Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

NAKIVO Backup & Replication Absolute Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

An absolute path traversal vulnerability has been identified in NAKIVO Backup & Replication versions prior to 11.0.0.88174. The issue allows unauthenticated users to read arbitrary files by exploiting the 'getImageByPath' method in the 'STPreLoadManagement' action, accessed through the '/c/router' endpoint. This vulnerability could lead to remote code execution across the enterprise, as the 'PhysicalDiscovery' action contains cleartext credentials.

Impact

Exploitation of this vulnerability allows for arbitrary file read, with potential access to sensitive information such as application logs and backup files. According to the watchTowr Labs blog, this vulnerability could be leveraged to access cleartext credentials stored by the NAKIVO application, which could then be used to authenticate as a legitimate user and access integrated environments.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/c/router' endpoint with the 'STPreLoadManagement' action and the 'getImageByPath' method. The 'data' parameter must include the absolute path of the file to be read, such as 'C:/windows/win.ini'. The request can be made using a tool like Python's 'requests' library or through a command-line utility that supports HTTP POST requests.

Remediation

Users are advised to update to NAKIVO Backup & Replication version 11.0.0.88174 or later, where this vulnerability has been fixed.
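As an added defender-side example (not code from this advisory or from NAKIVO), the Python below scans a constructed request log for the request shape described under Reproduction (a POST to '/c/router' naming 'STPreLoadManagement' and 'getImageByPath' with an absolute path in its arguments) and checks an installed build number against the fixed version given under Remediation. The log-line layout, the JSON body shape and the client addresses are assumptions made for the sample, not NAKIVO's own formats.

```python
import re

# Indicators quoted from the advisory: the endpoint, action and method named in
# the unauthenticated file-read request, and the first fixed build.
ENDPOINT = "/c/router"
ACTION = "STPreLoadManagement"
METHOD = "getImageByPath"
FIXED_VERSION = (11, 0, 0, 88174)

# An absolute-path argument: a Windows drive letter (C:/ or C:\) or a Unix
# path rooted at a well-known top-level directory.
ABS_PATH = re.compile(r'[A-Za-z]:[\\/][^\s"\',}\]]*|/(?:etc|var|opt|root|home|proc)/[^\s"\',}\]]*')

# Constructed log format (an assumption, not NAKIVO's own log layout):
#   <client> <http-method> <uri> <status> body=<raw request body>
LOG_LINE = re.compile(r'(\S+) (\S+) (\S+) (\d{3}) body=(.*)$')

def is_vulnerable_version(version: str) -> bool:
    """True when a dotted build string is older than 11.0.0.88174."""
    parts = tuple(int(p) for p in version.split("."))
    return (parts + (0, 0, 0, 0))[:4] < FIXED_VERSION

def is_traversal_request(http_method: str, uri: str, body: str) -> bool:
    """A POST to /c/router naming the vulnerable action and method whose
    arguments carry an absolute path instead of a relative image name."""
    if http_method.upper() != "POST" or uri.split("?")[0] != ENDPOINT:
        return False
    return ACTION in body and METHOD in body and ABS_PATH.search(body) is not None

def scan_log(lines):
    """Return (line number, client, requested path) for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, http_method, uri, _status, body = m.groups()
        if is_traversal_request(http_method, uri, body):
            hits.append((n, client, ABS_PATH.search(body).group(0)))
    return hits

# Constructed sample traffic: two exploit-shaped requests among benign lines.
SAMPLE_LOG = [
    '10.0.0.5 GET /c/login 200 body=',
    '10.0.0.9 POST /c/router 200 body={"action":"STPreLoadManagement","method":"getImageByPath","data":["C:/windows/win.ini"]}',
    '10.0.0.9 POST /c/router 200 body={"action":"STPreLoadManagement","method":"getImageByPath","data":["/var/log/messages"]}',
    '10.0.0.7 POST /c/router 200 body={"action":"STPreLoadManagement","method":"getImageByPath","data":["logo.png"]}',
]
print(scan_log(SAMPLE_LOG))  # flags sample lines 2 and 3 only
```

The relative-name request on the last sample line is not flagged, so an alert from this check means an absolute path reached the image-loading method, which is the condition the fix in 11.0.0.88174 removes.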

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          3.3
exploitability  9.4
remediation     7.7
relevance       0.0
threat          9.9
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.