
Dell EMC Data Protection Advisor Versions 6.2 – 6.5 found Vulnerable to XML External Entity (XEE) Injection & DoS Crash

An XML External Entity (XEE) injection vulnerability has been discovered in Dell EMC Data Protection Advisor versions 6.4 through 6.5. The flaw lies in the REST API and could allow an authenticated remote attacker to compromise affected systems by reading server files or causing a Denial of Service (DoS) crash through maliciously crafted Document Type Definitions (DTDs) sent in the XML request.
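Both outcomes described above, file disclosure and the DoS crash, need the request body to carry a DTD (a `<!DOCTYPE ...>` section declaring entities). A REST endpoint whose schema never needs a DTD can therefore refuse any document that declares one before the real parser sees it. The following is an added example of that guard, not Dell's code or anything from the Data Protection Advisor product; it uses only the Python standard library's expat bindings, and the three request bodies are constructed test inputs (the `file:///placeholder` path is deliberately not a real file).

```python
"""Reject XML request bodies that declare a DTD before they reach the real parser.

Added example (not Dell EMC's code). DTD-based external-entity injection and
entity-expansion denial of service both require a <!DOCTYPE ...> section, so an
endpoint that never expects one can refuse every document that has one.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DtdRejected(ValueError):
    """Raised when a request body declares a DOCTYPE or an entity."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Fires as soon as expat sees <!DOCTYPE ...>, before any entity is processed.
    raise DtdRejected(f"DOCTYPE {doctype_name!r} not allowed (system id: {system_id!r})")


def _reject_entity(name, is_parameter_entity, value, base, system_id, public_id, notation):
    # Defence in depth: also refuse any internal or external entity declaration.
    raise DtdRejected(f"entity declaration {name!r} not allowed")


def check_no_dtd(xml_bytes):
    """Return True if xml_bytes declares no DOCTYPE or entity; raise DtdRejected otherwise.

    A throwaway expat parser is used purely to fire the DTD handlers. It never
    sets an external-entity handler and keeps expat's default of not parsing
    parameter entities, so the check itself fetches nothing and expands nothing.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed XML is refused as well; the real parser would fail on it anyway.
        raise DtdRejected(f"malformed XML: {exc}") from exc
    return True


def is_safe(xml_bytes):
    """Boolean form of check_no_dtd for callers that prefer a verdict to an exception."""
    try:
        return check_no_dtd(xml_bytes)
    except DtdRejected:
        return False


def parse_request(xml_bytes):
    """Parse an XML request body only after the DTD guard has passed it."""
    check_no_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed sample request bodies (not real Data Protection Advisor traffic).
BENIGN = b'<?xml version="1.0"?><report><name>nightly</name></report>'

# External entity pointing at a placeholder path: the shape of a file-read attempt.
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE report [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b'<report><name>&ext;</name></report>'
)

# Nested internal entities: the shape of an entity-expansion (DoS) attempt.
EXPANSION = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
    b'<r>&b;</r>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("external entity", EXTERNAL_ENTITY), ("expansion", EXPANSION)):
        print(f"{label:16s} accepted={is_safe(body)}")
```

The guard rejects at the `<!DOCTYPE` token, so the cost of inspecting a hostile body is bounded by its size rather than by how many times its entities would expand. The same policy exists as a parser feature in most stacks; in Java's JAXP parsers, for instance, it is the `http://apache.org/xml/features/disallow-doctype-decl` feature, which is the usual fix for XXE in Java REST services.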

Dell EMC Data Protection Advisor is designed to provide a single platform for data backup, recovery, and management, with unified analytics and insights for the IT environments of large corporations. It automates once-manual processes, improving efficiency and lowering cost. The application supports a wide range of technologies and software in its backup database and serves as a tool for demonstrating that data-protection audits are complied with.

This vulnerability has been assigned the identifier CVE-2018-11048, rated High severity, and given a CVSS 3.0 base score of 8.1. It affects Dell EMC Data Protection Advisor versions 6.2, 6.3, 6.4 (prior to patch B180), and 6.5 (prior to patch B58). The vulnerability also affects Integrated Data Protection Appliance versions 2.0 and 2.1.

Dell is aware of this vulnerability and has released updates for its product to mitigate the consequences of exploitation. Patch B180 or later contains the necessary updates for version 6.4 of Dell EMC Data Protection Advisor, and patch B58 or later contains the corresponding updates for version 6.5.

Registered Dell EMC Online Support customers can download the required patch from the EMC Support web page. Because the XEE injection and the potential DoS crash make this vulnerability a high exploitation risk, users (especially administrators of large enterprises that run the platform) are urged to apply the patch immediately to avoid system compromise.
