CISA Warns of NAKIVO Backup Vulnerability Exploited in Attacks – PoC Released
- From: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
CISA has issued an urgent warning regarding a critical vulnerability in NAKIVO Backup and Replication solutions. As reports of active exploitation emerge, organizations are urged to patch immediately.
The vulnerability, tracked as CVE-2024-48248, allows unauthenticated attackers to read arbitrary files from systems running vulnerable versions of the software.
The flaw, which affects NAKIVO Backup and Replication version 10.11.3.86570 and earlier, is classified as an absolute path traversal vulnerability (CWE-36).
NAKIVO Backup Vulnerability
Security firm watchTowr Labs discovered this vulnerability in September 2024, but NAKIVO reportedly patched it without publishing an advisory.
“This unauthenticated arbitrary file read vulnerability essentially provides attackers with the ability to access any file on the target system, including critical configuration files and credentials,” explained security researchers at watchTowr Labs.
The vulnerability specifically involves the STPreLoadManagement action and getImageByPath method in the NAKIVO software.
A request invoking this method returns the content of the specified file encoded as an array of decimal ASCII values, allowing attackers to read sensitive system files.
| Risk Factors | Details |
| --- | --- |
| Affected Products | NAKIVO Backup & Replication versions 10.11.3.86570 and earlier |
| Impact | Arbitrary file read, exposure of sensitive data, remote code execution |
| Exploit Prerequisites | Network access to the NAKIVO Backup & Replication application; ability to send HTTP POST requests to the /c/router endpoint |
| CVSS 3.1 Score | 8.6 (High) |
CISA’s warning emphasizes that this vulnerability poses a significant risk to organizations as it potentially exposes critical backup infrastructure.
While it is currently unknown whether this vulnerability is being used in ransomware campaigns, backup solutions have increasingly become targets for attackers seeking to disable recovery options.
“As we’ve seen in numerous incidents, ransomware gangs tend to prefer situations in which they get paid and typically go that extra mile to ensure their victims can’t simply roll their systems back, including nuking and destroying any in-place backup mechanisms,” noted watchTowr researchers.
The vulnerability can be leveraged to extract database credentials, AWS keys, SSH credentials, and other sensitive information used by the backup solution to connect to various systems.
Mitigations
CISA has issued the following guidance for organizations using NAKIVO Backup and Replication:
- Immediately update to version 11.0.0.88174 or later, which contains the patch for this vulnerability
- Apply vendor-provided mitigations
- Follow applicable BOD 22-01 guidance for cloud services
- Discontinue use of the product if mitigations are unavailable
In the patched version, NAKIVO addressed the vulnerability by implementing proper input validation: the fix extracts only the filename portion of the supplied path and constructs a new file path in a controlled manner, which prevents directory traversal.
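As an added illustration, not NAKIVO's actual patch (the article describes it but the listing is not reproduced here), the pre-patch pattern beside the hardened form the text describes; the IMAGE_ROOT directory and the function names are assumptions:

```python
import os
from pathlib import Path

# Assumed directory the application is allowed to serve images from (hypothetical).
IMAGE_ROOT = Path("/var/lib/nakivo-demo/images")


class PathTraversalError(ValueError):
    """Raised when a caller-supplied path cannot be confined to IMAGE_ROOT."""


def resolve_image_path_unsafe(user_path: str) -> Path:
    """Pre-patch pattern (CWE-36, absolute path traversal): the supplied
    string is used as the file path, so "/etc/passwd" is read verbatim."""
    return Path(user_path)


def resolve_image_path_safe(user_path: str, root: Path = IMAGE_ROOT) -> Path:
    """Post-patch pattern described in the article: keep only the filename
    portion, rebuild the path under a fixed root, then confirm containment."""
    # Normalise Windows separators first so basename() cannot be bypassed with "\".
    name = os.path.basename(user_path.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise PathTraversalError(f"rejected filename in {user_path!r}")
    root_resolved = root.resolve()
    candidate = (root_resolved / name).resolve()
    # Belt and braces: even after basename(), the canonical path must stay under
    # root (guards against a symlinked entry that points outside the directory).
    if root_resolved not in candidate.parents:
        raise PathTraversalError(f"{user_path!r} resolves outside {root}")
    return candidate


def is_rejected(user_path: str) -> bool:
    """True when the hardened resolver refuses the input."""
    try:
        resolve_image_path_safe(user_path)
    except PathTraversalError:
        return True
    return False


if __name__ == "__main__":
    for probe in ("/etc/passwd", "../../etc/shadow", "logo.png", ".."):
        unsafe = resolve_image_path_unsafe(probe)
        safe = "rejected" if is_rejected(probe) else resolve_image_path_safe(probe)
        print(f"{probe!r:22} unsafe -> {unsafe}   safe -> {safe}")
```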
Proof of Concept Released
The released exploit code demonstrates how an attacker could exploit the arbitrary file read vulnerability in NAKIVO Backup & Replication versions before 11.0.0.88174.
The script sends a crafted POST request to the /c/router endpoint, utilizing the STPreLoadManagement action and getImageByPath method to read arbitrary files on the target system.
To defend against such threats, users and organizations need to be proactive and vigilant in patching vulnerabilities such as CVE-2024-48248.