CVE-2018-11161

Vulnerability

Quest DR Series Disk Backup software versions before 4.0.3.1 contain a command injection vulnerability (issue 19 of 46) [1]. The vulnerability exists in the web management interface, allowing an attacker to inject arbitrary operating system commands via crafted input. Affected versions are all prior to 4.0.3.1.

Exploitation

An attacker with network access to the Quest DR Series management interface can send specially crafted HTTP requests containing injected commands. The attacker does not require authentication if the management interface is exposed, though some configurations may require credentials. The injection occurs in a parameter that is unsafely passed to a system command [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the underlying operating system with the privileges of the web server (typically root or system). This can lead to full compromise of the backup appliance, including data exfiltration, installation of malware, or disruption of backup services.

Mitigation

Quest has released version 4.0.3.1 to address this vulnerability. Users should upgrade to this version or later. No workarounds are documented. If upgrade is not possible, restrict network access to the management interface to trusted hosts only [1].