Dell Avamar, Access Token Reuse Vulnerability, CVE-2025-21117 (Critical)

CVE-2025-21117 is a critical vulnerability in Dell Avamar version 19.4 and later, where the Avamar User Interface (AUI) fails to properly invalidate access tokens after session termination. This allows a low-privileged local attacker to reuse stale tokens for authentication bypass. The flaw occurs due to improper session management in the token validation mechanism, where tokens remain active even after logout or system timeout. Attackers can harvest these tokens from memory or temporary storage and reuse them to impersonate legitimate users, potentially gaining elevated privileges. The vulnerability stems from insufficient cryptographic binding between tokens and session states.

DailyCVE Form:

Platform: Dell Avamar
Version: 19.4+
Vulnerability: Token Reuse
Severity: Critical
Date: 03/28/2025

What Undercode Say:

Analytics:

  • Attack Vector: Local
  • Exploitability: High (low privileges required)
  • Impact: Full user impersonation
  • Patch Status: Vendor update pending

Exploitation Commands:

1. Extract tokens from memory:

grep -r "aui_token" /proc//mem

2. Reuse token via API:

curl -H "Authorization: Bearer <STOLEN_TOKEN>" https://avamar-server/api/admin

Mitigation Steps:

1. Apply temporary workaround:

sudo systemctl restart avamar-authd

2. Enforce token expiration (add to config):

token_lifetime=3600
enforce_one_time_use=true

Detection Script:

import requests

def check_token_reuse(url, token):
    # Returns True if the server still accepts the token, i.e. it was not
    # invalidated; call this with a token from a session that has already
    # been logged out to confirm whether the flaw is present.
    response = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=10)
    return response.status_code == 200

Permanent Fix:

  • Upgrade to patched version (when released)
  • Implement HMAC token validation
  • Enable session binding to IP/MAC

Log Monitoring:

SELECT * FROM auth_logs WHERE event_type = 'token_reuse';

Network Controls:

  • Block local token reuse attempts
  • Rate-limit auth requests
  • Enable MFA for admin roles

Forensic Artifacts:

  • /var/log/avamar/auth.log
  • Kernel memory dump
  • AUI session cache

Threat Hunting:

  • Multiple sessions with identical tokens
  • Unusual local process accessing auth files
  • Token usage post-logout events
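The two hunting signals above (a token used after its logout event, and one token appearing under more than one session) implemented over constructed log lines, as an added example that is not Dell's or Avamar's code; the key=value log format and its field names are assumptions, so adapt the regex to the real auth.log layout.

```python
import re
from collections import defaultdict

# Constructed sample auth log (assumed format, not Avamar's actual layout).
# tokA is used from a new session and source address after it was logged out.
SAMPLE_LOG = """\
2025-03-28T10:00:01Z event=login user=admin session=s1 token=tokA src=10.0.0.5
2025-03-28T10:05:00Z event=api_call user=admin session=s1 token=tokA src=10.0.0.5
2025-03-28T10:10:00Z event=logout user=admin session=s1 token=tokA src=10.0.0.5
2025-03-28T10:12:30Z event=api_call user=admin session=s9 token=tokA src=127.0.0.1
2025-03-28T10:15:00Z event=login user=ops session=s2 token=tokB src=10.0.0.7
2025-03-28T10:16:00Z event=api_call user=ops session=s2 token=tokB src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) "
    r"session=(?P<session>\S+) token=(?P<token>\S+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Parse key=value log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def find_token_reuse(records):
    """Return findings for tokens used after logout and tokens shared by
    several session ids. Records must be in chronological order."""
    logged_out = set()
    sessions_by_token = defaultdict(set)
    findings = []
    for r in records:
        token = r["token"]
        sessions_by_token[token].add(r["session"])
        if r["event"] == "logout":
            logged_out.add(token)
        elif token in logged_out:
            # Any use (including a re-issue) of a revoked token is suspect
            findings.append(("post_logout_use", token, r["ts"], r["src"]))
    for token, sessions in sessions_by_token.items():
        if len(sessions) > 1:
            findings.append(("multi_session_token", token, sorted(sessions)))
    return findings

if __name__ == "__main__":
    for finding in find_token_reuse(parse_log(SAMPLE_LOG)):
        print(finding)
```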

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-21117
Extra Source Hub:
Undercode