How to apply Unitrends security updates

DESCRIPTION

See Unitrends Response to certain security vulnerabilities (CVEs) - Reference Article​ for reference information on various security vulnerabilities which have been addressed, and some common false positives which may occur during some common security scans.  

 

RESOLUTION


Note that the first line of security is to change your root password from the default to a secure password, otherwise no amount of security updates will prevent attackers from accessing your unit.  
Note also that putting your backup server on a public-facing IP address or unfiltered NAT instead of behind a firewall is not supported by Unitrends in any way.  


Before installing these updates, the Unitrends Appliance must be on release 10.0.0 or higher.  

The installation will notify you and abort if this is not the case.  

To apply Unitrends security updates, do one of the following processes:
First, use an SSH client such as PuTTY to access the Unitrends system at the command line level.  Note:  Ensure you have the OS password to access the Unitrends system’s command line.  The OS password may differ from the password used to access the User Interface.

  1. If you have network access to ftp.unitrends.com:  Perform the following steps at the command line to apply the security tarball.
    wget ftp://ftp.unitrends.com/utilities/security_get.sh
    sh security_get.sh apply
  2. If you DO NOT have access to ftp.unitrends.com:  perform these steps to apply the security tarball
    (from a system with access to ftp.unitrends.com, download the files and confirm the checksum)
      wget ftp://ftp.unitrends.com/utilities/security_updates.tar.gz
      wget ftp://ftp.unitrends.com/utilities/security_updates.tar.md5
      md5sum security_updates.tar.gz
      cat security_updates.tar.md5
    
    (transfer security_updates.tar.gz to the Unitrends system placing them in /var/cache and apply it)
      cd /var/cache
      tar -xzvf security_updates.tar.gz
      cd updates
      ./security_updates.sh
  3. If you have release 10.0.0, it then supports performing security updates from the UI Support Toolbox.  From the UI, do this to download and update it.  
Configure -> Edit Appliance -> Advanced -> Support Toolbox -> Security Update

This process will abort installing security updates if any of the following are true:
  • There are any active jobs in tasker
  • There are active FLR jobs
  • There are active VIR jobs (HV or VMWare)
  • A Cloud Self Serve session is active importing data from a hot copy target
Verify that the security patch was successfully installed
 
To automatically download and apply new security updates when available:
 
bputil -p "Configuration Options" SecurityAutoUpdate 1 /usr/bp/bpinit/master.ini

To verify that future security updates will be automatically installed run the command:
grep SecurityAutoUpdate /usr/bp/bpinit/master.ini

SecurityAutoUpdate will be set to "1" once the auto-update feature is enabled.
[[email protected] ~]# grep SecurityAutoUpdate /usr/bp/bpinit/master.ini
  SecurityAutoUpdate=1     ; =1 auto-update new security rpm if available

LINK TO ADVISORIES

    NOTES

    Unitrends recommends installing security updates only if you are already running the latest Unitrends Recovery OS release.  Failing to do so may result in some security updates being skipped due to version compatibility limitations.  Please always perform any available UI updated before applying the latest security_updates.  


    About the Security Updates available to Unitrends Appliances:

    Difference between unitrends-security rpm and the security_updates tarball: 

    unitrends-security rpm - automatically installed in release 9.2.0 and later to provide all customers with a baseline security configuration. 
    Releases occur infrequently and are tied to the standard release cycle. 
    security_updates tarball - applies any rpms or configuration changes for security issues that may have occurred since the last major release.
    Updates occur frequently independent of release cycles.
    Use the Unitrends security_updates tarball if any of the following conditions apply:  
    resolving a vulnerability more recent than the baseline security rpm
    no network access to unitrends.com
    32-bit system
     
    • If you have release 10.0, or have already applied the security update tarball after June 1, 2017, it then supports performing security updates from the UI Support Toolbox.  From the UI, go to Configure/Edit Appliance/Advanced/Support Toolbox/Security and click to download and update it.  
    • If you have applied security_updates from 01/04/2018 (ver 10.17) or later, it will send an alert to the UI when a new security_update is available. 
    • Details about the security updates applied are logged in /var/log/unitrends-security.log.​
    Was this article helpful?
    0 out of 0 found this helpful
    Have more questions? Contact us