CVE-2007-2360 in Backup
Summary
by MITRE
Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, when remote backups of restore point images are configured, encrypt network share credentials with a key formed by a hash of the username, which allows local users to obtain the credentials by calculating the key.
Analysis
by VulDB Data Team • 08/30/2018
This vulnerability exists in Symantec's backup and recovery software suite including Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery versions prior to 20070426. The flaw stems from a weak cryptographic implementation where network share credentials are encrypted using a key derived from a hash of the username. This design choice fundamentally undermines the security of remote backup configurations that rely on network share authentication. The vulnerability represents a classic implementation weakness in cryptographic key derivation where predictable and easily computable keys are used instead of properly randomized cryptographic keys.
The technical flaw manifests when administrators configure remote backups of restore point images to network shares requiring authentication. The software generates the encryption key for the stored credentials by applying a hash function to the username alone, with no secret or random input mixed in. Key generation is therefore fully deterministic: any local user who knows the username can recompute the encryption key simply by hashing it. The vulnerability directly maps to CWE-326, which describes inadequate encryption strength, and CWE-327, which covers broken or weak cryptographic algorithms. Attackers exploit this weakness by calculating the hash of the username used for network share authentication and then using the computed key to decrypt the stored credentials.
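To make the key-derivation weakness concrete, the following added example (not Symantec's code, and not taken from this advisory) contrasts the deterministic pattern the analysis describes with a key that cannot be recomputed from public inputs, and wraps the difference in an audit check a defender can run against a stored credential blob. The hash function and cipher the affected products actually used are not stated on the page; SHA-256, the standard-library stream cipher, the username `backupsvc` and the password value are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Minimal authenticated stream cipher built only from the standard library.
# It stands in for a real AEAD (e.g. AES-GCM) so the example runs anywhere;
# the point of the example is where the KEY comes from, not the cipher.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag for the given key."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


# The weak pattern from the advisory: key = hash(username).
# Anyone who knows the username (a local user, for instance) gets the same key.
def weak_key_from_username(username: str) -> bytes:
    # Assumption: SHA-256; the page does not say which hash the product used.
    return hashlib.sha256(username.encode("utf-8")).digest()


# Hardened pattern: a random 256-bit key. It is not a function of any public
# input, so it cannot be recomputed; it must instead be stored where
# low-privilege users cannot read it (OS key store, admin-only ACL).
def generate_random_key() -> bytes:
    return secrets.token_bytes(32)


# Audit check: does this stored credential blob open with hash(username)?
# True means the credential is recoverable by anyone who knows the username.
def credential_recoverable_from_username(blob: bytes, username: str) -> bool:
    return decrypt(weak_key_from_username(username), blob) is not None


def demo() -> dict:
    """Constructed sample: same share password stored both ways."""
    username = "backupsvc"          # constructed sample value
    password = b"Sh4re-P4ssw0rd!"   # constructed sample value

    weak_blob = encrypt(weak_key_from_username(username), password)
    strong_blob = encrypt(generate_random_key(), password)

    return {
        "weak_recoverable": credential_recoverable_from_username(weak_blob, username),
        "strong_recoverable": credential_recoverable_from_username(strong_blob, username),
    }


if __name__ == "__main__":
    print(demo())  # {'weak_recoverable': True, 'strong_recoverable': False}
```

The audit check is the useful part for a practitioner: pointed at a credential store, it answers whether knowledge of the username alone is sufficient to open it, which is exactly the condition CWE-326/CWE-327 describe here. Note that a random salt would not fix the pattern on its own, because a salt is stored next to the blob and is just as readable as the username; the fix is a key the local user cannot obtain, which in practice means an OS-protected key store rather than a value derived from configuration data.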
The operational impact of this vulnerability is significant for organizations relying on Symantec's backup solutions for remote data protection. Local users who gain access to the system can trivially extract network share credentials, potentially gaining unauthorized access to backup storage locations. This creates a privilege escalation scenario where low-privilege users can obtain administrative credentials for network shares, enabling them to access, modify, or exfiltrate backup data. The vulnerability undermines the integrity of backup security configurations and can lead to unauthorized data access across the entire backup infrastructure. The attack vector is particularly concerning because it requires only local system access and basic knowledge of the username, making it exploitable by users with minimal privileges. This weakness can be categorized under ATT&CK technique T1552.001 for unsecured credentials and T1078.004 for valid accounts.
Mitigation strategies should focus on immediate software updates to versions released after April 26, 2007, which contain proper cryptographic implementations. Organizations should also implement additional access controls and privilege separation to minimize the impact of local user access. Network segmentation and monitoring of backup processes can help detect unauthorized credential access attempts. The vulnerability highlights the importance of proper key derivation practices and adherence to cryptographic best practices. System administrators should consider implementing additional authentication layers and regularly auditing backup configuration settings to ensure secure credential storage. Organizations should also review their backup security policies and apply the principle of least privilege to backup system access to reduce the attack surface.