A vulnerability is identified in Server Backup Manager which can allow an overwrite of arbitrary files during file restore. Idera thanks [www.rack911.com|http://www.rack911.com/] for bringing this issue to our attention and working closely with us on resolution.
h2. Severity
Idera rates this vulnerability as Medium.
h2. Risk Assessment
A link following weakness was discovered in the Server Backup Manager file restore. If an SBM administrator restores files to a path that is writeable by a non-privileged user, that user can replace a file in the restore path with a symbolic link so that the restore overwrites arbitrary files.
A UNIX symbolic link following weakness was discovered in the Server Backup Agent. A user on the server can exploit this weakness when an SBM administrator restores files to a path writeable by the user.
This issue does not affect hosting control panel self-service file restores.
h2. Risk Mitigation
Users must use one of the following options:
* Immediately upgrade to Server Backup Manager SE 5.6 and Server Backup Agent 5.6 or later.
OR
* SBM backup administrators should not restore files directly to unsecured paths. Instead, restore non-system files to an alternate and secure path, such as owned by root with restricted permissions, and then make the files available to users after the restore is complete.
OR
* Download the user files to a zip/tar and provide that package to the user to unpack, or unpack the files as the target user account via su or sudo \-u.
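The following shell helpers are an added example of the second and third mitigation options above; they are not Idera/R1Soft code, and the function names, the staging directory layout and the use of sudo \-u for the final unpack are assumptions. Files are first restored into a freshly created, mode 0700 staging directory (so no unprivileged user can plant a symlink in it), packaged into a tar archive, and only then unpacked into the user's directory while running as that user, after a pre-flight check that the destination contains no symbolic links.

```shell
#!/bin/sh
# Added example (not part of the Idera advisory): restore into a secure
# staging path, then hand the files to the end user as that user.
set -e

# Create a private staging directory under BASE (e.g. /root/restores).
# mktemp -d creates it with mode 0700; chmod makes that explicit.
make_staging_dir() {
    base="$1"
    dir=$(mktemp -d "$base/restore-stage.XXXXXX")
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Return 0 if DIR contains no symbolic links anywhere beneath it,
# 1 otherwise (each offending link is printed to stderr). A restore
# that writes through a planted link is the weakness described above.
find_symlinks_under() {
    dir="$1"
    found=$(find "$dir" -type l 2>/dev/null)
    if [ -n "$found" ]; then
        printf 'symlink found in restore destination: %s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Package the staged files into an archive that can be given to the user.
package_staged() {
    stage="$1"
    out="$2"
    tar -C "$stage" -cf "$out" .
}

# Unpack ARCHIVE into DEST as USER (needs root; assumes sudo is available).
# Running tar as the target user means a followed link can only reach
# files that user could already write. The symlink check is defence in
# depth only; the unprivileged unpack is the actual mitigation.
unpack_as_user() {
    user="$1"
    archive="$2"
    dest="$3"
    find_symlinks_under "$dest" || return 1
    sudo -u "$user" tar -C "$dest" -xf "$archive"
}

# Typical use (run as root after restoring into the staging directory):
#   stage=$(make_staging_dir /root/restores)
#   ... restore the user's files from SBM into "$stage" ...
#   package_staged "$stage" /root/restores/alice.tar
#   unpack_as_user alice /root/restores/alice.tar /home/alice
```

The check in find_symlinks_under is subject to a race (the user can plant a link after the check), which is why the archive is extracted as the target user rather than as root; the check merely gives the administrator an early warning that something was planted.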
h2. Vulnerability
Affected versions include:
- Server Backup Manager SE 5.4.3 and earlier
- Server Backup Advanced Edition 5.2.2 and earlier
h2. Fix
{note:title=Upgrade Note: Server Backup Advanced users}
A fix is not yet available for Server Backup Advanced Edition users. These users should use the restore-to-alternate-path or download-to-zip/tar options described under Risk Mitigation to restore end-user files.
{note}
These issues are fixed in [Server Backup 5.6|ServerBackup:Server Backup 5.6.0 Release Notes], which you can download from the customer download portal at [http://repo.r1soft.com]. You must upgrade both the Server Backup Manager and Backup Agent.