-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matta Consulting - Matta Advisory https://www.trustmatta.com Restorepoint Remote root command execution vulnerability Advisory ID: MATTA-2011-003 CVE reference: CVE-2011-4201 - Code injection vulnerability CVE-2011-4202 - Privilege escalation through insecure file permissions Affected platforms: Tadasoft Restorepoint Version: 3.2-evaluation Date: 2011-October-20 Security risk: Critical Vulnerability: Remote root command execution Researcher: Tavaris Desamito Vendor Status: Notified, Patch available Vulnerability Disclosure Policy: https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt Permanent URL: https://www.trustmatta.com/advisories/MATTA-2011-003.txt ===================================================================== Introduction: Restorepoint is a network appliance backup and disaster recovery system from Tadasoft. More information can be found on the following page: http://www.restorepoint.com/restorepoint/ ===================================================================== Vulnerability: The 3.2 evaluation image of Restorepoint is vulnerable to a remote command execution vulnerability in the remote_support.cgi script prior to license activation. By supplying a semi colon followed by a unix shell command to the pid1 or pid2 parameters in conjunction with the stop_remote_support parameter, an unauthenticated remote attacker can execute commands on the Restorepoint appliance with the privileges of the www user. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-4201 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Given that the Restorepoint appliance uses a Linux kernel compiled in 2009, obtaining root access is trivial. Furthermore, Restorepoint uses sudo in order to run a number of scripts with root access. As a large number of these scripts can be modified by the www user, root access can be obtained directly through Restorepoint functionality, without relying on additional exploits. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-4202 to this issue. ===================================================================== Impact: Anyone who is able to connect to Restorepoint on port 443 between powering up the appliance and before the appliance is license activated is able to obtain root level shell access to the appliance. The Restorepoint appliance is used to back up the configurations of network devices and as such, the Restorepoint appliance holds credentials for all the devices it backs up; Which in most cases will be privileged accounts that will allow reconfiguration of the network devices. If someone was able to compromise the security of the Restorepoint appliance in the period between powering up the appliance and before the appliance is license activated, an attacker is then able to go on to compromise the security of all devices backed up by Restorepoint. Having achieved this, an attacker may reposition and begin to compromise the rest of the network by using the Restorepoint appliance to launch further attacks. ===================================================================== Versions affected: Version 3.2 - evaluation image The vendor reports that they maintain different trees for evaluation and licensed copies of their software. The version available to licensed customers is not vulnerable to this issue. Moreover, all appliances including evaluations use a built-in auto-update mechanism upon license activation that downloads additional software components and security updates which ensures their customers are using the latest version of the product. The vendor reports that the evaluation image would have been patched if the evaluation license had been applied. Matta have not confirmed this at this stage. ===================================================================== Threat mitigation: Anyone with evaluation versions of Restorepoint prior to 3.2 should activate the license, at which point the software is automatically updated. Matta suggests that affected parties running this version of the software restrict access to port 443 on their Restorepoint appliances to only allow trusted administrators to connect. The vendor reports that the latest version available evaluation image (3.3) is not vulnerable to this issue. Moreover, the vendor reports that the 3.2 evaluation image would have been patched if an evaluation license was applied. In this case, Matta recommends that users activate their appliance to be able to download the necessary software components and security updates. ===================================================================== Credits This vulnerability was discovered and researched by Tavaris Desamito from Matta Consulting. ===================================================================== History 20-10-11 initial discovery 24-10-11 initial attempt to contact the vendor 24-10-11 vendor response received and draft advisory supplied 25-10-11 vendor feedback received 14-11-11 advisory draft updated ... more interactions with the vendor 04-12-11 advisory draft updated 07-12-11 public disclosure ===================================================================== About Matta Matta is a privately held company with Headquarters in London, and a European office in Amsterdam. Established in 2001, Matta operates in Europe, Asia, the Middle East and North America using a respected team of senior consultants. Matta is an accredited provider of Tiger Scheme training, conducts regular research and is the developer behind the webcheck application scanner, and colossus network scanner. https://www.trustmatta.com https://www.trustmatta.com/webapp_va.html https://www.trustmatta.com/network_va.html https://www.trustmatta.com/training.html ===================================================================== Disclaimer and Copyright Copyright (c) 2011 Matta Consulting Limited. All rights reserved. This advisory may be distributed as long as its distribution is free-of-charge and proper credit is given. The information provided in this advisory is provided "as is" without warranty of any kind. Matta Consulting disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Matta Consulting or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Matta Consulting or its suppliers have been advised of the possibility of such damages. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBAgAGBQJO35HHAAoJEKXMIWKFD6qpSrUH/ApJ7WgGlWPEX6pCQTkG36m/ xTkIaLGCaUyA+mkQ4MmHtBjNvd+rgA8B4V/gXOl4n6Cq2OwpuPhIO4ZFZWlKORiU JMp93glgp96TeozqlR8P+J9zJ+6gJCOtQm74lQkXbd1P914/7PpedOp845/HgA7M RCsvDDJ4WL2BwOeQAnWWeSYnEOuKiJFZbeRPeIm3dLqsDCy9i9hRdBEdZN5433c5 jzBgF4zSuBn/8B5ebpfnQTqojxPeuasJ6Hfa9cCk71pE1hla2bfc5hcv8XjGavug IqxWhYyAiyejQfVESf+FVRdhBr8ypz8IzeBlzImyTWZuowMPtP9yZoEQBc7CHgo= =LnHW -----END PGP SIGNATURE-----