A vulnerability has been identified in Server Backup Manager that can allow arbitrary files to be overwritten during a file restore. Idera thanks www.rack911.com for bringing this issue to our attention and working closely with us on resolution.
Idera rates this vulnerability as Medium.
A link following weakness was discovered in the Server Backup Manager file restore. If an SBM administrator restores files to a path that is writeable by a non-privileged user, that user can replace a file in the restore path with a symbolic link, causing the restore to overwrite arbitrary files.
A UNIX symbolic link following weakness was discovered in the Server Backup Agent. A user on the server can exploit this weakness when an SBM administrator restores files to a path writeable by the user.
This issue does not affect hosting control panel self-service file restores.
Users must use one of the following options:
- Immediately upgrade to Server Backup Manager SE 5.6 and Server Backup Agent 5.6 or later.
- SBM backup administrators should not restore files directly to unsecured paths. Instead, restore non-system files to an alternate and secure path, such as one owned by root with restricted permissions, and then make the files available to users after the restore is complete.
- Download the user files as a zip/tar archive and provide that archive to the user to unpack, or unpack the files as the target user account via su or sudo -u.
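As an added illustration of the second mitigation (restoring into a root-owned path without trusting anything already under it), here is a guarded restore routine that refuses to follow a symbolic link at any path component; it is example code written for this page, not code from Server Backup Manager or the Backup Agent. It assumes a POSIX system where os.open supports dir_fd and O_NOFOLLOW; the function names, the 0o700 directory mode and the constructed scenario in demo() are illustrative.

```python
import errno
import os
import tempfile
from pathlib import Path

class UnsafeRestorePath(Exception):
    """Raised when a restore target would be reached through a symbolic link."""

def safe_restore_file(restore_root, relpath, data):
    """Write data to restore_root/relpath. Each component is opened relative to its
    parent's descriptor with O_NOFOLLOW, so a planted link cannot redirect the write."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeRestorePath(f"invalid restore path {relpath!r}")
    dir_fd = os.open(restore_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in parts[:-1]:
            try:
                os.mkdir(part, 0o700, dir_fd=dir_fd)  # restricted perms, as advised
            except FileExistsError:
                pass  # may be a planted symlink; the O_NOFOLLOW open below rejects it
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nfd
        fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
                     0o600, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    except OSError as exc:
        if exc.errno != errno.ELOOP:  # ELOOP: the kernel refused to follow a symlink
            raise
        raise UnsafeRestorePath(f"symlink in restore path {relpath!r}") from exc
    finally:
        os.close(dir_fd)
    return os.path.join(restore_root, *parts)

def demo():
    """Constructed scenario: a user-writable home dir holds a symlink to an outside file."""
    root, victim = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp()) / "victim"
    victim.write_bytes(b"original")
    (root / "home" / "alice").mkdir(parents=True)
    (root / "home" / "alice" / ".profile").symlink_to(victim)
    try:
        safe_restore_file(str(root), "home/alice/.profile", b"restored")
        blocked = False
    except UnsafeRestorePath:
        blocked = True
    written = safe_restore_file(str(root), "home/bob/notes.txt", b"hello")
    return {"symlink_blocked": blocked, "victim_intact": victim.read_bytes() == b"original",
            "restored": Path(written).read_bytes() == b"hello"}
```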
Affected versions include:
- Server Backup Manager SE 5.4.3 and earlier
- Server Backup Advanced Edition 5.2.2 and earlier
Upgrade Note: Server Backup Advanced users
A fix is not yet available for Server Backup Advanced Edition users. These users should restore to an alternate path or download to a zip/tar archive when restoring end-user files.
These issues are fixed in Server Backup 5.6, which you can download from the customer download portal at http://repo.r1soft.com. You must upgrade both the Server Backup Manager and the Backup Agent.