Unitrends Response to certain security vulnerabilities (CVEs) - Reference Article

SUMMARY

This article serves as a reference for Unitrends responses to Common Vulnerabilities and Exposures (CVE).

ISSUE

A security vulnerability CVE report has been issued. Is the Unitrends system vulnerable to it?

The CVE and NIST organizations publish security vulnerability reports as they are discovered, together with a description of the use cases in which each vulnerability occurs. The Unitrends engineering organization must evaluate each of these reports to determine whether the Unitrends appliance is exposed to the vulnerability and what corrective action, if any, is required.

For information about installing the latest security updates to your Unitrends appliance, see How to apply Unitrends security updates.

RESOLUTION

Unitrends has provided responses to the following CVEs:
CVE-2019-3880 samba: save registry file outside share as unprivileged user
CVE-2018-15473 openssh: User enumeration via malformed packets in authentication requests
CVE-2018-10872 kernel: error in exception handling leads to DoS
CVE-2018-10858 samba: insufficient input validation in libsmbclient
CVE-2018-10675 kernel: Use-after-free vulnerability in mm/mempolicy.c:do_get_mempolicy
CVE-2018-6329 Unitrends: SQLi authentication bypass RCE
CVE-2018-6328 Unitrends: RCE with backquotes in /api/hosts/ parameters
CVE-2018-5733 dhcp: Reference count overflow in dhcpd allows denial of service
CVE-2018-5732 dhcp: Buffer overflow in dhclient possibly allowing code execution triggered by malicious server
CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack)
CVE-2018-3665 kernel: FPU state information leakage via lazy FPU restore
CVE-2018-3646 kernel: L1 Terminal Fault: VMM
CVE-2018-3639 hw: cpu: speculative store bypass
CVE-2018-3620 kernel: L1 Terminal Fault: OS/SMM
CVE-2018-3615 kernel: L1 Terminal Fault: SGX
CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script
CVE-2017-1000405 kernel: Huge Dirty Cow vulnerability
CVE-2017-1000379 kernel: PIE binary stack mapping
CVE-2017-1000370 kernel: PIE binary stack overrun
CVE-2017-1000368 sudo: Privilege escalation via improper get_process_ttyname parsing
CVE-2017-1000366 glibc: manipulate heap/stack via LD_LIBRARY_PATH
CVE-2017-1000365 kernel: stack limit bypass
CVE-2017-1000364 kernel: stack guard page flaw
CVE-2017-15275 samba: Server heap-memory disclosure
CVE-2017-15906 openssh: Improper write operations in readonly mode allow for zero-length file creation
CVE-2017-12479 Unitrends: LOGDIR privilege escalation RCE
CVE-2017-12478 Unitrends: api/storage authentication bypass RCE
CVE-2017-12477 Unitrends: bpserverd authentication bypass RCE
CVE-2017-12163 samba: server memory information leak over SMB1
CVE-2017-9461 samba: fd_open_atomic infinite loop due to wrong handling of dangling symlinks
CVE-2017-8779 rpcbind: memory leak when failing to parse XDR strings/arrays
CVE-2017-8291 ghostscript: corruption of operand stack
CVE-2017-7980 qemu: OOB r/w access issues in bitblt routines
CVE-2017-7895 kernel: NFSv3 server payload bounds checking of WRITE requests
CVE-2017-7805 nss: Potential use-after-free in TLS 1.2 server
CVE-2017-7679 httpd: mod_mime buffer overread
CVE-2017-7541 kernel: Possible heap buffer overflow in brcmf_cfg80211_mgmt_tx
CVE-2017-7494 samba: RCE from a writeable share
CVE-2017-7284 Unitrends: forced password change in users.php
CVE-2017-7283 Unitrends: RCE in restore.php filenames
CVE-2017-7282 Unitrends: LFI in restore.php filename
CVE-2017-7281 Unitrends: unrestricted report file upload
CVE-2017-7280 Unitrends: RCE in systems.php password
CVE-2017-7279 Unitrends: user privilege escalation
CVE-2017-6464 ntp: Denial of Service via malformed config
CVE-2017-5753 kernel: speculative execution bounds-check bypass (meltdown/spectre)
CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
CVE-2017-0143 Windows SMB RCE Vulnerability (WannaCry)
CVE-2016-10012 openssh: Bounds check evaded in shared memory manager with pre-authentication compression support
CVE-2016-10011 openssh: Leak of host private key material to privilege-separated child process via realloc
CVE-2016-10010 openssh: privilege escalation via Unix domain socket forwarding
CVE-2016-10009 openssh: loading of untrusted PKCS#11 modules in ssh-agent
CVE-2016-9540 libtiff: cpStripToTile heap-buffer-overflow
CVE-2016-8858 openssh: Memory exhaustion due to unregistered KEXINIT handler
CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects
CVE-2016-7406 Format string vulnerability in Dropbear SSH
CVE-2016-6515 openssh: Denial of service via very long passwords
CVE-2016-6329 SWEET32 attacks against 3DES ciphers (openvpn)
CVE-2016-6210 openssh: User enumeration via covert timing channel
CVE-2016-5696 kernel: challenge ACK counter disclosure
CVE-2016-5387 Apache HTTPD: Proxy header sets environment
CVE-2016-5195 kernel: mm: privilege escalation via 'dirty' COW
CVE-2016-3115 openssh: bypass SSH restrictions
CVE-2016-2183 SWEET32 TLS/SSL birthday attacks on 3DES ciphers
CVE-2016-2125 samba: Unconditional privilege delegation to Kerberos servers in trusted realms
CVE-2016-2118 Samba Badlock vulnerability
CVE-2016-2107 OpenSSL padding oracle vulnerability
CVE-2016-1908 openssh: possible fallback from untrusted to trusted X11 forwarding
CVE-2015-8370 grub2 authentication bypass
CVE-2015-8325 openssh: privilege escalation via LD_PRELOAD
CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path
CVE-2015-7547 glibc libresolv vulnerability
CVE-2015-6564 openssh: Use-after-free bug with PAM support
CVE-2015-6563 openssh: Privilege separation weakness
CVE-2015-5600 openssh: MaxAuthTries limit bypass
CVE-2015-5352 openssh: XSECURITY restrictions bypass under certain conditions in ssh(1)
CVE-2015-0240 Samba TALLOC_FREE vulnerability
CVE-2015-0235 GHOST glibc vulnerability
CVE-2014-9295 ntpd buffer overflow vulnerability
CVE-2014-7169 Additional Bash vulnerability
CVE-2014-6271 Bash vulnerability
CVE-2014-3566 SSL POODLE vulnerability
CVE-2014-3493 samba: smbd unicode path names denial of service
CVE-2014-3139 snmpd.php authentication bypass
CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
CVE-2014-2532 openssh: AcceptEnv environment restriction bypass flaw
CVE-2014-1692 openssh: uninitialized variable use in J-PAKE implementation
CVE-2014-0244 samba: nmbd denial of service
CVE-2014-0224 CCS Injection vulnerability
CVE-2014-0160 OpenSSL Heartbleed vulnerability
CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS
CVE-2013-6438 httpd: mod_dav denial of service via crafted DAV WRITE request
CVE-2013-4434 Dropbear SSH logon vulnerability
CVE-2013-4421 Dropbear SSH decompress DoS vulnerability
CVE-2013-2566 TLS/SSL server supports RC4 cipher algorithms
CVE-2012-5568 tomcat: Slowloris denial of service
CVE-2012-4929 CRIME SSL/TLS injection vulnerability
CVE-2012-2687 Apache HTTPD: XSS in mod_negotiation
CVE-2012-0814 openssh: forced command option information disclosure
CVE-2012-0053 httpd: cookie exposure due to error responses
CVE-2012-0031 httpd: possible crash on shutdown due to flaw in scoreboard handling
CVE-2011-5000 openssh: post-authentication resource exhaustion bug via GSSAPI
CVE-2011-4327 openssh: Unauthorized local access to host keys on platforms where ssh-rand-helper used
CVE-2011-4317 httpd: uri scheme bypass of the reverse proxy vulnerability
CVE-2011-3607 httpd: ap_pregsub integer overflow to buffer overflow
CVE-2011-3389 SSL v3/TLS 1.0 BEAST security vulnerability
CVE-2011-3368 httpd: reverse web proxy vulnerability
CVE-2009-3095 Apache httpd: mod_proxy_ftp FTP command injection
CVE-2009-2412 Apache httpd: APR apr_palloc heap overflow
CVE-2009-1955 Apache httpd: APR-util XML DoS
CVE-2008-0456 Apache HTTPD: CRLF injection in mod_negotiation
CVE-2007-6750 httpd: Apache Slowloris denial of service
CVE-2007-3999 krb5 RPC library buffer overflow
CVE-2007-2243 OpenSSH S/KEY authentication enumeration
CVE-1999-0505 Microsoft Windows SMB guest account user access

Some scanning engines may report additional CVEs to which the Unitrends appliance is not vulnerable, because upstream fixes are backported into existing package versions by Red Hat/CentOS rather than shipped as new upstream releases. Check the following additional KBs to see whether a reported CVE may be a false positive:

Security: Common false positive scan results

Security: False Positives from Qualys scan engine

CAUSE

Some security scanners use the upstream project's package version number to determine a package's vulnerabilities. This does not take into account patches backported by Red Hat (and inherited by CentOS), which leave the upstream version number unchanged and only increment the release number after the dash.

Unitrends installs systems with Red Hat EL/CentOS 5.7 or EL/CentOS 6.5 as the Linux OS distribution. Red Hat will continue to provide long-term support for packages contained in the distribution as defined in the lifecycle link below. Unitrends will continue to supply regular security updates, which will include updated packages from Red Hat as they become available throughout the lifecycle of the distribution.

A variant of this is that some security software references upstream project package versions and reports that an older released version is no longer supported by the project. This should be considered a false positive. Such a statement means only that the upstream project will stop backporting new fixes into that version; the Linux distributions (including Red Hat) do their own security updates and fixes for the package versions they have distributed. The Red Hat policy on support is described in the links below.

Red Hat support lifecycle: https://access.redhat.com/support/policy/updates/errata
RH Backporting Policy: https://access.redhat.com/security/updates/backporting
Security Audit Tool OVAL Compatibility: https://access.redhat.com/articles/221883/
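As an added illustration of the version-number false positive described above (example code written for this article, not Unitrends' or Red Hat's own tooling): it contrasts what a version-only scanner concludes about a backported package with a check of the RPM changelog (`rpm -q --changelog <package>`), which is where the distribution records the CVE ids of backported fixes. The package name, the changelog text and the upstream fixed version 7.8 are constructed for the example; CVE-2018-15473 is taken from the list above.

```python
import re

# Constructed sample of `rpm -q --changelog openssh-server` output on a CentOS
# host carrying a backported fix. Maintainer, dates and release numbers are
# placeholders, not a real changelog; only the CVE id comes from this article.
SAMPLE_CHANGELOG = """\
* Thu Jan 01 2019 Package Maintainer <maintainer@example.com> - 7.4p1-16
- sshd: avoid observable differences when parsing requests for
  non-existent users (CVE-2018-15473)
* Mon Jan 01 2018 Package Maintainer <maintainer@example.com> - 7.4p1-13
- rebuild
"""

def parse_nvr(nvr):
    """Split an RPM name-version-release such as 'openssh-server-7.4p1-16.el7'
    into (name, version, release). A backport bumps only the release part."""
    match = re.match(r"^(.+)-([^-]+)-([^-]+)$", nvr)
    if not match:
        raise ValueError("not an RPM name-version-release string: %s" % nvr)
    return match.group(1), match.group(2), match.group(3)

def numeric_key(version):
    """Order versions by their numeric components only: '7.4p1' -> (7, 4, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def version_only_scanner_flags(nvr, fixed_upstream_version):
    """What a version-only scanner does: flag the package whenever its upstream
    version is older than the upstream release that fixed the bug."""
    _, version, _ = parse_nvr(nvr)
    return numeric_key(version) < numeric_key(fixed_upstream_version)

def changelog_mentions(changelog, cve_id):
    """The check that respects backports: the fix is recorded in the package
    changelog under its CVE id even though the version number never changed."""
    return re.search(r"\b%s\b" % re.escape(cve_id), changelog) is not None

def assess(nvr, fixed_upstream_version, changelog, cve_id):
    """Classify one scanner hit for a package/CVE pair."""
    if not version_only_scanner_flags(nvr, fixed_upstream_version):
        return "not flagged"
    if changelog_mentions(changelog, cve_id):
        return "false positive: fix backported in release %s" % parse_nvr(nvr)[2]
    return "needs update: no backport recorded"

if __name__ == "__main__":
    # 7.8 is assumed here as the upstream release carrying the fix; a real
    # scanner takes that number from its own vulnerability feed.
    print(assess("openssh-server-7.4p1-16.el7", "7.8",
                 SAMPLE_CHANGELOG, "CVE-2018-15473"))
```

On a live appliance the same decision is made by hand: if the reported CVE id appears in the package's changelog, the scanner hit is a backport false positive; if it does not, apply the Unitrends security update.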

Unitrends provides long-term support for all software delivered on our systems for customers covered under an active Unitrends support agreement. When Unitrends determines that functional or security issues require an update, Unitrends will supply an updated software package. This includes providing updated Red Hat packages, updated Unitrends software packages, or other custom software packages used by Unitrends. When Unitrends determines that an update is required for a custom software package, Unitrends will compose a fix or backport a source fix from upstream Linux versions into that software package.

NOTES

Note that the first line of defense is to change your root password from the default; otherwise no amount of security updates will keep attackers out.
Note that putting your backup server on a public-facing IP address instead of behind a firewall is not recommended.

How to apply Unitrends security updates.

If other vulnerabilities are found, contact Unitrends support for the latest Unitrends security update information.
