Unitrends Backup api/storage input validation vulnerability

Added: 11/29/2017

Background

Unitrends Backup is an enterprise backup, ransomware detection, and cloud continuity solution.

Problem

Unitrends Backup does not properly validate the hostname parameter in a JSON request to the api/storage resource, allowing a remote attacker to bypass authentication and execute arbitrary commands with root privileges.
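The class of check whose absence is described above can be sketched as follows. This is an added example, not Unitrends code: it assumes the request body is a JSON object with a string field named "hostname", and the function names and sample bodies are hypothetical. It accepts only RFC 1123 host names (dotted IPv4 addresses fit the same grammar) and rejects everything else, including IPv6 literals and trailing dots, before the value can reach any backend code.

```python
import json
import re

# One RFC 1123 label: 1-63 ASCII letters, digits or hyphens, no hyphen at either end.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
MAX_HOSTNAME_LEN = 253


def is_valid_hostname(value):
    """Allowlist check: True only for a dotted RFC 1123 host name."""
    if not isinstance(value, str) or not 0 < len(value) <= MAX_HOSTNAME_LEN:
        return False
    # fullmatch (not match with "$") so a trailing newline cannot slip through.
    return all(LABEL.fullmatch(label) for label in value.split("."))


def parse_storage_request(body):
    """Return the validated hostname from a JSON body, or raise ValueError."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise ValueError("body must be a JSON object")
    hostname = doc.get("hostname")  # field name as given in the advisory text
    if not is_valid_hostname(hostname):
        raise ValueError("hostname rejected: not an RFC 1123 host name")
    return hostname


# Constructed sample bodies for illustration, not captured traffic.
SAMPLES = [
    '{"hostname": "nas01.example.com"}',
    '{"hostname": "192.0.2.10"}',
    '{"hostname": "nas01 example"}',
    '{"hostname": ["nas01"]}',
]


def classify(samples=SAMPLES):
    """Map each sample body to 'accept' or its rejection reason."""
    results = {}
    for body in samples:
        try:
            parse_storage_request(body)
            results[body] = "accept"
        except ValueError as exc:
            results[body] = str(exc)
    return results
```

Syntax validation of this field is separate from the authentication check that the advisory says was bypassed; the vendor fix remains the upgrade listed under Resolution.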

Resolution

Upgrade to Unitrends release 10.0.0-2 or later.

References

https://support.unitrends.com/UnitrendsBackup/s/article/000005756

Platforms

Linux
