CVE-2007-2361 in Backup
Summary
by MITRE
Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, when remote backups of restore point images are configured, use weak permissions (world readable) for a configuration file with network share credentials, which allows local users to obtain the credentials by reading the file.
Analysis
by VulDB Data Team • 08/30/2018
This vulnerability affects Symantec's Windows backup and recovery products Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery in builds earlier than 20070426. It is a credential-storage weakness: when an administrator configures remote backups of restore point images, the software writes a configuration file that holds the credentials it uses to authenticate to the destination network share. That file is created with permissions that grant read access to every local user, so anyone with an interactive or service logon on the machine can read the share credentials without any privilege escalation.
The weakness is one of access control on a file, not of parsing or memory safety. Because these are Windows products, the relevant control is the NTFS discretionary ACL on the configuration file: an access control entry granting Read to a broad principal such as Everyone, BUILTIN\Users or Authenticated Users, typically inherited from the installation or data directory, is enough to expose the contents. Storing a reusable secret in a file that any local account can read violates least privilege and is best described by CWE-732 (Incorrect Permission Assignment for Critical Resource) together with CWE-256 (Plaintext Storage of a Password), since the credentials are recoverable from the file contents. Exploitation requires nothing more than opening the file; no elevated rights, race conditions or memory corruption are involved.
The impact goes beyond the disclosure of one account's password. The credentials grant whatever rights the backup account has on the network share, and that share holds restore point images, which are full or incremental copies of the protected system's volumes. A local user who harvests them can read those images (and thus every file they contain, including SAM databases, documents and other secrets), replace or corrupt images so that a later restore brings back tampered content, or delete the backups ahead of a destructive attack. Because the stolen credentials are legitimate and are used from an expected host, their misuse is unlikely to trigger alerts on the file server. The risk is highest on shared workstations, terminal servers and any host where untrusted or low-privileged users can log on alongside the backup software.
The primary fix is the vendor update: builds dated 20070426 or later no longer create the file with world-readable permissions. Where updating is delayed, administrators should correct the NTFS ACL on the affected configuration file directly: disable ACL inheritance on the file, remove any entries for Everyone, Users or Authenticated Users, and leave only SYSTEM, Administrators and the account the backup service actually runs under. Unix-style mode numbers such as 600 or 640 do not apply on Windows, where the equivalent is an explicit DACL with no read grant to broad groups. Because the credentials were exposed to every local user for as long as the file existed, they should be treated as compromised and rotated on the file server, and any reuse of that account elsewhere reviewed. Routine audits of credential-bearing files under backup, agent and service directories catch the same class of problem in other products. In ATT&CK terms the exploitation is T1552.001, Unsecured Credentials: Credentials In Files; the control it violates corresponds to least privilege (AC-6) in NIST SP 800-53. The vulnerability is a reminder that backup software is a high-value credential holder, and that a secret written to disk is only as protected as the ACL on the file that contains it.
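The following PowerShell is an added example illustrating both the audit of a world-readable configuration file and the ACL hardening described above; it is not Symantec's code and the file path is a placeholder, since the page does not name the actual configuration file. It reports any Allow entry that gives a broad principal read access, then rewrites the file's DACL so that only SYSTEM, Administrators and an optional service account remain. The service-account parameter is an assumption for installations whose backup service does not run as LocalSystem.

```powershell
# Added example (not Symantec's code): audit and harden the NTFS ACL of a
# credential-bearing configuration file. The path is hypothetical; substitute
# the file your installation actually writes.
$ConfigFile = 'C:\ProgramData\ExampleBackup\remote-share.cfg'

# Well-known SIDs of the over-broad principals that must not be able to read the file:
# S-1-1-0 Everyone, S-1-5-32-545 BUILTIN\Users, S-1-5-11 Authenticated Users.
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')

function Get-BroadReadAccess {
    # Returns one object per Allow ACE that grants ReadData to a broad principal.
    param([Parameter(Mandatory)][string]$Path)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account; not one of the broad groups
        if ($BroadSids -contains $sid -and
            (([int]($ace.FileSystemRights -band $readData)) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # usually $true: the grant came from the directory
            }
        }
    }
}

function Set-RestrictedConfigAcl {
    # Replaces the file's DACL with explicit Full Control for SYSTEM, Administrators
    # and any extra principals (e.g. a dedicated backup service account).
    param([Parameter(Mandatory)][string]$Path,
          [string[]]$ExtraPrincipals = @())
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent directory and do NOT copy the inherited ACEs;
    # this is what removes the Users/Everyone read grant.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every remaining explicit ACE so only the rules added below survive.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($ace) }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $principals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') + $ExtraPrincipals
    foreach ($who in $principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, $full, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Usage: report the weak grants, harden, then confirm nothing broad remains.
Get-BroadReadAccess -Path $ConfigFile | Format-Table -AutoSize
Set-RestrictedConfigAcl -Path $ConfigFile
if (-not (Get-BroadReadAccess -Path $ConfigFile)) {
    Write-Output "OK: no broad read access remains on $ConfigFile"
}
```

Run it from an elevated prompt, since changing the DACL requires ownership or WRITE_DAC on the file. Get-BroadReadAccess can also be pointed at every file under a product's data directory with Get-ChildItem -Recurse to find other credential files the same installer left readable. Hardening the ACL does not retract what was already readable, so rotating the share password on the file server is still required.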