Skip to main content
All CollectionsKnowledge BaseSecurity Update
Security Advisory for inSync Client 7.0.1 and before
Security Advisory for inSync Client 7.0.1 and before
Updated over 8 months ago

Advisory ID:Druva/DVSA-2022-001

Issue Date:07-07-2022

Last Updated:08-06-2021 (Initial Advisory)

Advisory Status: Final

Version:1.0

Overall Severity Classification:High

Summary

The inSync Client versions were susceptible to vulnerabilities that could allow malicious users with user-level privileges to inject code and escalate privileges to root by chaining these flaws. These vulnerabilities cannot be exploited remotely and are exploitable only if the malicious user has user-level access to the device. Druva has released an inSync Client update that overcomes these vulnerabilities. Customers are strongly advised to upgrade to the latest version to remediate these vulnerabilities. See the customer action required section for more details.


📝 Note
These vulnerabilities were identified, fixed, and communicated to customers (via email) in Aug 2021. The CVE IDs have been assigned on 16 May 2022.


Impact

Successful exploitation of these vulnerabilities could lead to Privilege escalation, command injection, arbitrary NodeJS code injection and unauthorized modification of data.

Affected products(s), version(s) and resolution

Product

CVE ID

Platform

Affected Versions

Fixed/updated version

inSync Client

CVE-2021-36665

Windows

All versions before v7.0.0

v7.0.0 and above

macOS

All versions before v7.0.0

v7.0.0 and above

CVE-2021-36666

CVE-2021-36667

macOS

All versions before v7.0.0

v7.0.0 and above

CVE-2021-36668

Windows

v7.0.0 and earlier versions

v7.0.1-r110201 and above

macOS

v7.0.0 and earlier versions

v7.0.1-r110206 and above

Linux
(Ubuntu only)

Linux: v5.9.2

v5.9.3 and above.

Customer action required

Upgrade the inSync Client to the latest installation version, which addresses all the CVE’s mentioned above:

Windows: v7.0.1-r110201 and above

Mac:v7.0.1-r110206 and above

Linux (Ubuntu):v5.9.3 and above.

Download the latest inSync Client here.
For upgrade instructions, see Upgrade the inSync Client.
Customers are advised to contact Support for technical assistance.

Vulnerabilities

CVE-2021-36665 - Insecure deserialization leading to arbitrary code execution

Insecure deserialization vulnerability in the inSyncUpgrade could allow an attacker with user-level privileges to execute arbitrary code and escalate privileges to root by supplying an upgrade package with a malicious signature.

CVE-2021-36666 - Code Injection via arbitrary dynamic library loading

Code injection vulnerability in Mac Client could allow an attacker with user-level privileges on the system to load random libraries and escalate privileges to root via DYLD_INSERT_LIBRARIES environment variable.

CVE-2021-36667 - OS Command Injection Vulnerability in local HTTP server

OS command injection vulnerability in Mac Client's local HTTP server could allow an attacker with user-level privileges on the device to execute arbitrary OS commands as a non-root user.

CVE-2021-36668 - URL Injection in inSync Client

URL Injection vulnerability in inSync Electron UI could allow a local, authenticated attacker to execute arbitrary NodeJS code by manipulating a port number parameter.

Vulnerability details, CVSS Scoring and Metrics:

Vulnerability

CVE ID

CVSSv3
Base Score

CVSSv3.1 Vector

Severity

Platform

Insecure deserialization leading to arbitrary code execution

CVE-2021-36665

7.5

High

Windows, macOS

Code Injection via arbitrary dynamic library loading

CVE-2021-36666

7.5

High

macOS

OS Command Injection Vulnerability in local HTTP server

CVE-2021-36667

4.4

Medium

macOS

URL Injection vulnerability in inSync App

CVE-2021-36668

5.3

Medium

Windows, macOS, Linux (Ubuntu)

Acknowledgments

Druva would like to thank Mr. Oliver Grubin ( info@olvrgrbn.com ) for taking the effort to report these vulnerabilities by participating in coordinated and responsible disclosure.

References

Did this answer your question?