CVE-2018-11152

Vulnerability

Quest DR Series Disk Backup software versions prior to 4.0.3.1 are vulnerable to command injection (issue 10 of 46). The vulnerability resides in the web management interface, where insufficient input validation allows an attacker to inject arbitrary operating system commands. The exact affected component is not detailed in the available reference, but the software is used for disk-based backup and deduplication. [1]

Exploitation

An attacker with network access to the Quest DR Series management interface can exploit this vulnerability by sending specially crafted HTTP requests. No authentication is required, as the injection occurs in a pre-authentication context. The attacker can inject commands via parameters that are passed to the underlying system shell. The reference indicates that the exploit is straightforward and does not require user interaction. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the underlying operating system with the privileges of the web server process (typically root or a high-privileged user). This leads to full compromise of the backup appliance, including data exfiltration, modification, or destruction, and potential lateral movement within the network. [1]

Mitigation

Quest has released version 4.0.3.1 to address this vulnerability. Users should upgrade to this version or later. No workarounds are documented in the available reference. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]