Comet Backup
cpe:2.3:a:cometd:cometd:*:*:*:*:*:*:*
- < 26.4.3
- < 26.5.0
A remote code execution vulnerability has been identified in Comet Backup server versions prior to 26.4.3 and 26.5.0. The vulnerability arises from inadequate character filtering in the backup agent signing module, allowing authenticated tenant administrators with branding permissions to execute arbitrary code on behalf of a privileged user. Exploitation involves uploading malicious .dll or .so files as code-signing executables within the branding configuration; these files are then executed when a backup-tool client is generated.
Exploitation of this vulnerability allows remote code execution on the Comet Backup server, running as the 'cometd' user, and extends to connected devices with the backup tool installed. This access bypasses tenancy boundaries, granting full access to the user's configuration files and to data backed up from remote devices. It also allows manipulation of the Comet Server installation itself, including stopping, replacing, or removing it.
Comet Backup has been upgraded on hosted servers, requiring no action from Comet Hosted administrators. For self-hosted instances, Comet Backup should be updated to version 26.4.3, 26.5.0 or higher.