CVE-2018-11145

Vulnerability

Quest DR Series Disk Backup software versions prior to 4.0.3.1 are affected by a command injection vulnerability (issue 3 of 46) [1]. The flaw exists in an unspecified component that fails to properly sanitize user-supplied input, allowing an attacker to inject arbitrary operating system commands.

Exploitation

An attacker with network access to the management interface of the Quest DR Series appliance can exploit this vulnerability by sending specially crafted requests to the vulnerable endpoint. No authentication is required for exploitation, as the vulnerable functionality is exposed to unauthenticated users [1]. The attack does not require user interaction.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with the privileges of the application process, typically root or SYSTEM. This leads to full compromise of the backup appliance, including data exfiltration, modification, or destruction, and potential lateral movement within the network.

Mitigation

The vulnerability is fixed in Quest DR Series Disk Backup software version 4.0.3.1 [1]. Users should upgrade to this version or later immediately. No workarounds are documented in the available reference. The product is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.