Rhino Security Labs

Unitrends Enterprise Backup Privilege Escalation in users.php File
[CVE-2017-7284]

Vulnerability Details

CVSS Rating: 8.8 (high)

CVE-2017-7284

Disclosing Company: Rhino Security Labs

Date: 04/12/2017

Status: Published

Affected software/version:
Unitrends Enterprise Backup < 9.1.2

Disclosure

Rhino Security Labs References

Blog Post: "Unitrends Vulnerability Hunting: Remote Code Execution"

GitHub: Remote Password Change Exploit

Unitrends: Unitrends forced password change in users.php

MITRE

NIST

Disclosure Date

04/12/2017

Vulnerability Description

An attacker that has hijacked a Unitrends Enterprise Backup (before 9.1.2) web server session can leverage api/includes/users.php to change the password of the logged in account without knowing the current password. This allows for an account takeover.

Related Disclosures

Unitrends Enterprise Backup Local File Inclusion
[CVE-2017-7282]

Unitrends Enterprise Backup Privilege Escalation in Token Cookie
[CVE-2017-7279]

Unitrends Enterprise Backup Remote Code Execution in systems.php File
[CVE-2017-7280]

Unitrends Enterprise Backup Remote Code Execution in reports.php File
[CVE-2017-7281]

Unitrends Enterprise Backup Remote Code Execution in restore.php File
[CVE-2017-7283]

CVSS Metrics

CVSS Rating (version 3.0)

8.8 (High)

Impact Score

Exploitability Score

5.9

2.8

Attack Vector

Network

Attack Complexity (AC)Low Privileges Required (PR)Low User Interaction (UI)None Scope (S)Unchanged

Confidentiality (C)High Integrity (I)High Availability (A)High