
Unitrends Response to certain security vulnerabilities (CVEs) - Reference Article

SUMMARY

This article serves as a reference for Unitrends responses to Common Vulnerabilities and Exposures (CVE).

ISSUE

 

A security vulnerability CVE report has been issued. Is the Unitrends system vulnerable to it?

The CVE and NIST organizations publish security vulnerability reports as they are discovered, and the use cases where the vulnerability occurs are also described. The Unitrends engineering organization must evaluate each of these to determine whether any vulnerability is exposed on the Unitrends appliance and determine corrective action, if any.

Security updates are included in the normal monthly appliance updates for releases after 10.3.0. No manual action is necessary to have the latest security packages other than updating to the current Unitrends appliance release.

RESOLUTION

Unitrends has provided responses to the following CVEs. Note that not all resolved CVEs are listed; only CVEs that were reported to Unitrends by customers or that are common false positives are included here. This is not an exhaustive listing.


Before contacting Unitrends Support regarding possible CVE risks, please do the following:

  1. Update your appliance to the latest Unitrends release.  Note updating hot copy targets before backup appliances is required.  An active support agreement is required to obtain the latest release from Unitrends.  
  2. Wait at least 30 minutes post update then check in your UI to see if there is an alert indicating a reboot is required.  Reboot only if an alert is noted.  
  3. Scan your system with the latest updates of your security vulnerability scanner. Compare the results of your scan with this article. Many CVEs reported against Unitrends systems are false positives or do not apply to our system. Eliminate all that do not apply.
  4. Note any CVEs your tool reports the appliance triggered that are not resolved through this process.  Provide the output of those specific CVEs to Unitrends support.  

A note about vulnerability scanners

Unitrends appliances run on CentOS, which follows its upstream source, Red Hat. Red Hat addresses many security issues through 'backports'; the term backporting describes when Red Hat takes a fix for a security flaw out of the most recent version of an upstream software package and applies that fix to an older version of the package distributed by Red Hat.
More information can be found here: https://access.redhat.com/solutions/57665
If your vulnerability scanner does not account for these backports, you will have many false positives in your scans.
Red Hat's vulnerability response database can be found here: https://access.redhat.com/security/security-updates/#/cve


CVE-2021-43035 Unauthenticated SQL Injection
CVE-2021-43033 Unauthenticated Remote Code Execution – bpserverd
CVE-2021-43036 Weak PostgreSQL Account wguest  
CVE-2021-43038 PostgreSQL Trigger Command Injection 
CVE-2021-43037 DLL Hijacking 
CVE-2021-43040 Privilege Escalation – Arbitrary File Create - vaultServer 
CVE-2021-43034 Privilege Escalation to Apache 
CVE-2021-43039 SMB Null Sessions Allowed with Read/Write 
CVE-2021-43042 Buffer Overflow in vaultServer 
CVE-2021-43041 Format String Vulnerability vaultServer 
CVE-2021-43043 Insecure Sudo Rule - Apache 
CVE-2021-43044 Weak SNMP Community String 
CVE-2019-3880 samba: save registry file outside share as unprivileged user
CVE-2018-15473 openssh: User enumeration via malformed packets in authentication requests
CVE-2018-10872 kernel: error in exception handling leads to DoS
CVE-2018-10858 samba: insufficient input validation in libsmbclient
CVE-2018-10675 kernel: Use-after-free vulnerability in mm/mempolicy.c:do_get_mempolicy
CVE-2018-6329 Unitrends: sqli authentication bypass RCE
CVE-2018-6328 Unitrends: RCE with backquotes in /api/hosts/ parameters 
CVE-2018-5733 dhcp: Reference count overflow in dhcpd allows denial of service 
CVE-2018-5732 dhcp: Buffer overflow in dhclient possibly allowing code execution triggered by malicious server 
CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack)
CVE-2018-3665 Kernel: FPU state information leakage via lazy FPU restore
CVE-2018-3646 kernel: L1 Terminal Fault: VMM
CVE-2018-3639 hw: cpu: speculative store bypass
CVE-2018-3620 kernel: L1 Terminal Fault: OS/SMM
CVE-2018-3615 kernel: L1 Terminal Fault: SGX
CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script 
CVE-2017-1000405 kernel: Huge Dirty Cow vulnerability
CVE-2017-1000379: kernel: PIE binary stack mapping
CVE-2017-1000370: kernel: PIE binary stack overrun
CVE-2017-1000368 sudo: Privilege escalation via improper get_process_ttyname parsing
CVE-2017-1000366: glibc: manipulate heap/stack via LD_LIBRARY_PATH
CVE-2017-1000365: kernel: stack limit bypass
CVE-2017-1000364: kernel: stack guard page flaw
CVE-2017-15275 samba: Server heap-memory disclosure
CVE-2017-15906 openssh: Improper write operations in readonly mode allow for zero-length file creation
CVE-2017-12479: Unitrends LOGDIR privilege escalation RCE
CVE-2017-12478: Unitrends api/storage authentication bypass RCE
CVE-2017-12477: Unitrends bpserverd authentication bypass RCE
CVE-2017-12163 samba: server memory information leak over SMB1
CVE-2017-9461 samba: fd_open_atomic infinite loop due to wrong handling of dangling symlinks
CVE-2017-8779 rpcbind: memory leak when failing to parse XDR strings/arrays
CVE-2017-8291 ghostscript corruption of operand stack
CVE-2017-7980 qemu: OOB r/w access issues in bitblt routines
CVE-2017-7895: kernel: NFSv3 server payload bounds checking of WRITE requests
CVE-2017-7805 nss: Potential use-after-free in TLS 1.2 server
CVE-2017-7679 httpd: mod_mime buffer overread
CVE-2017-7541 kernel: Possible heap buffer overflow in brcmf_cfg80211_mgmt_tx
CVE-2017-7494: samba RCE from a writeable share
CVE-2017-7284: Unitrends forced password change in users.php
CVE-2017-7283: Unitrends RCE in restore.php filenames
CVE-2017-7282: Unitrends LFI in restore.php filename
CVE-2017-7281: Unitrends unrestricted report file upload
CVE-2017-7280: Unitrends RCE in systems.php password
CVE-2017-7279: Unitrends user privilege escalation
CVE-2017-6464 ntp: Denial of Service via malformed config
CVE-2017-5753 kernel: speculative execution bounds-check bypass (meltdown/spectre)
CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
CVE-2017-0143 Windows SMB RCE Vulnerability (WannaCry)
CVE-2016-10012 openssh: Bounds check evaded in shared memory manager with pre-authentication compression support
CVE-2016-10011 openssh: Leak of host private key material to privilege-separated child process via realloc
CVE-2016-10010 openssh: privilege escalation via Unix domain socket forwarding
CVE-2016-10009 openssh: loading of untrusted PKCS#11 modules in ssh-agent
CVE-2016-9540 libtiff: cpStripToTile heap-buffer-overflow
CVE-2016-8858 openssh: Memory exhaustion due to unregistered KEXINIT handler
CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects
CVE-2016-7406: Format string vulnerability in Dropbear SSH
CVE-2016-6515: openssh: Denial of service via very long passwords
CVE-2016-6329: SWEET32 attacks against 3DES Ciphers (openvpn)
CVE-2016-6210 openssh: User enumeration via covert timing channel
CVE-2016-5696: kernel: challenge ACK counter disclosure
CVE-2016-5387: Apache HTTPD: Proxy header sets environment
CVE-2016-5195 kernel: mm: privilege escalation via 'dirty' COW
CVE-2016-3115: openssh: bypass SSH restrictions
CVE-2016-2183: SWEET32 TLS/SSL Birthday attacks on 3DES ciphers
CVE-2016-2125 samba: Unconditional privilege delegation to Kerberos servers in trusted realms
CVE-2016-2118: Samba Badlock vulnerability
CVE-2016-2107: OpenSSL oracle padding vulnerability
CVE-2016-1908 openssh: possible fallback from untrusted to trusted X11 forwarding
CVE-2015-8370: grub2 authentication bypass
CVE-2015-8325: openssh privilege escalation via LD_PRELOAD  
CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path
CVE-2015-7547: glibc libresolve vulnerability
CVE-2015-6564 openssh: Use-after-free bug with PAM support
CVE-2015-6563: openssh: Privilege separation weakness
CVE-2015-5600: openssh: MaxAuthTries limit bypass
CVE-2015-5352 openssh: XSECURITY restrictions bypass under certain conditions in ssh(1)
CVE-2015-0240: Samba TALLOC_FREE vulnerability
CVE-2015-0235: GHOST glibc vulnerability
CVE-2014-9295: ntpd buffer overflow vulnerability
CVE-2014-7169: Additional Bash Vulnerability
CVE-2014-6271: Bash Vulnerability
CVE-2014-3566: SSL Poodle Vulnerability
CVE-2014-3493 samba: smbd unicode path names denial of service
CVE-2014-3139: snmpd.php bypass authentication  
CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
CVE-2014-2532 openssh: AcceptEnv environment restriction bypass flaw
CVE-2014-1692 openssh: uninitialized variable use in J-PAKE implementation
CVE-2014-0244 samba: nmbd denial of service
CVE-2014-0224: CCS Injection Vulnerability
CVE-2014-0160: OpenSSL Heartbleed Vulnerability
CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS
CVE-2013-6438 httpd: mod_dav denial of service via crafted DAV WRITE request
CVE-2013-4434: Dropbear SSH Logon Vulnerability
CVE-2013-4421: Dropbear SSH Decompress DoS Vulnerability
CVE-2013-2566: TLS/SSL Server Supports RC4 Cipher Algorithms
CVE-2012-5568 tomcat: Slowloris denial of service
CVE-2012-4929: CRIME SSL/TLS Injection vulnerability
CVE-2012-2687: Apache HTTPD: XSS in mod_negotiation
CVE-2012-0814 openssh: forced command option information disclosure
CVE-2012-0053 httpd: cookie exposure due to error responses
CVE-2012-0031 httpd: possible crash on shutdown due to flaw in scoreboard handling  
CVE-2011-5000 openssh: post-authentication resource exhaustion bug via GSSAPI
CVE-2011-4327 openssh: Unauthorized local access to host keys on platforms where ssh-rand-helper used
CVE-2011-4317 httpd: uri scheme bypass of the reverse proxy vulnerability
CVE-2011-3607 httpd: ap_pregsub Integer overflow to buffer overflow
CVE-2011-3389: SSL v3/TLS 1.0 BEAST security vulnerability
CVE-2011-3368: httpd: reverse web proxy vulnerability
CVE-2009-3095: Apache httpd mod_proxy_ftp FTP command injection
CVE-2009-2412: Apache httpd: APR apr_palloc heap overflow
CVE-2009-1955: Apache httpd: APR-util XML DoS
CVE-2008-0456: Apache HTTPD: CRLF injection in mod_negotiation
CVE-2007-6750 httpd: Apache Slowloris denial of service
CVE-2007-3999: krb5 RPC library buffer overflow
CVE-2007-2243: OpenSSH S/KEY Authentication Enumeration
CVE-1999-0505: Microsoft Windows SMB Guest Account User Access

Some scanning engines may report additional CVEs that the Unitrends appliance is not vulnerable to, due to the difference between upstream package versions and the patches backported by Red Hat/CentOS. Check the following additional KBs to see if a reported CVE may be a false positive:

Security: Common false positive scan results

Security: False Positives from Qualsys scan engine

CAUSE

Some security software uses the upstream project package version number to determine a package's vulnerabilities, but this does not take into account patches backported by Red Hat to CentOS, which only increment the patch level after the dash in the package's version-release string.
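As an added example (not Unitrends' or Red Hat's code, and not part of this article), here is the triage check that the scanner note above and this paragraph describe: the installed package's changelog, not its upstream version string, decides whether a backported fix is present, and the release after the dash is compared separately from the upstream version. The changelog text, package name and upstream fixed versions are constructed placeholders, and the version comparison is a simplified rpmvercmp.

```python
import re

# Constructed sample of the text `rpm -q --changelog <package>` prints on a
# CentOS/RHEL host; the entries and CVE placements are hypothetical, not real data.
SAMPLE_CHANGELOG = """\
* Mon Jan 01 2018 Example Maintainer <maint@example.invalid> - 7.4p1-16
- backport fix for CVE-2017-15906 (hypothetical entry)
* Fri Jun 02 2017 Example Maintainer <maint@example.invalid> - 7.4p1-13
- backport fix for CVE-2016-6210 (hypothetical entry)
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def cves_in_changelog(changelog):
    """Every CVE identifier the package maintainer recorded as fixed."""
    return set(CVE_RE.findall(changelog))

def split_nvr(nvr):
    """'openssh-7.4p1-16.el7' -> ('openssh', '7.4p1', '16.el7')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def rpm_label_cmp(a, b):
    """Simplified rpmvercmp: split into digit/alpha runs, compare digit runs
    numerically and alpha runs lexically; digits outrank letters; the longer
    label wins when the common prefix is equal. Tilde/caret handling omitted."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def triage_finding(installed_nvr, changelog, cve, upstream_fixed_version):
    """Classify one scanner finding against the installed RPM.
    'backported': the changelog names the CVE, so a version-only scanner result
    is a false positive. 'fixed-upstream': installed version >= upstream fix.
    'open': neither check clears it; report it to the vendor with scanner output."""
    _, version, _ = split_nvr(installed_nvr)
    if cve in cves_in_changelog(changelog):
        return "backported"
    if rpm_label_cmp(version, upstream_fixed_version) >= 0:
        return "fixed-upstream"
    return "open"
```

Run it against the real changelog of a package the scanner flagged, and only the findings classified as open need to go to support.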

Unitrends installs systems with Red Hat EL/CentOS 5.7 or EL/CentOS 6.5 as the Linux OS distribution. Red Hat will continue to provide long-term support for packages contained in the distribution as defined in the lifecycle link below. Unitrends will continue to supply regular security updates, which will include updated packages from Red Hat as they become available throughout the lifecycle of the distribution.

A variant of this is that some security software references upstream project package versions, stating that an older released version will no longer be supported by the project. This should be considered a false positive. This statement means that the upstream project will stop automatically backporting new fixes into that version for Linux distributions. The Linux distributions (including Red Hat) do their own security updates and fixes for package versions that have been distributed. The Red Hat policy on support is described in the links below.

Red Hat support lifecycle https://access.redhat.com/support/policy/updates/errata 
RH Backporting Policy    https://access.redhat.com/security/updates/backporting
Security Audit Tool OVAL Compatibility https://access.redhat.com/articles/221883/

Unitrends provides long-term support for all software delivered on our systems for customers covered under an active Unitrends support agreement. When Unitrends determines that functional or security issues require an update, Unitrends will supply an updated software package. This includes providing updated CentOS packages, updated Unitrends software packages, or other custom software packages used by Unitrends. When Unitrends determines that an update is required for a custom software package, Unitrends will compose it directly through Unitrends-operated code repositories. Unitrends may, as necessary, also backport a source fix from upstream Linux versions to that software package. Unitrends is the vendor and supplier of packages for your system, not Red Hat or other third parties, and the Unitrends system should be documented as a vendor-managed appliance for purposes of compliance reporting and updating requirements.

NOTES

The first line of security is to change your root password from the default; otherwise no amount of security updates will prevent attackers. Appliances using default published passwords will not be offered support until the password is changed.
Unitrends appliance support is negated if a Unitrends appliance is exposed on a publicly accessible IP/port, with the exception of the OpenVPN port on hot copy targets. Unitrends backup appliances should have outgoing communication to the internet only and must never be exposed on a public IP through NAT or other means. For hot copy targets, only the VPN port may be exposed, and traffic should be restricted to allow only the source appliance location's external IP to connect where possible. If this is found to be violated, Unitrends will not provide support until this is closed/secured, and if the appliance is compromised because of this issue, the only support provided will be to assist in re-imaging the appliance. It is a violation of the terms of the Unitrends Support agreement to expose our system to external attack.

How to apply Unitrends security updates. (Note: this linked article only applies to systems running release 10.3.0 or older. To get the latest security updates, simply update your appliance using the UI or enable Helix automatic update.)
