DESCRIPTION
See Unitrends Response to certain security vulnerabilities (CVEs) - Reference Article for reference information on various security vulnerabilities which have been addressed, and some common false positives which may occur during some common security scans.
RESOLUTION
As of release 10.3.1, all Security Updates are conducted automatically as part of the monthly updates to the Unitrends Appliance. If you are on our current release you can further enable the Helix Auto-update for the Unitrends Appliance.
We strongly recommend you keep your Unitrends Appliance up to date for maximum supportability, security, and protection capabilities. Please follow the Latest Release Notes for Recovery Series and Unitrends Backup and the then-current Upgrade Guide for Recovery Series and Unitrends Backup. Unitrends officially supports the current release at any time.
For systems on release 10.3 and older where an update of the RecoveryOS is not possible, proceed with the instructions below for security updates.
Note that the first line of security is to change your root password from the default to a secure password, otherwise no amount of security updates will prevent attackers from accessing your unit.
Note also that putting your backup server on a public-facing IP address or unfiltered NAT instead of behind a firewall is not supported by Unitrends in any way.
Before installing these updates, the Unitrends Appliance must be on release 10.0.0 or higher.
The installation will notify you and abort if this is not the case.
To apply Unitrends security updates, do one of the following processes:
First, use an SSH client such as PuTTY to access the Unitrends system at the command line level. Note: Ensure you have the OS password to access the Unitrends system’s command line. The OS password may differ from the password used to access the User Interface.
- If you have network access to https://sftp.kaseya.com: Perform the following steps at the command line to apply the security tarball.
wget https://sftp.kaseya.com/utilities/security_get.sh
sh security_get.sh apply
- If you DO NOT have access to https://sftp.kaseya.com: Perform these steps to apply the security tarball.
(from a system with access to sftp.kaseya.com, download the files and confirm the checksum)
wget https://sftp.kaseya.com/utilities/security_updates.tar.gz
wget https://sftp.kaseya.com/utilities/security_updates.tar.md5
md5sum security_updates.tar.gz
cat security_updates.tar.md5
(transfer security_updates.tar.gz to the Unitrends system, placing it in /backups/yumcache, and apply it)
cd /backups/yumcache
tar -xzvf security_updates.tar.gz
cd updates
./security_updates.sh
- If you are on release 10.0.0, security updates can be performed from the UI Support Toolbox. From the UI, use the following path to download and apply the update:
Configure -> Edit Appliance -> Advanced -> Support Toolbox -> Security Update
This process will abort installing security updates if any of the following are true:
- There are any active jobs in tasker
- There are active FLR jobs
- There are active VIR jobs (HV or VMWare)
- A Cloud Self Serve session is active importing data from a hot copy target
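For the offline procedure above, the manual comparison of the md5sum output with security_updates.tar.md5 can be scripted so that a mismatch stops the transfer; this is an added example, not Unitrends code. The function names are hypothetical, and it assumes the .md5 file holds the digest as a whitespace-separated 32-hex-digit token.

```shell
#!/bin/sh
# Added example (not Unitrends code): check security_updates.tar.gz against
# security_updates.tar.md5 before copying it to /backups/yumcache.
# Assumption: the .md5 file contains the digest as a 32-hex-digit token,
# either alone or followed by a file name.

# Print the first 32-hex-digit token in a checksum file, lowercased.
expected_md5() {
    tr 'A-F' 'a-f' < "$1" | tr -s ' \t\r' '\n\n\n' | grep -E -x -m 1 '[0-9a-f]{32}'
}

# Print the MD5 digest of a file.
actual_md5() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Return 0 on match, 1 on mismatch, 2 if an input is missing or unparsable.
verify_tarball() {
    tarball=$1
    sumfile=$2
    if [ ! -r "$tarball" ] || [ ! -r "$sumfile" ]; then
        echo "cannot read $tarball or $sumfile" >&2
        return 2
    fi
    want=$(expected_md5 "$sumfile") || true
    if [ -z "$want" ]; then
        echo "no MD5 digest found in $sumfile" >&2
        return 2
    fi
    got=$(actual_md5 "$tarball")
    if [ "$got" = "$want" ]; then
        echo "OK: $tarball matches $want"
        return 0
    fi
    echo "MISMATCH: expected $want, got $got; do not apply" >&2
    return 1
}

# Usage on the download system:
#   verify_tarball security_updates.tar.gz security_updates.tar.md5 \
#       && echo "checksum confirmed, transfer the tarball"
```

A matching MD5 shows the file was not corrupted or truncated in transfer; because the checksum is fetched from the same server as the tarball, it is not proof of origin.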
Verify that the security patch was successfully installed
To automatically download and apply new security updates when available:
bputil -p "Configuration Options" SecurityAutoUpdate 1 /usr/bp/bpinit/master.ini
To verify that future security updates will be automatically installed run the command:
grep SecurityAutoUpdate /usr/bp/bpinit/master.ini
SecurityAutoUpdate will be set to "1" once the auto-update feature is enabled.
[root@UnitrendsSystem ~]# grep SecurityAutoUpdate /usr/bp/bpinit/master.ini
SecurityAutoUpdate=1 ; =1 auto-update new security rpm if available
LINK TO ADVISORIES
NOTES
Unitrends recommends installing security updates only if you are already running the latest Unitrends Recovery OS release. Failing to do so may result in some security updates being skipped due to version compatibility limitations. Please always perform any available UI updates before applying the latest security_updates.
About the Security Updates available to Unitrends Appliances:
Difference between unitrends-security rpm and the security_updates tarball:
- unitrends-security rpm: automatically installed in release 9.2.0 and later to provide all customers with a baseline security configuration. Releases occur infrequently and are tied to the standard release cycle.
- security_updates tarball: applies any rpms or configuration changes for security issues that may have occurred since the last major release. Updates occur frequently, independent of release cycles.
Use the Unitrends security_updates tarball if any of the following conditions apply:
- resolving a vulnerability more recent than the baseline security rpm
- no network access to unitrends.com
- 32-bit system
- If you are on release 10.0, or have applied the security update tarball after June 1, 2017, the appliance supports performing security updates from the UI Support Toolbox. From the UI, go to Configure/Edit Appliance/Advanced/Support Toolbox/Security and click to download and apply the update.
- If you have applied security_updates from 01/04/2018 (ver 10.17) or later, the appliance will send an alert to the UI when a new security_update is available.
- Details about the security updates applied are logged in /var/log/unitrends-security.log.