DIVD-2020-00011 - Four critical vulnerabilities in Vembu BDR

Our reference DIVD-2020-00011
Case lead Wietse Boonstra
Author Frank Breedijk
Researcher(s)
CVE(s)
Products
  • 360DR
  • BackSpace
  • BackupService
  • BackupSolution
  • BaltnetaOnlineBackup
  • ClearPointBackup
  • CloudBackup
  • CloudBasedBackup
  • CloudStor
  • CloudStore
  • CtrlSDataAssurance
  • DataAddicts
  • DataBackup
  • DataCrib
  • DataVault
  • DBS
  • EclipseBaaS
  • EnklareBackup
  • FastBackup
  • Guardian
  • HotlinkBackup
  • IronVault
  • iwksbackup
  • Level365OnlineBackup
  • LocalTel_RDS
  • MBCBackup
  • Netbackup
  • NetrepidHostedBackups
  • OffsiteVAULT
  • OnlineBackup_Client
  • OnyxSync
  • Opusbackup
  • P2VOnlineBackup
  • ProdigyBackup
  • QloudwiseBackup
  • RAKVault
  • ReflexBackups
  • RemoteDataRecovery
  • saf-gate
  • SamcoStor
  • SM4Store
  • StoreGrid
  • StoreSafeDC
  • StorNet
  • STPOffsite
  • Syntax
  • TBITBackup
  • TechNetBackup
  • TheDataVault
  • TitanBackup
  • TruStor
  • UndergroundBackups
  • VELOCIsecure
  • VembuBDR
  • VembuOffsiteDR
  • WrightOnline
  • XpressSTOR
  • ZipData
  • Other products or versions of products in this family may be affected too.
Versions
  • 360DR v4.4.0.0
  • BackSpace v4.5.0
  • BackupService v5.2.0
  • BackupSolution v4.4.0.0
  • BaltnetaOnlineBackup v4.1.0
  • ClearPointBackup v4.4.0.0
  • CloudBackup v4.4.0.0
  • CloudBasedBackup v4.4.0
  • CloudStor v4.4.0.0
  • CloudStore v4.4.0.0
  • CtrlSDataAssurance v4.5.0
  • CtrlSDataAssurance v4.4.2
  • CtrlSDataAssurance v4.4.0.0
  • CtrlSDataAssurance v4.4.0
  • CtrlSDataAssurance v4.2.0.0
  • CtrlSDataAssurance v4.2.0
  • CtrlSDataAssurance v3.5.0.0
  • DataAddicts v4.4.0.0
  • DataBackup v4.3.0
  • DataCrib v5.2.0
  • DataVault v5.1.0
  • DBS v4.4.0.0
  • EclipseBaaS v4.4.0.0
  • EnklareBackup v5.1.0
  • FastBackup v4.4.0.0
  • Guardian v5.1.0
  • Guardian v4.4.0.0
  • Guardian v4.4.0
  • HotlinkBackup v4.4.0
  • IronVault v4.4.0.0
  • iwksbackup v5.0.0
  • Level365OnlineBackup v4.4.0.0
  • LocalTel_RDS v4.4.0.0
  • MBCBackup v4.4.0.0
  • Netbackup v5.2.0
  • NetrepidHostedBackups v4.4.1
  • OffsiteVAULT v4.4.0.0
  • OnlineBackup_Client v5.1.0
  • OnlineBackup_Client v4.4.0.0
  • OnlineBackup_Client v4.4.0
  • OnyxSync v4.4.0.0
  • Opusbackup v4.4.0.0
  • P2VOnlineBackup v4.4.0.0
  • ProdigyBackup v4.4.0.0
  • QloudwiseBackup v4.4.2
  • RAKVault v4.4.0.0
  • ReflexBackups v4.4.0.0
  • RemoteDataRecovery v5.1.0
  • saf-gate v4.4.0.0
  • SamcoStor v5.0.0
  • SM4Store v4.4.0.0
  • StoreGrid v5.2.0
  • StoreGrid v5.1.0
  • Storegrid v5.1.0
  • StoreGrid v5.0.0
  • StoreGrid v4.5.0
  • StoreGrid v4.4.1.0
  • StoreGrid v4.4.1
  • StoreGrid v4.4.0.0
  • StoreGrid v4.4.0
  • StoreGrid v4.2.1.0
  • StoreGrid v4.2.1
  • StoreGrid v4.0.0.0
  • StoreGrid v3.5.0.0
  • StoreGrid v3.1.0.0
  • StoreSafeDC v4.4.0.0
  • StorNet v5.0.0
  • StorNet v4.4.0
  • STPOffsite v4.4.0.0
  • Syntax v4.4.0.0
  • TBITBackup v5.1.0
  • TechNetBackup v4.4.0.0
  • TheDataVault v4.5.0
  • TitanBackup v5.2.0
  • TitanBackup v5.1.0
  • TruStor v4.4.0.0
  • TruStor v3.5.0.0
  • UndergroundBackups v4.4.0.0
  • VELOCIsecure v4.4.0.0
  • VembuBDR v6.1.0.0
  • VembuBDR v4.2.0.1
  • VembuBDR v4.2.0
  • VembuBDR v4.1.0
  • VembuBDR v4.0.2
  • VembuBDR v4.0.1
  • VembuBDR v4.0.0
  • VembuBDR v3.9.1 Update1
  • VembuBDR v3.9.0 Update1
  • VembuBDR v3.9.0
  • VembuBDR v3.8.0
  • VembuBDR v3.7.0
  • VembuBDR v3.5.0.0
  • VembuOffsiteDR v4.2.0.1
  • VembuOffsiteDR v4.2.0
  • WrightOnline v4.4.0.0
  • XpressSTOR v4.4.0.0
  • ZipData v4.4.0.0
  • Other products or versions of products in this family may be affected too.
Recommendation Update Vembu DBR to at least 4.2.0 update 2 and limit it's exposure (don't expose to public internet) For other products we have not been informed of the availability of patches, it is highly recommended to not expose these products to public internet.
Patch status Some patches available
Status Closed
Last modified 23 Nov 2022 21:04 CET

English below

Samenvatting

DIVD Onderzoeker Wietse Boonstra heeft vier ernstige kwetsbaarheden in Vembu BDR Suite ontdekt.

Deze vier kwetsbaarheden zijn:

Via een of meer van deze kwetsbaarheden is het voor een aanvaller mogelijk een kewetbaar Vembu BDR systeem over te nemen en toegang te krijgen tot data die via Vembu BDR wordt gebackuped.

De wolledige details van deze kwetsbaarheden zijn eerder overgedragen aan Vembu die deze kwetsbaarheden in Vembu BDR 4.2.0 update 2 hebben verholpen. Op 1 juni zijn we van plan de volledige details van deze CVEs vrij te geven.

De Server Side Request Forgecy (CVE-2021-26474) komt ook voor in veel andere producten van Vembu.

Wat kunt u doen?

Indien u gebruik maar van Vembu BDR zorg dan dat u minstens versie 4.2.0 update 2 heeft geinstalleerd. Al u nog niet heeft geupdated, of niet kan updaten, zorg dan dat het systeem is voorzien van additionele toegangsbeveiliging zoals een VPN of access gateway.

Daarnaast kun u gebruik maken van nmap en de NSE scripts op onze Vembu GitHub repository om kwetsbare installates in uw netwerk op te sporen.

Wat doen wij?

De afgelopen maanden hebben we samengewerkt met Vembu om te zorgen dat er pataches beschikbaar zijn. Voor de publicatie van deze case en het vrijgeven van de details hebben we de hele IPv4 space gescand om kwetsbare Vembu BDR instances te vinden en kort na de publicatie zllen we waarschuwing versturen aan de “Abuse” adressen van de netwerken waar deze instances staan.

Timeline

Date Description
26-10-2020 Wietse Boonstra ontdekt deze vier kwetsbaarheden
2-11-2020 Eerste poging deze kwetsbaarheden aan te kaarten bij Vembu BDR
11-11-2020 Ons initiele ticket wordt door Vembu gesloten
1-2-2021 CVE iditificatoren gereserveerd
11-2-2021 Nieuwe poging tot contact met Vembu
22-3-2021 Vembu bevestigd ontvangst van ons rapport en geeft aan dat deze problemen reeds opgelost zijn in hun “bi-weekly builds”.
31-3-2021 Vembu update hun images op Docker Hub naar images waarin deze kwetsbaarheden gefixt zijn
2-4-2021 Vembu zet geupdate software of hun download pagine
30-4-2021 ZMap scan naar servers die op poort 6060 luisten van 0.0.0.0/0
2-5-2021 Eerste scan naar kwetsbare systemen
15-5-2021 Gelimiteerde publicatie van deze kwetsbaarheden
1-6-2021 Geplande datum voor full disclosure
25-8-2021 Full disclosure van CVE-2021-26471, CVE-2021-26472 en CVE-2021-26473
gantt title DIVD-2020-00011 - Four critical vulnerabilities in Vembu BDR dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2020-00011 - Four critical vulnerabilities in Vembu BDR (197 days) :2020-10-26, 2021-05-11 section Events Initial discovery of the vulnerabilities by Wietse Boonstra : milestone, 2020-10-26, 0d First attempt to notify Vembu of these security issues : milestone, 2020-11-02, 0d Initial ticket closed by Vembu without feedback : milestone, 2020-11-11, 0d CVE reserved for the four vulnerabilities : milestone, 2021-02-01, 0d Renewed attempt to contact Vembu : milestone, 2021-02-11, 0d Time to acknowledge (149 days) : 2020-11-02, 2021-03-31 Vembu acknowledges receipt of vulnerability report and indicates that the problems have been resolved in their “bi-weekly” builds. : milestone, 2021-03-22, 0d Vembu updates the images on Docker Hub to images that include the fix for these vulnerabilities : milestone, 2021-03-31, 0d Time to fix (151 days) : 2020-11-02, 2021-04-02 Vembu updates their download page with a non-vulnerable version : milestone, 2021-04-02, 0d ZMap scan of services listening on port 6060 of 0.0.0.0/0 : milestone, 2021-04-30, 0d First scan for vulnerable hosts using nse scripts : milestone, 2021-05-02, 0d Time to fix (190 days) : 2020-11-02, 2021-05-11 Public disclosure of these vulnerabilities : milestone, 2021-05-11, 0d Planned date for full disclosure : milestone, 2021-06-01, 0d

Meer informatie

English

Summary

DIVD Researcher Wietse Boonstra has discovered four critical vulnerabilities in Vembu BDR Suite

These four vulnerabilities are:

An attacker could, by using one or more of these vulnerabilities completely take over a vulnerable Vembu BDR system they have access to and gain access to the data that is back up using Vembu BDR.

The full details of these vulnerabilities have been previously disclosed to Vembu and have been addressed in Vembu DBR version 4.2.0 update 2. We plan to do a full disclosure of these vulnerabilities on 1 June.

The Server Side Request Forgecy (CVE-2021-26474) is also present in lots of other Vembu products.

What you can do

If you are using Vembu BDR make sure that you are using at least version 4.2.0 update 2. If you have not yet updated or cannot update, make sure that system is protect with additional access security measures like a VPN or access gateway.

Additionally you can use nmap and the NSE scripts on our Vembu GitHub repository to scan you own network for exposed Vembu systems.

What we are doing

Over the past months we have been working with Vembu to make sure patches are available. Prior to the publication of this case we have scanned the entire IPv4 space for publicly accessible vulnerable Vembu BDR instances and shortly after this publication we have sent notification to the abuse addresses of these networks.

Timeline

Date Description
26 Oct 2020 Initial discovery of the vulnerabilities by Wietse Boonstra
02 Nov 2020 First attempt to notify Vembu of these security issues
11 Nov 2020 Initial ticket closed by Vembu without feedback
01 Feb 2021 CVE reserved for the four vulnerabilities
11 Feb 2021 Renewed attempt to contact Vembu
02 Nov 2020-
31 Mar 2021		 Time to acknowledge
22 Mar 2021 Vembu acknowledges receipt of vulnerability report and indicates that the problems have been resolved in their “bi-weekly” builds.
31 Mar 2021 Vembu updates the images on Docker Hub to images that include the fix for these vulnerabilities
02 Nov 2020-
02 Apr 2021		 Time to fix
02 Apr 2021 Vembu updates their download page with a non-vulnerable version
30 Apr 2021 ZMap scan of services listening on port 6060 of 0.0.0.0/0
02 May 2021 First scan for vulnerable hosts using nse scripts
02 Nov 2020-
11 May 2021		 Time to fix
11 May 2021 Public disclosure of these vulnerabilities
01 Jun 2021 Planned date for full disclosure
gantt title DIVD-2020-00011 - Four critical vulnerabilities in Vembu BDR dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2020-00011 - Four critical vulnerabilities in Vembu BDR (197 days) :2020-10-26, 2021-05-11 section Events Initial discovery of the vulnerabilities by Wietse Boonstra : milestone, 2020-10-26, 0d First attempt to notify Vembu of these security issues : milestone, 2020-11-02, 0d Initial ticket closed by Vembu without feedback : milestone, 2020-11-11, 0d CVE reserved for the four vulnerabilities : milestone, 2021-02-01, 0d Renewed attempt to contact Vembu : milestone, 2021-02-11, 0d Time to acknowledge (149 days) : 2020-11-02, 2021-03-31 Vembu acknowledges receipt of vulnerability report and indicates that the problems have been resolved in their “bi-weekly” builds. : milestone, 2021-03-22, 0d Vembu updates the images on Docker Hub to images that include the fix for these vulnerabilities : milestone, 2021-03-31, 0d Time to fix (151 days) : 2020-11-02, 2021-04-02 Vembu updates their download page with a non-vulnerable version : milestone, 2021-04-02, 0d ZMap scan of services listening on port 6060 of 0.0.0.0/0 : milestone, 2021-04-30, 0d First scan for vulnerable hosts using nse scripts : milestone, 2021-05-02, 0d Time to fix (190 days) : 2020-11-02, 2021-05-11 Public disclosure of these vulnerabilities : milestone, 2021-05-11, 0d Planned date for full disclosure : milestone, 2021-06-01, 0d

More information