what you don't know can hurt you

Vembu Backup / Disaster Recovery 6.1 Follow Up

Vembu Backup / Disaster Recovery 6.1 Follow Up
Posted Aug 6, 2014
Authored by Len Srinivasan

Vembu has responded to multiple vulnerabilities pointed out in their Vembu Backup and Disaster Recovery product.

tags | advisory, vulnerability
MD5 | 0da939216941a6391935e4062d6d8557

Vembu Backup / Disaster Recovery 6.1 Follow Up

Change Mirror Download
The company logically secure has mentioned about multiple vulnerabilities
in Vembu Backup and Disaster Recovery product and we would like to address
those concerns in detail.

We certainly welcome security related feedback on the product as we are
constantly addressing those on a regular basis as we receive feedback from
partners. But the researchers analyzing the product should possess "basic
domain knowledge" on the products that are being reviewed. Based on the
analysis done by Logically Secure team, it seems they lack knowledge on how
the product is actually used in our customer's environment and don't have a
clue about how Backup and Disaster Recovery is actually deployed.

Company Name : Vembu Technologies Inc
Product Name : Vembu Backup and Disaster Recovery
Release Version : 6.1
Website : www.vembu.com

Subject : Addressing Concerns from Logically Secure team

*Concern 1:* The main vulnerability takes advantage of the client enrolment
procedure. In it’s default state it is possible for an unauthenticated
attacker to register a client to a rogue backup server. During this
enrolment phase a new admin user is automatically created on the client
using the attacker specified credentials, the attacker can then bounce
through their rogue server using the cln=<ip/hostname> get parameter which
invokes request forwarding functionality allowing access the remote client
interface.

*Answer: * This whole exploit is possible only when the remote user knows
the username and password for the client web console. While reviewing this
vulnerability, the user used a trial version of our product where we have
the default username / password as admin and admin​, which the users can
of course change while installation. In production version, we encourage
our partners to specify a strong username and password and with that
specified the whole vulnerability mentioned above is not possible.

*​Concern2* : ​
In addition to the above mentioned issue we discovered reflected XSS
vulnerabilities, Source code disclosure via incorrect processing of
trailing slash (eghttp://clientip/index.php/), Denial of Service via
unhandled exceptions in the client, Local privilege escalation, insecure
storage of credentials (MD5), poor mysql implementation (default root user
configured with a simple password), and several others.

*Answer : *Again another concern without understanding the nature of
vulnerability. The source code that is revealed on the client side via
incorrect processing of trailing is the PHP source code which basically
handles the UI of our product. It doesn't even bother the application. In
fact PHP codes gets bundled with the product already and one can open those
codes easily from accessing our PHP folder. The answer is, you cannot do
anything with those codes. You can even view these codes by simply right
clicking and click 'View Source Code'. This is just UI and not the
application. Again the password for MySQL, Storage Credentials (MD5) is all
configurable by the end user when using the product. In order to facilitate
easy evaluation of the software we can used some default values in the
product which can be changed if the user wants.

Our product is flexible and allows users to configure security parameters
before beginning to use the product in production version. If the reviewer
used a trial version of our product with default values and says that the
product is not secure only shows the ignorance of the reviewer.

Our product uses AES - 256 encryption algorithm for encrypting all data on
the client side and it is encryption at transit and at rest. If the
reviewer can break AES - 256 and tell us that this algorithm is vulnerable,
we would be concerned. Otherwise there is not point in being concerned
about our product is being flexible.

Please feel free to contact Vembu for more questions regarding this.

Regards,
Len


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close