CloudBerry Backup v6.1.2.34 Local Privilege Escalation

Disclosure date:  08/26/19

CVE-2019-15720

CloudBerry Backup v6.1.2.34 and possibly older versions are vulnerable to local privilege escalation via the Pre and Post backup actions. With only user-level access, a user can modify the backup plan and add a Pre backup action script that executes as NT AUTHORITY\SYSTEM.

CloudBerry Lab was notified of this vulnerability on 8/23/19 and acknowledged the issue in the subsequent days.

POC:








As a temporary workaround, the vendor suggests:

"Please create a new user, add it to Backup Operators local group, or a domain group if the machine is a domain controller, and then change the service account in the software to that user by going to Tools > Change Service account."

"Make sure to edit file-level backup plans and enable 'use Backup Operator' option under Advanced Settings. The backup operator can back up files on the machine, but cannot be used to elevate privileges."
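
One way to verify the service-account part of this workaround on a host, as an added PowerShell example that is not from the vendor or the original advisory: it reports which account each matching service runs as and whether that account is SYSTEM, a local administrator, or a Backup Operators member. The `*CloudBerry*` name pattern is an assumption about how the service is named; the group SIDs are the Windows well-known values, and the check applies to machines with local groups (not domain controllers).

```powershell
# Added example, not vendor code. Needs the LocalAccounts cmdlets (Windows PowerShell 5.1+).
param(
    # Assumption: the service name or display name contains this text; adjust to your install.
    [string]$NamePattern = '*CloudBerry*'
)

# Well-known SIDs for the built-in local groups.
$AdminsSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
$BackupSid  = 'S-1-5-32-551'   # BUILTIN\Backup Operators
$SystemLike = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

function Resolve-AccountSid([string]$Account) {
    # Win32_Service reports local accounts as ".\name"; NTAccount needs the machine name.
    $name = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        ([System.Security.Principal.NTAccount]$name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # unresolvable account: reported as UNKNOWN below
}

function Get-DirectMemberSids([string]$GroupSid) {
    # Direct members only; accounts nested inside member groups are not expanded.
    @(Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SID.Value })
}

$admins  = Get-DirectMemberSids $AdminsSid
$backups = Get-DirectMemberSids $BackupSid

Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $NamePattern -or $_.Name -like $NamePattern } |
    ForEach-Object {
        $sid = Resolve-AccountSid $_.StartName
        $status =
            if ($SystemLike -contains $_.StartName) { 'AT RISK: runs as SYSTEM' }
            elseif (-not $sid)                      { 'UNKNOWN: account did not resolve' }
            elseif ($admins -contains $sid)         { 'AT RISK: account is a local administrator' }
            elseif ($backups -contains $sid)        { 'OK: Backup Operators member, not admin' }
            else                                    { 'CHECK: not in Backup Operators' }
        [pscustomobject]@{
            Service = $_.Name
            RunsAs  = $_.StartName
            Status  = $status
        }
    }
```

The script does not inspect individual backup plans, so the 'use Backup Operator' option under Advanced Settings still has to be confirmed in the product itself.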