A vulnerability, which was classified as critical, was found in Arq up to 5.9 on Mac. This affects an unknown function of the component arq_updater/arqcommitter/standardrestorer/arqglacierrestorer/arqs3glacierrestorer. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-264. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

The (1) arq_updater, (2) arqcommitter, (3) standardrestorer, (4) arqglacierrestorer, and (5) arqs3glacierrestorer helper apps in Arq 5.x before 5.10 for Mac allow local users to gain root privileges via a crafted data packet.

The bug was discovered 11/29/2017. The weakness was published 12/01/2017 (Website). The advisory is shared at arqbackup.com. This vulnerability is uniquely identified as CVE-2017-16895 since 11/20/2017. An attack has to be approached locally. The successful exploitation requires a authentication. Technical details are unknown but a public exploit is available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

The exploit is shared for download at exploit-db.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 2 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 5.10 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Exploit-DB (43216). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Name

• Arq

Version

• 5.0
• 5.1
• 5.2
• 5.3
• 5.4
• 5.5
• 5.6
• 5.7
• 5.8
• 5.9

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion