Commvault Backup and Whatnot

Hi guys

Users of Commvault’s Edge Server can view and access their backups from mobile devices, which means the web server that serves those backups is exposed to every such device.

Version 10 R2 of that server has a security hole: it “deserializes untrusted, user-provided cookie data, resulting in arbitrary OS command execution with the web server’s privileges.” That is not something that happens by accident.

This flaw has not been remediated, and the only recommendation provided is “only allow connections from trusted hosts and networks”. This is not practical, because one usage scenario for Edge Server is allowing users of mobile devices to access backups. When a device is stolen, it will still be treated as trusted until the theft is reported. Commvault’s site is currently silent on the matter.
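To make the two points above concrete, here is an added example (not Commvault’s code; the page does not say which serialization format or language Edge Server uses) of the defender-side pattern that removes this class of bug: the cookie carries plain JSON data protected by an HMAC, so the server never reconstructs objects from what the client sends, and anything that fails the tag check is discarded before it is parsed. A second helper shows the vendor’s interim workaround, a trusted-network allowlist, which is why it is only a stop-gap: it checks where a request comes from, not whether the device sending it is still in the right hands. The secret key, the session fields and the network ranges are constructed values for the example.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
from typing import Optional

# Constructed example key. A real deployment loads this from a key store;
# the point of the example is the cookie format, not key management.
SECRET_KEY = b"constructed-example-key-do-not-reuse"

# The vulnerable shape this replaces is, in Python terms,
#   pickle.loads(base64.b64decode(cookie))
# where object reconstruction runs before any check that the data is ours.
# Deliberately not called here.


def encode_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise session state as JSON (data only, no object graph) and append an HMAC tag."""
    payload = json.dumps(session, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def decode_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the session dict only if the tag verifies; None for anything tampered or malformed.

    The tag is checked *before* the body is parsed, so untrusted bytes never reach a parser,
    and the parser is json.loads, which yields only dicts/lists/strings/numbers/bools/None.
    """
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    return data if isinstance(data, dict) else None


# Constructed allowlist standing in for "trusted hosts and networks".
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def from_trusted_network(client_ip: str, networks=TRUSTED_NETWORKS) -> bool:
    """The interim workaround: accept a request only from an allowlisted source address.

    Note what this cannot do: a stolen device on a trusted network still passes.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


if __name__ == "__main__":
    cookie = encode_cookie({"user": "alice", "role": "viewer"})
    print("round trip:", decode_cookie(cookie))
    body, tag = cookie.rsplit(".", 1)
    print("tampered body rejected:", decode_cookie(body + "A." + tag) is None)
    print("10.1.2.3 trusted:", from_trusted_network("10.1.2.3"))
    print("8.8.8.8 trusted:", from_trusted_network("8.8.8.8"))
```

The design choice worth noting is the ordering: verify, then parse, and parse with something that cannot execute code. Rotating the key invalidates every outstanding cookie at once, which is the server-side answer to a lost device that the network allowlist cannot give.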

The CERT notice of the problem says “A remote, unauthenticated attacker can provide specially crafted cookie data” and so take control of the web server.

Check out the CERT vulnerability note on this issue:

Source: Akati
