Advisory Details

December 1st, 2011

Iron Mountain Connected Backup Agent Unauthenticated Remote Command Execution Vulnerability

ZDI-11-339
ZDI-CAN-1023

CVE ID: CVE-2011-2397
CVSS SCORE: 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C
AFFECTED VENDORS: Iron Mountain
AFFECTED PRODUCTS: Connected Backup 8.4
TREND MICRO CUSTOMER PROTECTION: Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 11234. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Iron Mountain Connected Backup. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Agent service, which listens by default on TCP port 16388. When handling a request containing opcode 13, the Java process instantiates a class called LaunchCompoundFileAnalyzer. This class passes user-controlled data directly to Runtime.getRuntime().exec(). This can be abused to remotely execute code in the agent process, in the context of the user running the software.

ADDITIONAL DETAILS


Versions affected: 8.2.2 - 8.5.1
Fixed versions: 8.2.2.3, 8.4.0.13, 8.4.1.1, 8.5.1.1 and later (including all 8.6.x)

Customers were notified and updates released 5/9/2011.

Updated versions are available through normal support channels (http://customers.autonomy.com, http://digitalresourcecenter.ironmountain.com).
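
The version data above can be turned into an inventory triage check. The following is an added example, not part of the original advisory or of any vendor tooling; it assumes each fixed build patches the branch that shares its first three version components, and the host names and versions in the inventory are constructed.

```python
# Added example: triage Connected Backup agent versions against this advisory.
# Assumption: a fixed build applies to the branch sharing its first three
# version components (e.g. 8.4.0.13 fixes the 8.4.0.x branch).

AFFECTED_MIN = (8, 2, 2)   # "Versions affected: 8.2.2 - 8.5.1"
AFFECTED_MAX = (8, 5, 1)
FIXED_BUILDS = [(8, 2, 2, 3), (8, 4, 0, 13), (8, 4, 1, 1), (8, 5, 1, 1)]
FIXED_BY_BRANCH = {build[:3]: build for build in FIXED_BUILDS}


def parse_version(text):
    """Turn '8.4.0.7' into (8, 4, 0, 7); short versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(text):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one agent version."""
    version = parse_version(text)
    branch = version[:3]
    if branch < AFFECTED_MIN:
        return "not-listed"    # older than the advisory's affected range
    if branch > AFFECTED_MAX:
        return "fixed"         # later than 8.5.1.x, including all 8.6.x
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "vulnerable"    # in range, no fixed build listed for the branch
    return "fixed" if version >= fixed else "vulnerable"


# Constructed sample inventory (host name -> installed agent version).
INVENTORY = {
    "ws-014": "8.4.0.12",
    "ws-022": "8.4.0.13",
    "srv-03": "8.5.1",
    "lab-7": "8.6.0.2",
    "old-1": "8.1.0.4",
    "ws-031": "8.3.0.9",
}


def vulnerable_hosts(inventory):
    """Hosts that still need an update, sorted by name."""
    return sorted(h for h, v in inventory.items() if triage(v) == "vulnerable")


if __name__ == "__main__":
    for host in vulnerable_hosts(INVENTORY):
        print(f"{host}: {INVENTORY[host]} needs an update")
```

Hosts reported as not-listed fall outside the range the advisory names and need a separate check with the vendor.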


DISCLOSURE TIMELINE
  • 2011-04-25 - Vulnerability reported to vendor
  • 2011-12-01 - Coordinated public release of advisory
CREDIT: Anonymous