Unitrends has reviewed the penetration test results that were forwarded to our attention on May 29, 2014. We have correlated the results with Common Vulnerabilities and Exposures item CVE-2012-4929.
Unitrends Recovery-Series appliances are not impacted by this CVE.
- NIST rates this as Severity LOW.
- The vulnerability requires network access to the appliance and an HTTPS/SPDY connection to capture data.
- Backup data is not exposed. Transferring backup data does not use HTTPS.
- The HTTPS web login credentials are not exposed because SSL compression is not used (not SPDY).
- Support tunnel connections use SSH rather than HTTPS/SPDY, so they are not exposed.
- Replication does use SSL with compression, but spoofing it would require root access to the system.
- CentOS5 openssl-0.9.8e-26.el5_9.1 or later
- CentOS6 openssl-1.0.0-27.el6_4.2 or later