exploit the possibilities

Vembu Backup / Disaster Recovery 6.1 Follow Up

Vembu Backup / Disaster Recovery 6.1 Follow Up
Posted Aug 6, 2014
Authored by Len Srinivasan

Vembu has responded to multiple vulnerabilities pointed out in their Vembu Backup and Disaster Recovery product.

tags | advisory, vulnerability
MD5 | 0da939216941a6391935e4062d6d8557

Vembu Backup / Disaster Recovery 6.1 Follow Up

Change Mirror Download
The company logically secure has mentioned about multiple vulnerabilities
in Vembu Backup and Disaster Recovery product and we would like to address
those concerns in detail.

We certainly welcome security related feedback on the product as we are
constantly addressing those on a regular basis as we receive feedback from
partners. But the researchers analyzing the product should possess "basic
domain knowledge" on the products that are being reviewed. Based on the
analysis done by Logically Secure team, it seems they lack knowledge on how
the product is actually used in our customer's environment and don't have a
clue about how Backup and Disaster Recovery is actually deployed.

Company Name : Vembu Technologies Inc
Product Name : Vembu Backup and Disaster Recovery
Release Version : 6.1
Website : www.vembu.com

Subject : Addressing Concerns from Logically Secure team

*Concern 1:* The main vulnerability takes advantage of the client enrolment
procedure. In it’s default state it is possible for an unauthenticated
attacker to register a client to a rogue backup server. During this
enrolment phase a new admin user is automatically created on the client
using the attacker specified credentials, the attacker can then bounce
through their rogue server using the cln=<ip/hostname> get parameter which
invokes request forwarding functionality allowing access the remote client
interface.

*Answer: * This whole exploit is possible only when the remote user knows
the username and password for the client web console. While reviewing this
vulnerability, the user used a trial version of our product where we have
the default username / password as admin and admin​, which the users can
of course change while installation. In production version, we encourage
our partners to specify a strong username and password and with that
specified the whole vulnerability mentioned above is not possible.

*​Concern2* : ​
In addition to the above mentioned issue we discovered reflected XSS
vulnerabilities, Source code disclosure via incorrect processing of
trailing slash (eghttp://clientip/index.php/), Denial of Service via
unhandled exceptions in the client, Local privilege escalation, insecure
storage of credentials (MD5), poor mysql implementation (default root user
configured with a simple password), and several others.

*Answer : *Again another concern without understanding the nature of
vulnerability. The source code that is revealed on the client side via
incorrect processing of trailing is the PHP source code which basically
handles the UI of our product. It doesn't even bother the application. In
fact PHP codes gets bundled with the product already and one can open those
codes easily from accessing our PHP folder. The answer is, you cannot do
anything with those codes. You can even view these codes by simply right
clicking and click 'View Source Code'. This is just UI and not the
application. Again the password for MySQL, Storage Credentials (MD5) is all
configurable by the end user when using the product. In order to facilitate
easy evaluation of the software we can used some default values in the
product which can be changed if the user wants.

Our product is flexible and allows users to configure security parameters
before beginning to use the product in production version. If the reviewer
used a trial version of our product with default values and says that the
product is not secure only shows the ignorance of the reviewer.

Our product uses AES - 256 encryption algorithm for encrypting all data on
the client side and it is encryption at transit and at rest. If the
reviewer can break AES - 256 and tell us that this algorithm is vulnerable,
we would be concerned. Otherwise there is not point in being concerned
about our product is being flexible.

Please feel free to contact Vembu for more questions regarding this.

Regards,
Len


Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close