Report DIVD-2020-00011 - Vembu BDR
Written on 01 Aug 2021 by Gerard Janssen
Case lead:
Wietse Boonstra
Researchers:
Wietse Boonstra
,
Frank Breedijk
,
Victor Gevers
,
Lennaert Oudshoorn
Case file: DIVD-2020-00011
DIVD researcher Wietse Boonstra found four zero-day vulnerabilities in Vembu BDR Suite, software that helps companies to make backups and ‘disaster recovery’. An attacker can take over a vulnerable Vembu BDR system and gain access to the stored data via one or more of these vulnerabilities. None of the vulnerabilities have been published yet.
During a pentest in October 2020, Boonstra found that via commands in the web browser it was possible to break into the Vembu system of one of Boonstra’s customers. A vulnerability in this type of software is serious. This kind of backup and recovery software by definition has a deep impact on the system. Vembu’s customers are both small companies and large organizations. According to its own Vembu site, NASA, Samsung, Fujitsu, and Epic Games are using the Vembu BDR Suite.
Boonstra found four vulnerabilities. Three of these (CVE-2021-26471,2,3) are remote code execution (RCE) vulnerabilities, which are often considered to be the most serious vulnerabilities. The fourth vulnerability is a Server-side request forgery (SSRF, CVE-2021-26474), which makes it possible to bypass access control to a system.
Boonstra reported the leaks at Vembu, but initially received no response. The DIVD did manage to get in touch with Vembu through other channels in mid-February. Vembu replied that the vulnerabilities were already known and fixed in the latest versions of the software. However, customers only got an update when they actively asked for it. After some urging from the DIVD, the patched version came online in April.
Further research has shown that these vulnerabilities are also present in other products created by Vembu. The Server Side Request Forgery is present in a lot of their products.
| Date | Event |
|---|---|
| Januari 2020 | Boonstra tries to contact Vembu, but is blocked. |
| October 26, 2020 | DIVD researcher Wietse Boonstra discovers four vulnerabilities in Vembu BDR software |
| November 2, 2020 | First attempt to contact Vembu BDR. |
| November 11, 2020 | Ticket is closed by Vembu. |
| February 1, 2021 | CVE indicators reserved. |
| February 11, 2021 | New attempt to contact Vembu. |
| March 22, 2021 | Vembu acknowledges receipt of our report and indicates that these issues have already been resolved in their bi-weekly builds. |
| March 31, 2021 | Vembu updates their images on Docker Hub to images with these vulnerabilities fixed. |
| April 2, 2021 | Vembu puts updated software on their download page |
| April 30, 2021 | ZMap scan for servers listening on port 6060 |
| May 2, 2021 | First scan for vulnerable systems |
| May 15, 2021 | Limited publication of these vulnerabilities. |
| June 1, 2021 | Planned date for full disclosure. |
| August 25, 2021 | Full disclosure of CVE-2021-26471, CVE-2021-26472 and CVE-2021-26473 |
- CVE-2021-26471 - unauthenticated RCE
- CVE-2021-26472 - unauthenticated RCE with SYSTEM privileges
- CVE-2021-26473 - unauthenticated arbitrary file upload and RCE