Idera Server Backup Manager – Restore Arbitrary File Overwrite Vulnerability

Product Description:

Idera Server Backup Manager is an affordable, high-performance disk-to-disk backup software for Linux and Windows servers. (This software was previously better known as R1Soft Backup.)

Vulnerability Discussion:

It is possible for a malicious user to overwrite and take control of any file on the server, including root-owned files, by means of a hard link or symlink attack during the restore process, when the restore is executed by an admin user via the GUI.
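
The following is an added example, not Idera/R1Soft code, showing the trusting open-for-write that this bug class depends on next to a restore write that refuses symlinked or multiply-linked targets and works through a directory fd plus rename. It assumes a POSIX system (O_NOFOLLOW, O_DIRECTORY) and builds its scenario in a constructed temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path
class UnsafeRestoreTarget(Exception):
    """The destination would let a local user redirect the write elsewhere."""
def safe_restore(dest_dir: str, name: str, data: bytes) -> None:
    """Restore dest_dir/name without ever opening the existing entry for writing."""
    if os.sep in name or name in ("", ".", ".."):
        raise UnsafeRestoreTarget(f"bad file name {name!r}")
    # Work relative to an fd on the directory (opened O_NOFOLLOW) so the directory
    # itself cannot be swapped for a link while we operate.
    dir_fd = os.open(dest_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:  # lstat inspects the entry itself, not whatever a link points at
            st = os.lstat(name, dir_fd=dir_fd)
        except FileNotFoundError:
            st = None
        if st is not None and (not stat.S_ISREG(st.st_mode) or st.st_nlink > 1):
            raise UnsafeRestoreTarget(f"{name!r} is a link or not a plain file")
        # Write a fresh inode under a temp name (O_EXCL fails closed if a link was
        # planted there) and rename() it over the target; rename never follows a
        # link, so a symlink swapped in after the lstat check is replaced, not written through.
        tmp = f".{name}.restoring"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.rename(tmp, name, src_dir_fd=dir_fd, dst_dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def demo() -> dict:
    """Constructed scenario: protected file outside the restore dir, planted symlink inside."""
    with tempfile.TemporaryDirectory() as root:
        protected = Path(root, "protected.conf")
        protected.write_bytes(b"ORIGINAL")
        rdir = Path(tempfile.mkdtemp(dir=root))  # the user's own, writable directory
        (rdir / "notes.txt").symlink_to(protected)
        # A trusting restore: open-for-write follows the planted link (the advisory's bug class).
        (rdir / "notes.txt").write_bytes(b"BACKUP")
        after_naive = protected.read_bytes()
        try:
            safe_restore(str(rdir), "notes.txt", b"BACKUP")
            refused = False
        except UnsafeRestoreTarget:
            refused = True
        safe_restore(str(rdir), "plain.txt", b"BACKUP")  # ordinary files still restore
        return {"after_naive": after_naive, "refused": refused,
                "plain": (rdir / "plain.txt").read_bytes()}
```

The lstat check gives an auditable refusal for pre-planted links; the O_EXCL-then-rename sequence is what closes the race between that check and the write.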

Vendor Contact Timeline:

2014-03-07: Vendor contacted via email.
2014-03-17: Vendor confirms vulnerability.
2014-04-21: Vendor issues update.
2014-04-21: RACK911 Labs issues security advisory.

About Us:

RACK911 Labs
1110 Palms Airport Drive, Suite 110
Las Vegas, NV 89119