*:*:*:* OR cpe:/a:emc:integrated_data_protection_appliance:2.0:*:*:*:*:*:*:* OR cpe:/a:emc:networker:9.0:*:*:*:virtual:*:*:* OR cpe:/a:emc:networker:9.1:*:*:*:virtual:*:*:* OR cpe:/a:emc:networker:9.2:*:*:*:virtual:*:*:* Configuration CCN 1 :cpe:/a:vmware:vsphere_data_protection:5.5.5:*:*:*:*:*:*:* OR cpe:/a:vmware:vsphere_data_protection:5.8.0:*:*:*:*:*:*:* OR cpe:/a:vmware:vsphere_data_protection:6.0.0:*:*:*:*:*:*:* OR cpe:/a:vmware:vsphere_data_protection:6.1.0:*:*:*:*:*:*:* BACK
emc avamar server 7.1-21 sp2
emc avamar server 7.1-145 sp1
emc avamar server 7.1-302
emc avamar server 7.1-370
emc avamar server 7.2-32 sp1
emc avamar server 7.2-309
emc avamar server 7.2-401
emc avamar server 7.3-125 sp1
emc avamar server 7.3-211
emc avamar server 7.3-226
emc avamar server 7.3-233
emc avamar server 7.4-58 sp1
emc avamar server 7.4-242
emc avamar server 7.5-183
emc integrated data protection appliance 2.0
emc networker 9.0
emc networker 9.1
emc networker 9.2
vmware vsphere data protection 5.5.5
vmware vsphere data protection 5.8.0
vmware vsphere data protection 6.0.0
vmware vsphere data protection 6.1.0
Denotes that component is vulnerable