CVE-2017-12479: Unitrends LOGDIR privilege escalation RCE

CVE ID

CVE-2017-12479

DESCRIPTION

It was discovered that an issue in the Unitrends session logic allowed using the LOGDIR environment variable during a web session to elevate an existing low privilege user to root privileges.  A remote attacker with existing low-privilege credentials could then execute arbitrary commands with root privileges.
Privileges Required: Low

 

RESOLUTION

Resolution: Upgrade to Unitrends release 10.0.0-2 or later, or apply Unitrends security update to a prior release

Unitrends reference UNIBP-13942

LINK TO ADVISORIES

NOTES

Discoverer(s)/Credits:  Benny Husted, Cale Smith, Jared Arave

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us