Ask the Community
Groups
How to apply Unitrends security updates - Connect IT Community | Kaseya
<main> <article class="userContent"> <h3 data-id="description"><strong>DESCRIPTION</strong></h3> <p>See <a href="https://kaseya.vanillacommunities.com/kb/articles/aliases/unitrends/hc/en-us/articles/360013271818" rel="noopener nofollow">Unitrends Response to certain security vulnerabilities (CVEs) - Reference Article</a> for reference information on various security vulnerabilities which have been addressed, and some common false positives which may occur during some common security scans. <br><br> </p> <h3 data-id="resolution"><strong>RESOLUTION</strong></h3> <p> </p> <p><strong>As of release 10.3.1, all Security Updates are conducted automatically as part of the monthly updates to the Unitrends Appliance. If you are on our current release you can further enable <a href="https://kaseya.vanillacommunities.com/kb/articles/aliases/unitrends/hc/en-us/articles/360013189757" rel="undefined nofollow">the Helix Auto-update for the Unitrends Appliance.</a></strong></p> <p> </p> <p><strong>We strongly recommend you keep your Unitrends Appliance up to date for maximum supportability, security, and protection capabilities. Please follow the <a href="https://kaseya.vanillacommunities.com/kb/articles/aliases/unitrends/hc/en-us/articles/360013158117" rel="noopener nofollow">Latest Release Notes for Recovery Series and Unitrends Backup</a></strong> <strong>and the then current </strong><a rel="nofollow" href="https://kaseya.vanillacommunities.com/kb/articles/aliases/unitrends/hc/en-us/articles/360013187317">Upgrade Guide for Recovery Series and Unitrends Backup</a><strong> available at that time. Unitrends officially supports the current release at any time. </strong></p> <p> </p> <p>For those systems release 10.3 and older where an update of the RecoveryOS is not possible, proceed with the instructions below for security updates.</p> <p><br><strong>Note</strong> that the first line of security is to change your root password from the default to a secure password, otherwise no amount of security updates will prevent attackers from accessing your unit. <br><strong>Note</strong> also that putting your backup server on a public-facing IP address or unfiltered NAT instead of behind a firewall is not supported by Unitrends in any way. <br><br><strong><br>Before installing these updates, the Unitrends Appliance must be on release 10.0.0 or higher. </strong><br>The installation will notify you and abort if this is not the case. <br><br><strong>To apply Unitrends security updates, do one of the following processes:</strong><br>First, use an SSH client such as <a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fwww.chiark.greenend.org.uk%2F%7Esgtatham%2Fputty%2Fdownload.html" rel="noopener nofollow">PuTTY</a> to access the Unitrends system at the command line level. <em>Note: Ensure you have the OS password to access the Unitrends system’s command line. The OS <a href="https://kaseya.vanillacommunities.com/kb/articles/aliases/unitrends/hc/en-us/articles/360013244978" rel="noopener nofollow">password</a> may differ from the password used to access the User Interface.</em></p> <ol><li>If you have network access to ftp.unitrends.com: Perform the following steps at the command line to apply the security tarball. <pre class="code codeBlock" spellcheck="false" tabindex="0">wget <a href="/home/leaving?allowTrusted=1&target=ftp%3A%2F%2Fftp.unitrends.com%2Futilities%2Fsecurity_get.sh">ftp://ftp.unitrends.com/utilities/security_get.sh</a> sh security_get.sh apply</pre> </li> <li>If you DO NOT have access to ftp.unitrends.com: perform these steps to apply the security tarball <pre class="code codeBlock" spellcheck="false" tabindex="0">(from a system with access to ftp.unitrends.com, download the files and confirm the checksum) wget <a href="/home/leaving?allowTrusted=1&target=ftp%3A%2F%2Fftp.unitrends.com%2Futilities%2Fsecurity_updates.tar.gz">ftp://ftp.unitrends.com/utilities/security_updates.tar.gz</a> wget <a href="/home/leaving?allowTrusted=1&target=ftp%3A%2F%2Fftp.unitrends.com%2Futilities%2Fsecurity_updates.tar.md5">ftp://ftp.unitrends.com/utilities/security_updates.tar.md5</a> md5sum security_updates.tar.gz cat security_updates.tar.md5 (transfer security_updates.tar.gz to the Unitrends system placing them in /var/cache and apply it) cd /var/cache tar -xzvf security_updates.tar.gz cd updates ./security_updates.sh</pre> </li> <li>If you have release 10.0.0, it then supports performing security updates from the UI Support Toolbox. From the UI, do this to download and update it. </li> </ol><div> <pre class="code codeBlock" spellcheck="false" tabindex="0">Configure -> Edit Appliance -> Advanced -> Support Toolbox -> Security Update </pre> </div> <p><br><strong>This process will abort installing security updates if any of the following are true:</strong></p> <ul><li>There are any active jobs in tasker</li> <li>There are active FLR jobs</li> <li>There are active VIR jobs (HV or VMWare)</li> <li>A Cloud Self Serve session is active importing data from a hot copy target</li> </ul><p><strong>Verify that the security patch was successfully installed</strong><br> </p> <div><a href="https://kaseya.vanillacommunities.com/kb/articles/aliases/unitrends/hc/en-us/articles/360013189957?q=SELECT+Id%2CDescription__c%2CResolution__c%2CLink_to_Advisories__c%2CNotes__c%2CSummary%2CCVE_ID__c%2CAttachment__Body__s%2CAttachment__ContentType__s%2CAttachment__Length__s%2CAttachment__Name__s%2CTitle%2CKnowledgeArticleId+from+Advisory__kav+where+PublishStatus%3D%27Online%27" rel="noopener nofollow">How to identify the version of the installed security patch</a></div> <p><br><strong>To automatically download and apply new security updates when available:</strong><br> </p> <pre class="code codeBlock" spellcheck="false" tabindex="0">bputil -p "Configuration Options" SecurityAutoUpdate 1 /usr/bp/bpinit/master.ini</pre> <p><br><strong>To verify that future security updates will be automatically installed run the command:</strong></p> <pre class="code codeBlock" spellcheck="false" tabindex="0">grep SecurityAutoUpdate /usr/bp/bpinit/master.ini</pre> <p><br><strong>SecurityAutoUpdate will be set to "1" once the auto-update feature is enabled.</strong></p> <pre class="code codeBlock" spellcheck="false" tabindex="0">[root@UnitrendsSystem ~]# grep SecurityAutoUpdate /usr/bp/bpinit/master.ini SecurityAutoUpdate=1 ; =1 auto-update new security rpm if available </pre> <h3 data-id="link-to-advisories"><strong>LINK TO ADVISORIES</strong></h3> <p> </p> <h3 data-id="notes"><strong>NOTES</strong></h3> <p>Unitrends recommends installing security updates <strong><em>only</em></strong> if you are already running the latest Unitrends Recovery OS release. Failing to do so may result in some security updates being skipped due to version compatibility limitations. Please always perform any available UI updated before applying the latest security_updates. <br><br><br><strong>About the Security Updates available to Unitrends Appliances:</strong><br><br>Difference between unitrends-security rpm and the security_updates tarball: </p> <table border="1"><tbody><tr><td colspan="1" rowspan="1">unitrends-security rpm - automatically installed in release 9.2.0 and later to provide all customers with a baseline security configuration. <br>Releases occur infrequently and are tied to the standard release cycle. </td> </tr><tr><td colspan="1" rowspan="1">security_updates tarball - applies any rpms or configuration changes for security issues that may have occurred since the last major release.<br>Updates occur frequently independent of release cycles.</td> </tr></tbody></table><p>Use the Unitrends security_updates tarball if any of the following conditions apply: </p> <table border="1"><tbody><tr><td colspan="1" rowspan="1">resolving a vulnerability more recent than the baseline security rpm</td> </tr><tr><td colspan="1" rowspan="1">no network access to unitrends.com</td> </tr><tr><td colspan="1" rowspan="1">32-bit system</td> </tr></tbody></table><p> </p> <ul><li>If you have release 10.0, or have already applied the security update tarball after June 1, 2017, it then supports performing security updates from the UI Support Toolbox. From the UI, go to <strong>Configure/Edit Appliance/Advanced/Support Toolbox/Security </strong>and click to download and update it. </li> <li>If you have applied security_updates from 01/04/2018 (ver 10.17) or later, it will send an alert to the UI when a new security_update is available. </li> <li>Details about the security updates applied are logged in /var/log/unitrends-security.log.</li> </ul> </article> </main>