Command injection in RecoverPoint - CVE-2018-1184
Published: February 5, 2018
Vulnerability identifier: #VU10364
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1184
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Dell
Affected software:
RecoverPoint
Detailed vulnerability description
The vulnerability allows a local, high-privileged attacker to execute arbitrary commands on the target system.
The vulnerability exists due to an error in lib/rrd.php. A local user with 'boxmgmt' privileges can supply specially crafted data via the Boxmgmt command-line interface (CLI) to run arbitrary commands with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
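The advisory classifies this as CWE-77 (command injection): attacker-controlled input reaches a shell command string without being neutralized, so it runs with the privileges of the process that builds the command (root here). The block below is an added, generic illustration of that weakness class in PHP, written for this entry; it is not RecoverPoint's lib/rrd.php and does not reproduce the actual bug. The function names, the rrdtool invocation, the /var/rrd path and the sample inputs are all assumptions made for the demonstration.

```php
<?php
// Added illustration of the CWE-77 pattern (OS command injection) in PHP.
// This is NOT RecoverPoint's lib/rrd.php. The function names, the rrdtool
// invocation, the /var/rrd path and the sample inputs are assumptions.

// Vulnerable pattern: caller-controlled text is interpolated into a shell
// command string. Shell metacharacters in $target (";", "|", "$(...)") are
// interpreted by /bin/sh, so whoever controls $target chooses what runs,
// with the privileges of the PHP process (root, in the advisory's case).
function fetch_rrd_vulnerable(string $target): string
{
    return shell_exec("rrdtool fetch /var/rrd/{$target}.rrd AVERAGE 2>&1") ?? '';
}

// Hardened pattern: validate against an allow-list of expected shapes first,
// then quote the argument so the shell treats it as one literal word.
function fetch_rrd_hardened(string $target): string
{
    // Only letters, digits, dot, underscore and dash: no path separators,
    // no whitespace, no shell metacharacters. Reject anything else outright
    // rather than trying to strip "bad" characters.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $target)) {
        throw new InvalidArgumentException('rejected target name');
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded quotes, so it cannot terminate the argument.
    $path = escapeshellarg("/var/rrd/{$target}.rrd");
    return shell_exec("rrdtool fetch {$path} AVERAGE 2>&1") ?? '';
}

// Constructed sample inputs: a legitimate name and one carrying a shell
// metacharacter. The second never reaches the command string because the
// validator rejects it first.
foreach (['cpu_load', 'cpu_load; id'] as $name) {
    try {
        fetch_rrd_hardened($name);
        echo "accepted: {$name}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$name}\n";
    }
}
```

Two defensive points the example makes that the advisory only implies: the allow-list check happens before any command string exists, so there is nothing to "escape" after the fact; and the damage of a residual bug is bounded by the privilege of the process that runs the command, which is why the root-privilege detail in the description matters as much as the injection itself.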
How to mitigate CVE-2018-1184
Install the update from the vendor's website.