Thursday, March 20, 2025

CISA Warns of NAKIVO Backup Flaw Exploited in Attacks with PoC Released


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a severe vulnerability in the NAKIVO Backup and Replication software, tracked as CVE-2024-48248.

This vulnerability allows attackers to exploit an absolute path traversal flaw, enabling them to read arbitrary files without authentication.

The vulnerability resides in the Director Web Interface of the NAKIVO Backup and Replication solution, specifically in the STPreLoadManagement action reached through the /c/router endpoint.

By manipulating the file path parameter, attackers can access any file on the system the software is running on. This includes critical system files and backup data, which can lead to unauthorized data exfiltration or other malicious actions.

Impact and Exploitation

Given the nature of the vulnerability, attackers can exploit it to read sensitive information such as system files, database credentials, and backup data.

The NAKIVO software often integrates with cloud environments, virtual infrastructure, and network devices, making the potential impact extensive.

Attackers could use this vulnerability to access AWS keys, SSH credentials, or other privileged information stored by NAKIVO for backup operations.

Proof of Concept (PoC) Demonstrated

A proof-of-concept (PoC) for this vulnerability has been demonstrated. It involves sending a crafted request to the /c/router endpoint with the following payload:

POST /c/router HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Connection: keep-alive
Content-Length: 121

{
  "action": "STPreLoadManagement",
  "method": "getImageByPath",
  "data": ["C:/windows/win.ini"],
  "type": "rpc",
  "tid": 3980,
  "sid": ""
}

This request uses the getImageByPath method of the STPreLoadManagement action to read the C:/windows/win.ini file on a Windows system.

Similarly, attackers could use this method to read sensitive files like /etc/shadow on Linux systems.

Mitigation and Vendor Response

NAKIVO has quietly patched the vulnerability in version 11.0.0.88174 and later releases.

The fix prevents directory traversal by sanitizing the supplied path with Apache Commons IO: FilenameUtils.getName discards every directory component, including absolute prefixes and parent-directory references, so only the bare file name survives, and FileUtils.getFile then resolves that name under the fixed userdata/branding directory.

In the patched version:

import java.io.File;
import java.io.IOException;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.FilenameUtils;

public byte[] getImageByPath(String path) throws IOException {
  // Keep only the last path component; "C:/windows/win.ini" becomes "win.ini"
  // and "../../etc/shadow" becomes "shadow".
  String fileName = FilenameUtils.getName(path);
  // Resolve the bare name under the fixed branding directory only.
  File targetFile = FileUtils.getFile(new String[] { "userdata", "branding", fileName });
  // Refuse anything that is missing, unreadable, or a directory.
  if (!targetFile.exists() || !targetFile.canRead() || targetFile.isDirectory()) {
    throw new IOException(Lang.get("services.branding.no.file", new Object[0]));
  }
  return FileUtils.readFileToByteArray(targetFile);
}
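As an added example, not code from NAKIVO or from this article, the following Python contrasts the pre-patch path handling with the patched basename-only logic and adds a check a defender could run over captured /c/router request bodies. BRANDING_DIR and the two request bodies are constructed for the example.

```python
import json
import os
from pathlib import Path, PureWindowsPath

# Constructed stand-in for the application's userdata/branding directory
# (hypothetical location, not NAKIVO's real install path).
BRANDING_DIR = Path("/opt/nakivo/userdata/branding")

def unsafe_resolve(path: str) -> str:
    """Pre-patch pattern: the caller's path is joined as supplied, so an
    absolute path or enough '..' components escape BRANDING_DIR."""
    return os.path.normpath(os.path.join(str(BRANDING_DIR), path))

def branding_file(path: str) -> Path:
    """Patched pattern: keep only the last path component (what
    FilenameUtils.getName does, for both '/' and '\\' separators) and
    resolve it directly under BRANDING_DIR."""
    name = PureWindowsPath(path).name
    if name in ("", ".", ".."):
        raise ValueError("request carries no usable file name")
    target = BRANDING_DIR / name
    # A bare file name cannot leave the directory; this guards the invariant.
    if target.parent != BRANDING_DIR:
        raise ValueError("resolved outside branding directory")
    return target

def flag_request(body: str) -> bool:
    """Detection helper for captured /c/router bodies: True when a
    getImageByPath call carries an absolute or parent-traversing path."""
    req = json.loads(body)
    if (req.get("action"), req.get("method")) != ("STPreLoadManagement", "getImageByPath"):
        return False
    for arg in req.get("data", []):
        if not isinstance(arg, str):
            continue
        p = PureWindowsPath(arg)   # Windows flavour understands both separators
        if p.drive or p.root or ".." in p.parts:
            return True
    return False

# Constructed request bodies: the published PoC shape and a benign call.
POC_BODY = json.dumps({"action": "STPreLoadManagement", "method": "getImageByPath",
                       "data": ["C:/windows/win.ini"], "type": "rpc", "tid": 3980, "sid": ""})
BENIGN_BODY = json.dumps({"action": "STPreLoadManagement", "method": "getImageByPath",
                          "data": ["logo.png"], "type": "rpc", "tid": 3981, "sid": ""})

if __name__ == "__main__":
    print(unsafe_resolve("../../../../etc/shadow"))   # escapes: /etc/shadow
    print(branding_file("C:/windows/win.ini"))         # /opt/nakivo/userdata/branding/win.ini
    print(flag_request(POC_BODY), flag_request(BENIGN_BODY))   # True False
```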

CISA recommends that users apply vendor-provided patches immediately. If patches are not available, users should consider discontinuing use of the product until a fix is provided.

Additionally, following best practices for securing cloud services, as outlined in Binding Operational Directive (BOD) 22-01, can help mitigate potential risks associated with vulnerabilities like CVE-2024-48248.

The NAKIVO vulnerability highlights the growing importance of securing backup solutions, particularly in environments where these systems often hold critical data.

As ransomware attacks continue to evolve, ensuring that backup mechanisms are robust and secure is essential.

Users and organizations must remain vigilant and proactive in addressing vulnerabilities such as CVE-2024-48248 to protect against emerging threats.
