Ask the Community
Groups
CVE-2018-6329 Unitrends: sqli authentication bypass RCE - Connect IT Community | Kaseya
<main> <article class="userContent"> <h3 data-id="cve-id"><strong>CVE ID</strong></h3> <p>CVE-2018-6329</p> <h3 data-id="description"><strong>DESCRIPTION</strong></h3> <p>It was discovered that the Unitrends Backup (UB) before 10.1.0 the libbpext.so authentication could be bypassed with an SQL injection, allowing a remote attacker to place a privilege escalation exploit on the target system and subsequently execute arbitrary commands.</p> <h3 data-id="resolution"><strong>RESOLUTION</strong></h3> <p>Resolution is to upgrade to Unitrends release 10.1.0 or later.<br><br><a rel="nofollow" href="https://kaseya.vanillacommunities.com/kb/articles/aliases/unitrends/articles/Article/000006009?q=SELECT+Id%2CDescription__c%2CResolution__c%2CLink_to_Advisories__c%2CNotes__c%2CSummary%2CCVE_ID__c%2CAttachment__Body__s%2CAttachment__ContentType__s%2CAttachment__Length__s%2CAttachment__Name__s%2CTitle%2CKnowledgeArticleId+from+Advisory__kav+where+PublishStatus%3D%27Online%27">How to enable the release 10.1 upgrade</a><br> </p> <h3 data-id="link-to-advisories"><strong>LINK TO ADVISORIES</strong></h3> <p></p> <ul><li><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2018-6329%250D%250Ahttps%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3Dcve-2018-6329">https://nvd.nist.gov/vuln/detail/CVE-2018-6329 https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-6329</a></li></ul><h3 data-id="notes"><strong>NOTES</strong></h3> <p>See UNIBP-16736<br><br>[Discoverer] Benny Husted, Cale Smith, Jared Arave<br> </p> </article> </main>