CVE ID
CVE-2018-6328
DESCRIPTION
It was discovered that the Unitrends Backup (UB) user interface in releases before 10.1.0 was exposed to an authentication bypass, which could in turn allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes.
RESOLUTION
Upgrade to Unitrends release 10.1.0 or later.
How to enable the release 10.1 upgrade
LINK TO ADVISORIES
- https://nvd.nist.gov/vuln/detail/CVE-2018-6328
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-6328
NOTES
[Discoverers] Benny Husted, Cale Smith, Jared Arave