The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a serious vulnerability in the NAKIVO Backup and Replication software, known as CVE-2024-48248.
This vulnerability allows attackers to exploit an absolute path traversal flaw, enabling them to read arbitrary files without authentication.
The vulnerability resides in the Director Web Interface of the NAKIVO Backup and Replication solution, specifically in the STPreLoadManagement action through the /c/router endpoint.
By manipulating the file path parameter, attackers can access any file on the system the software is running on. This includes critical system files and backup data, which could lead to unauthorized data exfiltration or other malicious activities.
Given the nature of the vulnerability, attackers can exploit it to read sensitive information such as system files, database credentials, and backup data.
The NAKIVO software often integrates with cloud environments, virtual infrastructure, and network devices, making the potential impact extensive.
The attackers could use this vulnerability to access AWS keys, SSH credentials, or other privileged information stored by NAKIVO for backup operations.
A proof-of-concept (PoC) for this vulnerability has been demonstrated. It involves sending a crafted request to the /c/router endpoint with the following payload:

    POST /c/router HTTP/1.1
    Host: {{Hostname}}
    Content-Type: application/json
    Connection: keep-alive
    Content-Length: 121

    {
      "action": "STPreLoadManagement",
      "method": "getImageByPath",
      "data": ["C:/windows/win.ini"],
      "type": "rpc",
      "tid": 3980,
      "sid": ""
    }
This request uses the getImageByPath method of the STPreLoadManagement action to read the C:/windows/win.ini file on a Windows system.
Similarly, attackers could use this method to read sensitive files like /etc/shadow on Linux systems.
NAKIVO has quietly patched the vulnerability in version 11.0.0.88174 and later releases.
The fix prevents path traversal by reducing the supplied path to its base name with the Apache Commons IO FilenameUtils.getName helper (which discards drive letters, directory components and any ".." segments) and then resolving that name only inside the userdata/branding directory via FileUtils.getFile; a result that does not exist, is not readable, or is a directory is rejected.
In the patched version:

    public byte[] getImageByPath(String path) throws IOException {
        // Keep only the file name: "C:/windows/win.ini" -> "win.ini", "../../etc/shadow" -> "shadow"
        String fileName = FilenameUtils.getName(path);
        // Resolve the bare name under the branding directory, so it cannot escape it
        File targetFile = FileUtils.getFile(new String[] { "userdata", "branding", fileName });
        if (!targetFile.exists() || !targetFile.canRead() || targetFile.isDirectory()) {
            throw new IOException(Lang.get("services.branding.no.file", new Object[0]));
        }
        return FileUtils.readFileToByteArray(targetFile);
    }
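The following Python script is an added example, not NAKIVO's code or the original article's. It triages captured /c/router request bodies of the shape shown in the PoC, flagging getImageByPath calls whose argument is anything other than a bare file name, and it mirrors the confinement logic of the patch (base name only, resolved under userdata/branding) so a defender can see why the fix closes both the absolute-path and "../" cases. The sample bodies, the BRANDING_DIR value and the function names are constructed for this example.

```python
"""Triage and hardening check for CVE-2024-48248-style requests (added example)."""
import json
import ntpath
from pathlib import PurePosixPath

# Relative base directory used by the patched getImageByPath (assumed layout).
BRANDING_DIR = PurePosixPath("userdata/branding")


def basename_any_os(path: str) -> str:
    """Equivalent of FilenameUtils.getName: drop the drive letter and every
    directory component, treating both '/' and '\\' as separators."""
    return ntpath.basename(path)


def safe_branding_path(requested: str) -> PurePosixPath:
    """Mirror of the patched lookup: only the base name is used and it is
    joined under BRANDING_DIR, so absolute paths and '..' cannot escape."""
    name = basename_any_os(requested)
    if not name or name in (".", ".."):
        raise ValueError("request carries no usable file name")
    return BRANDING_DIR / name


def classify_request(body: str) -> str:
    """Return 'suspicious', 'benign' or 'ignore' for one JSON-RPC body."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return "ignore"
    if req.get("action") != "STPreLoadManagement" or req.get("method") != "getImageByPath":
        return "ignore"
    data = req.get("data")
    requested = str(data[0]) if isinstance(data, list) and data else ""
    # A legitimate branding lookup is a bare file name; any drive letter,
    # separator or '..' means the caller is trying to reach outside the directory.
    if requested in ("", ".", "..") or requested != basename_any_os(requested):
        return "suspicious"
    return "benign"


# Constructed sample bodies modelled on the PoC request (not captured traffic).
SAMPLE_BODIES = [
    '{"action":"STPreLoadManagement","method":"getImageByPath","data":["C:/windows/win.ini"],"type":"rpc","tid":1,"sid":""}',
    '{"action":"STPreLoadManagement","method":"getImageByPath","data":["../../../etc/shadow"],"type":"rpc","tid":2,"sid":""}',
    '{"action":"STPreLoadManagement","method":"getImageByPath","data":["logo.png"],"type":"rpc","tid":3,"sid":""}',
    '{"action":"Other","method":"ping","data":[],"type":"rpc","tid":4,"sid":""}',
]


def scan(bodies=SAMPLE_BODIES):
    """Classify each body; feed it request bodies extracted from a proxy or WAF log."""
    return [classify_request(b) for b in bodies]
```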
CISA recommends that users apply vendor-provided patches immediately. If patches are not available, users should consider discontinuing use of the product until a fix is provided.
Additionally, following best practices for securing cloud services, as outlined in Binding Operational Directive (BOD) 22-01, can help mitigate potential risks associated with vulnerabilities like CVE-2024-48248.
The NAKIVO vulnerability highlights the increasing importance of securing backup solutions, particularly in environments where these systems often hold critical data.
As ransomware attacks continue to evolve, ensuring that backup mechanisms are robust and secure is crucial.
Users and organizations must remain vigilant and proactive in addressing vulnerabilities such as CVE-2024-48248 to protect against emerging threats.