Cohesity TranZman Migration Appliance Privilege Escalation Vulnerability

Vulnerability

A local privilege escalation vulnerability has been identified in Cohesity TranZman Migration Appliance Release 4.0 Build 14614. The issue arises from incorrect access control in the TapeDumper component, located at /opt/SRLtzm/bin/TapeDumper. It allows an authenticated attacker to escalate privileges to root and read or write arbitrary files on the system. The root cause is an overly permissive sudo configuration that grants the admin user passwordless sudo access to the TapeDumper binary; because TapeDumper treats any file path it is given as a tape device, it can be used to perform unrestricted file reads and writes as root.
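The weak link described above is a sudoers rule that lets a non-root account run a file-manipulating binary as root without a password. The following Python audit helper is an added example, not code from the advisory or from Cohesity; it parses sudoers-style text (comments, backslash continuations, the tag syntax and per-command tag state) and reports every rule that grants passwordless root execution of a given binary or of ALL. The sudoers content it scans is constructed for the example; the appliance's real sudoers entry is not reproduced on this page, so the admin rule shown is hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample sudoers content (hypothetical; not the appliance's actual file).
SAMPLE_SUDOERS = """\
# constructed sample for the audit example
Defaults    env_reset
Defaults    secure_path="/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin"
Cmnd_Alias  BACKUP_CMDS = /usr/bin/rsync, /usr/bin/tar
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
admin   ALL=(root) NOPASSWD: /opt/SRLtzm/bin/TapeDumper
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
"""

# user  host = (runas) [tag:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW)\s*:\s*"
)


def _logical_lines(text: str) -> List[str]:
    """Drop blank lines and comments, and join backslash-continued lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one record per (user, host, runas, command) with its NOPASSWD state."""
    rules: List[Dict[str, object]] = []
    for line in _logical_lines(text):
        first = line.split()[0]
        if first == "Defaults" or first.endswith("_Alias"):
            continue  # option lines and alias definitions are not grants
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False  # tags persist across the comma-separated command list
        for seg in m.group("rest").split(","):
            seg = seg.strip()
            while True:
                tm = TAG_RE.match(seg)
                if not tm:
                    break
                if tm.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tm.group(1) == "PASSWD":
                    nopasswd = False
                seg = seg[tm.end():].lstrip()
            if seg:
                rules.append({
                    "user": m.group("user"),
                    "host": m.group("host"),
                    "runas": (m.group("runas") or "root").strip(),
                    "nopasswd": nopasswd,
                    "command": seg,
                })
    return rules


def find_passwordless_root_access(text: str, binary: str) -> List[Dict[str, object]]:
    """Rules letting a non-root user run `binary` (or ALL) as root with no password."""
    hits = []
    for r in parse_sudoers(text):
        cmd_path = str(r["command"]).split()[0]        # ignore argument restrictions
        runas_user = str(r["runas"]).split(":")[0].strip()  # "(user:group)" -> user
        if (r["nopasswd"] and r["user"] != "root"
                and runas_user in ("root", "ALL")
                and cmd_path in (binary, "ALL")):
            hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in find_passwordless_root_access(SAMPLE_SUDOERS, "/opt/SRLtzm/bin/TapeDumper"):
        print(f"passwordless root grant: {hit['user']} -> {hit['command']}")
```

On a real host the text would come from /etc/sudoers and each file under /etc/sudoers.d (readable only as root, e.g. via `visudo -c` output or a privileged config-management run); any hit for a binary that accepts arbitrary file paths is the condition this advisory describes and should be removed in favour of the vendor patch.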

Impact

Exploitation of this vulnerability leads to unauthorized root access, allowing attackers to read and write any file on the system, create backdoor accounts, and potentially compromise the entire TranZman appliance.

Reproduction

The vulnerability can be reproduced by first exploiting a command injection flaw in the CLISH shell to gain unauthorized shell access. Once in the shell, a writable staging file can be created. The TapeDumper tool can then be launched with sudo privileges, using the 'open' command to read sensitive files like '/etc/passwd' and the 'dump' command to write data to the staging file. After appending a passwordless root user entry to the staging file, TapeDumper can be used again to overwrite '/etc/passwd' with the staged file contents, effectively creating a new root user. Finally, the new user can be activated by switching users via the 'su' command.

Remediation

Cohesity has released patches for this vulnerability. Users should apply the patches in the following order: 'TZM_patch_1.patch' followed by 'TZM_1760106063_OCT2025R2_FULL.depot'. For the latest OVA version with integrated fixes, contact Cohesity support.

Added: Mar 3, 2026, 6:24 PM
Updated: Mar 3, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.