If you're running virtual environments using IBM's Storage Protect for VMware or using the Storage Protect Backup-Archive Client, it's time to be concerned. A new vulnerability, CVE-2024-38320, exposes sensitive backup data to risk due to use of weak encryption that can be broken by attackers. Let's break down what this means, why it matters, and what you can do.

IBM Storage Protect Backup-Archive Client (versions 8.1.. through 8.1.23.)

These tools are popular for backing up and restoring virtual machines and data. But the problem is, they use old, weak encryption methods to protect your data. If a hacker gets access to your backup files or traffic, they could break this weak encryption and read your data.

Official IBM advisory:
https://www.ibm.com/support/pages/node/7151451

Technical Details: What Went Wrong

The main problem is the use of cryptographic algorithms that do not meet modern security standards. Technologies like DES, RC4, or even weak AES settings can be "cracked" with modern hardware and techniques. This vulnerability was tagged with CVSS score 7.5 (High).

Impact in Simple Terms

- If a hacker gets your backup data or intercepts communication, they might decrypt it without needing your passwords.
- This could include virtual disks, databases, or sensitive files, all stored in what you thought was a “secure” archive.

The backup is encrypted using a weak algorithm (let's say single DES).

3. Using open-source tools like John the Ripper or Hashcat, they can run brute force attacks or known-plaintext attacks to retrieve the decryption key.

Code Snippet: Decrypting Weak Encrypted Archive

Below is an example using Python and the pyDes library to show how DES-encrypted files can be cracked (for demo only). If your data's protected just like this, it's not really protected.

from pyDes import des, ECB, PAD_PKCS5
import base64

# This key could be brute-forced in hours
key = b"8bytekey"

cipher = des(key, ECB, padmode=PAD_PKCS5)

# Encrypted data (from intercepted backup)
encrypted_data = base64.b64decode("wPntA2VTJAAkqe3vA6vdIA==")

# Decrypt
decrypted = cipher.decrypt(encrypted_data)
print("Decrypted info: ", decrypted.decode())

In real-world, attackers will use automated brute-force on weak keys and short passwords, making this process even faster.

Are you using IBM Storage Protect Backup-Archive Client between 8.1.. and 8.1.23.?

- Was your encryption method set to something other than AES-256 or modern standards? (Check the docs or your config)

From IBM's bulletin

> "Backup-Archive Client managed passwords and their backups created by affected versions, using weak algorithms, are susceptible to decryption by attackers."

IBM has released fixed versions. Update to the latest 8.1.24. or above.

- Download: https://www.ibm.com/support/pages/node/7151451

Re-encrypt Past Backups

Unfortunately, backups created with the old versions may need to be restored and re-backed-up using the fixed version for full protection.

Audit Your Backup Encryption

Double-check encryption settings in your configuration files. Use only strong algorithms (AES-256 or better).

IBM Security Bulletin:

https://www.ibm.com/support/pages/node/7151451

NIST Guidance on Cryptography:

https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final

Final Words

CVE-2024-38320 is serious. If you’re like most administrators, you assume your data is encrypted and safe. But if you’re using IBM Storage Protect Backup-Archive Client or Data Protection for VMware 8.1.. - 8.1.23., that may not be true.

Act now: update your software, check your backup policies, and don’t ignore the risk. Attackers target backups because that's where the keys to your kingdom live.

Stay safe and keep your data genuinely secure!

*This analysis is exclusively written for this post. For a deep-dive or project-specific checks, consult your information security team or a reliable IBM partner.*

Timeline

Published on: 01/27/2025 16:15:30 UTC