Enter Software Iperius Backup NTLMv2 Credential Exposure Vulnerability
Vulnerability
A vulnerability allowing NTLMv2 credential exposure has been identified in Enter Software Iperius Backup versions prior to 8.7.3. The issue lies in the NTLM2 Handler component: a manipulated backup job configuration can cause unauthorized information disclosure. It is exploitable through a local NTLM relay attack, because when a backup job accesses a network resource over SMB the application automatically authenticates with the job's stored credentials, and those authentication requests can be intercepted.
Impact
Exploitation of this vulnerability allows for interception and relay of NTLMv2 authentication requests, potentially leading to unauthorized access as the victim user. In environments with Active Directory, this could involve relaying credentials to a domain controller, bypassing authentication controls and allowing for privileged access.
Reproduction
To reproduce this vulnerability, modify the 'Source Folder' or 'Destination Folder' settings of an Iperius Backup job to a network path that points to a resource controlled by the attacker, such as one hosting the Responder tool. Once the job is executed under the 'Run as Service (LocalSystem / admin)' option, the application will authenticate to the specified UNC path using the stored credentials. This NTLM authentication can be intercepted by Responder, capturing the NetNTLMv2 hashes. These hashes can then be relayed to another service, such as a domain controller, using tools like 'impacket-ntlmrelayx', potentially leading to unauthorized access.
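As an added defender-side check (not part of this advisory, and not Iperius Backup's own code or job-file format), the script below audits the 'Source Folder' and 'Destination Folder' values of backup jobs and flags any UNC path whose host is not on an allow-list. A job that has been altered in the way described above shows up as a network path to an unexpected host, an IP literal outside the corporate ranges, or an unqualified NetBIOS name that cannot be tied to a known server. It assumes the job definitions have already been exported into a list of dictionaries; the job names, paths, allowed suffix and allowed networks are constructed sample values.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed policy values (assumption): where a backup job may legitimately write or read.
ALLOWED_SUFFIXES = (".corp.example",)
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# \\host\share[\rest]  -- capture host and share, tolerate a trailing path
UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)(?:\\.*)?$")


@dataclass
class Finding:
    job: str
    setting: str
    path: str
    reason: str


def unc_host(path: str):
    """Return the host part of a UNC path, or None if the path is not UNC."""
    m = UNC_RE.match(path)
    return m.group(1) if m else None


def host_allowed(host: str):
    """Decide whether a job may authenticate to this host; returns (ok, reason)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in ALLOWED_NETWORKS):
            return True, "ip in allowed network"
        return False, f"ip {ip} outside allowed networks"
    if "." not in host:
        # A flat NetBIOS name can resolve to anything (LLMNR/NBT-NS spoofing), so treat it as unverified.
        return False, "unqualified hostname (NetBIOS)"
    if host.lower().endswith(ALLOWED_SUFFIXES):
        return True, "fqdn under allowed suffix"
    return False, f"host {host} not under allowed suffix"


def audit_jobs(jobs):
    """Flag every source/destination that would make the job authenticate to an unexpected host."""
    findings = []
    for job in jobs:
        for setting in ("source", "destination"):
            path = job.get(setting, "")
            if not path.startswith("\\\\"):
                continue  # local drive path: no network authentication involved
            host = unc_host(path)
            if host is None:
                findings.append(Finding(job["name"], setting, path, "malformed UNC path"))
                continue
            ok, why = host_allowed(host)
            if not ok:
                findings.append(Finding(job["name"], setting, path, why))
    return findings


# Constructed sample export of job definitions (assumption: exported from the product into this shape).
SAMPLE_JOBS = [
    {"name": "daily-files", "source": "C:\\Data", "destination": "\\\\fs01.corp.example\\backups\\daily"},
    {"name": "tampered-job", "source": "\\\\203.0.113.7\\share", "destination": "D:\\backup"},
    {"name": "legacy-job", "source": "\\\\FS01\\data", "destination": "\\\\10.20.30.40\\archive"},
]

if __name__ == "__main__":
    for f in audit_jobs(SAMPLE_JOBS):
        print(f"{f.job}: {f.setting} -> {f.path} ({f.reason})")
```

Run it against a full export of job definitions from each backup server; the flat-name rule is deliberately strict, so whitelist known NetBIOS names explicitly rather than weakening the check.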
Remediation
Users are advised to upgrade to Iperius Backup version 8.7.4, which addresses this vulnerability. The update is available on the Iperius Backup website.
