Advisory ID: Druva/DVSA-2022-001
Issue Date: 07-07-2022
Last Updated: 08-06-2021 (Initial Advisory)
Advisory Status: Final
Version: 1.0
Overall Severity Classification: High
Summary
Affected inSync Client versions were susceptible to vulnerabilities that could allow a malicious user with user-level privileges to inject code and, by chaining these flaws, escalate privileges to root. These vulnerabilities cannot be exploited remotely; they are exploitable only by a user who already has user-level access to the device. Druva has released an inSync Client update that addresses these vulnerabilities. Customers are strongly advised to upgrade to the latest version to remediate them. See the Customer action required section for details.
📝 Note
These vulnerabilities were identified, fixed, and communicated to customers (via email) in August 2021. The CVE IDs were assigned on 16 May 2022.
Impact
Successful exploitation of these vulnerabilities could lead to privilege escalation, OS command injection, arbitrary NodeJS code injection, and unauthorized modification of data.
Affected product(s), version(s) and resolution
| Product | CVE ID | Platform | Affected versions | Fixed/updated version |
|---|---|---|---|---|
| inSync Client | CVE-2021-36665 | Windows | All versions before v7.0.0 | v7.0.0 and above |
| inSync Client | CVE-2021-36665 | macOS | All versions before v7.0.0 | v7.0.0 and above |
| inSync Client | CVE-2021-36666 | macOS | All versions before v7.0.0 | v7.0.0 and above |
| inSync Client | CVE-2021-36667 | macOS | All versions before v7.0.0 | v7.0.0 and above |
| inSync Client | CVE-2021-36668 | Windows | v7.0.0 and earlier versions | v7.0.1-r110201 and above |
| inSync Client | CVE-2021-36668 | macOS | v7.0.0 and earlier versions | v7.0.1-r110206 and above |
| inSync Client | CVE-2021-36668 | Linux (Ubuntu) | v5.9.2 | v5.9.3 and above |
Customer action required
Upgrade the inSync Client to the latest installation version, which addresses all the CVEs listed above:
Windows: v7.0.1-r110201 and above
Mac: v7.0.1-r110206 and above
Linux (Ubuntu): v5.9.3 and above
Download the latest inSync Client here.
For upgrade instructions, see Upgrade the inSync Client.
Customers are advised to contact Support for technical assistance.
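The following is an added example, not Druva's code or tooling: a small Node.js checker that takes a platform name and an installed inSync Client version string and reports which of the four CVEs in this advisory are still open, using the fixed versions from the table above. It assumes version strings look like those in the advisory ("v7.0.1-r110206": a dotted release with an optional "-r<build>" suffix); how the installed version is obtained from the endpoint is outside the scope of the example.

```javascript
// Added example (not Druva's code): which CVEs from DVSA-2022-001 remain open
// on a given inSync Client install, judged against the advisory's fixed versions.
// Assumption: version strings look like "v7.0.1-r110206" (dotted release,
// optional "-r<build>" suffix), as they do in the advisory table.

const PLATFORMS = ['windows', 'macos', 'linux'];

// Minimum fixed version per CVE and platform, as listed in this advisory.
const FIXED_IN = {
  'CVE-2021-36665': { windows: 'v7.0.0', macos: 'v7.0.0' },
  'CVE-2021-36666': { macos: 'v7.0.0' },
  'CVE-2021-36667': { macos: 'v7.0.0' },
  'CVE-2021-36668': { windows: 'v7.0.1-r110201', macos: 'v7.0.1-r110206', linux: 'v5.9.3' },
};

// "v7.0.1-r110206" -> { release: [7, 0, 1], build: 110206 }; build is null when absent.
function parseVersion(s) {
  const m = /^v?(\d+(?:\.\d+)*)(?:-r(\d+))?$/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised version string: ${s}`);
  return {
    release: m[1].split('.').map(Number),
    build: m[2] === undefined ? null : Number(m[2]),
  };
}

// Negative if a < b, zero if equal, positive if a > b. Missing release
// components count as 0 ("7.0" equals "7.0.0"). When the releases tie, a
// version without a build number is treated as older than one with a build
// number, so a bare "v7.0.1" does not pass as >= "v7.0.1-r110201".
function compareVersions(a, b) {
  const n = Math.max(a.release.length, b.release.length);
  for (let i = 0; i < n; i++) {
    const x = i < a.release.length ? a.release[i] : 0;
    const y = i < b.release.length ? b.release[i] : 0;
    if (x !== y) return x - y;
  }
  const bx = a.build === null ? -1 : a.build;
  const by = b.build === null ? -1 : b.build;
  return bx - by;
}

// CVE IDs from this advisory that the given install is still exposed to.
// CVEs that do not apply to the platform are not reported.
function openCves(platform, installedVersion) {
  if (!PLATFORMS.includes(platform)) throw new Error(`unknown platform: ${platform}`);
  const installed = parseVersion(installedVersion);
  const open = [];
  for (const [cve, fixedByPlatform] of Object.entries(FIXED_IN)) {
    const fixed = fixedByPlatform[platform];
    if (fixed === undefined) continue;
    if (compareVersions(installed, parseVersion(fixed)) < 0) open.push(cve);
  }
  return open;
}

function isRemediated(platform, installedVersion) {
  return openCves(platform, installedVersion).length === 0;
}

// Command-line use: node check.js macos v7.0.1-r110206
if (typeof require !== 'undefined' && require.main === module) {
  const [platform, version] = process.argv.slice(2);
  const open = openCves(platform, version);
  console.log(open.length === 0
    ? `${platform} ${version}: remediated`
    : `${platform} ${version}: still open: ${open.join(', ')}`);
}
```

The build-number rule is deliberately conservative: the Windows and macOS fixes for CVE-2021-36668 are specific builds of v7.0.1, so a report that only says "v7.0.1" is not enough to mark the host remediated.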
Vulnerabilities
CVE-2021-36665 - Insecure deserialization leading to arbitrary code execution
An insecure deserialization vulnerability in the inSyncUpgrade component could allow an attacker with user-level privileges to execute arbitrary code and escalate privileges to root by supplying an upgrade package with a malicious signature.
CVE-2021-36666 - Code Injection via arbitrary dynamic library loading
A code injection vulnerability in the Mac Client could allow an attacker with user-level privileges on the system to load arbitrary libraries and escalate privileges to root via the DYLD_INSERT_LIBRARIES environment variable. The technique only works where the target process honours that variable: dyld ignores DYLD_* variables for set-uid binaries and for binaries signed with the hardened runtime unless they carry the com.apple.security.cs.allow-dyld-environment-variables entitlement.
CVE-2021-36667 - OS Command Injection Vulnerability in local HTTP server
An OS command injection vulnerability in the Mac Client's local HTTP server could allow an attacker with user-level privileges on the device to execute arbitrary OS commands as a non-root user.
CVE-2021-36668 - URL Injection in inSync Client
A URL injection vulnerability in the inSync Electron UI could allow a local, authenticated attacker to execute arbitrary NodeJS code by manipulating a port number parameter.
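The following is an added example, not inSync's code: it shows the URL injection class described above on a stand-in for an Electron renderer that loads its UI from a local backend on a port it is handed, and the two checks that close it. The hostile port value is constructed for illustration; the advisory does not publish the real payload.

```javascript
// Added example (not inSync's code): a "port" parameter that reaches the URL
// parser unchecked, beside the hardened form. HOSTILE_PORT is constructed.

// Vulnerable pattern: the port is interpolated as a string, so anything in it
// ('@', '/', '#', ...) is interpreted by the URL parser. With the value below,
// "127.0.0.1:8080" becomes userinfo and attacker.example becomes the host.
function buildBackendUrlUnsafe(port) {
  return 'http://127.0.0.1:' + port + '/ui';
}

// Hardened step 1: accept only a decimal TCP port number.
function parsePort(raw) {
  const s = String(raw);
  if (!/^[0-9]{1,5}$/.test(s)) return null;        // digits only
  const n = Number(s);
  return n >= 1 && n <= 65535 ? n : null;
}

// Hardened step 2: let the WHATWG URL API place the validated port, never
// string concatenation.
function buildBackendUrl(port) {
  const n = parsePort(port);
  if (n === null) throw new Error(`refusing to build backend URL: bad port ${JSON.stringify(port)}`);
  const u = new URL('http://127.0.0.1/ui');
  u.port = String(n);
  return u.href;
}

// Hardened step 3, for a window that has nodeIntegration enabled: allow
// navigation only to the loopback backend. In Electron this check belongs in a
// webContents 'will-navigate' handler that calls event.preventDefault() when
// it returns false; here it is a pure function so it can run anywhere.
function isAllowedNavigation(target) {
  let u;
  try { u = new URL(target); } catch (e) { return false; }
  return u.protocol === 'http:' && u.hostname === '127.0.0.1'
    && u.username === '' && u.password === '';
}

// Constructed hostile "port" value.
const HOSTILE_PORT = '8080@attacker.example/';
```

The reason the navigation guard matters as well as the port check is that any page a nodeIntegration renderer can be steered to runs with Node's require() available, which is exactly the "arbitrary NodeJS code" outcome the advisory describes.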
Vulnerability details, CVSS Scoring and Metrics:
| Vulnerability | CVE ID | CVSSv3.1 Base Score | CVSSv3.1 Vector | Severity | Platform |
|---|---|---|---|---|---|
| Insecure deserialization leading to arbitrary code execution | CVE-2021-36665 | 7.5 | | High | Windows, macOS |
| Code Injection via arbitrary dynamic library loading | CVE-2021-36666 | 7.5 | | High | macOS |
| OS Command Injection Vulnerability in local HTTP server | CVE-2021-36667 | 4.4 | | Medium | macOS |
| URL Injection vulnerability in inSync App | CVE-2021-36668 | 5.3 | | Medium | Windows, macOS, Linux (Ubuntu) |
Acknowledgments
Druva would like to thank Mr. Oliver Grubin ( info@olvrgrbn.com ) for reporting these vulnerabilities through coordinated and responsible disclosure.
References
Druva uses the Common Vulnerability Scoring System (CVSS) base scores and metrics as published by the National Institute of Standards and Technology in the National Vulnerability Database. For more information on CVSS and how scores are calculated, see Common Vulnerability Scoring System: Specification Document.