CVE-2018-11168
Description
Quest DR Series Disk Backup software versions before 4.0.3.1 allow command injection (issue 26 of 46).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Quest DR Series Disk Backup software before 4.0.3.1 is vulnerable to command injection, allowing authenticated users to execute arbitrary system commands.
Vulnerability
Quest DR Series Disk Backup software versions before 4.0.3.1 are susceptible to a command injection vulnerability (issue 26 of 46). The flaw resides in the administrative interface, enabling an authenticated user with sufficient privileges to inject arbitrary operating system commands through improperly sanitized input fields. The vulnerable versions include all releases preceding 4.0.3.1 [1].
Exploitation
An attacker requires authenticated access to the Quest DR Series administrative web interface. By crafting a malicious input—such as appending command separators (e.g., ;, |, or backticks)—to a parameter that is later passed to a system call, the attacker can inject and execute arbitrary commands on the underlying operating system. No user interaction beyond the attacker's own actions is needed, and no race condition is involved [1].
Impact
Successful exploitation allows the attacker to execute arbitrary system commands with the privileges of the disk backup software process (typically running as root or a high-privilege user). This can lead to full compromise of the backup server, including unauthorized data access, modification, deletion, and potential lateral movement within the network. The CIA triad is wholly undermined, as the attacker can read, modify, or destroy backup data and system files [1].
Mitigation
Quest DR Series Disk Backup software versions 4.0.3.1 and later contain the fix for this command injection vulnerability. Operators should upgrade to version 4.0.3.1 or the latest available release immediately. No public workarounds have been disclosed; restricting access to the administrative interface via network controls and enforcing least-privilege access for authenticated users can reduce risk until patching is completed [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.0.3.1
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/148003/Quest-DR-Series-Disk-Backup-Software-4.0.3-Code-Execution.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2018/May/71 (mitre, mailing-list, x_refsource_FULLDISC)
- www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities (mitre, x_refsource_MISC)