Digital Defense, a security technology provider, identified the Dell EMC bugs on January 4. The company immediately notified customers and issued patches. “No customers have been impacted, to our knowledge, and we consider the matter resolved,” said a Dell EMC spokesperson in an email. Dell EMC released a patch, and instructions for the security fix, on January 4.
The vulnerabilities could have allowed hackers to bypass user authentication and to attack enterprise servers. The security flaws targeted Dell EMC Avamar servers, NetWorker Virtual Edition, and Integrated Data Protection appliances. The problem in all three systems was the Avamar Installation Manager, according to Digital Defense.
In a blog post, Digital Defense praised Dell EMC’s response to the security flaws: “VRT [Vulnerability Research Team] would like to commend Dell EMC for their prompt handling and diligent attention to the issues and their work with Digital Defense engineering staff to understand, resolve, and verify the fixes for these security issues.”
VMware also issued a patch to fix a related bug in its vSphere Data Protection (VDP) products on January 2.
“VDP contains an authentication bypass vulnerability,” the company said in a security advisory. “A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.”
Digital Defense says it immediately notifies affected vendors when it finds these so-called “zero-day” vulnerabilities, meaning that there are zero days between the time the flaw is discovered and the first attack. The security company also assists the vendors with remediation actions.
“With software vulnerabilities a fact of life in the technology industry, Dell EMC follows best practices in managing and responding to security vulnerabilities in our products,” the Dell EMC spokesperson said, directing customers to the company’s Vulnerability Response Policy. “Our goal is to provide customers with timely information, guidance, and mitigation to address threats from vulnerabilities. This is a good example of coordinated disclosure in action.”
The Dell EMC and VMware vulnerabilities are not related to the Meltdown and Spectre security flaws also discovered last week.