Druva inSync Vulnerabilities: CVE-2019-3999/4000/4001 (OS Command Injection/Code Injection)

Vulnerability Key Information Summary Druva inSync Client contains multiple vulnerabilities, including unauthenticated OS command injection, Python code injection, and improper command-line argument configuration. Vulnerability Details 1. CVE-2019-3999: Unauthenticated OS Command Injection Description: The Windows Druva inSync Client service contains a command injection vulnerability that can be exploited by sending a specially crafted RPC request over TCP port 6064. Proof of Concept: Includes hexdump of the exploit and log example demonstrating successful exploitation. Risk Factor: High 2. CVE-2019-4000: Authenticated Python Code Injection Description: The inSyncDecommission process allows Python code injection via unvalidated input in the daemon.set_file_acl method within the RPC service. Proof of Concept: Provides Python source code of the vulnerable function and an example exploit. 3. CVE-2019-4001: Electron Application Command-Line Argument Misconfiguration Description: The inSync Electron application is misconfigured, allowing malicious users to execute arbitrary NodeJS code. Proof of Concept: Includes code snippet showing unvalidated command-line argument values and an example exploit. Remediation Druva inSync 6.6.0: Fixes CVE-2019-3999 and CVE-2019-4000. Druva inSync 6.6.2: Fixes CVE-2019-4001. Timeline Disclosure: December 26, 2019 — Tenable contacted Druva's security team. Report Confirmation: February 12, 2020 — Tenable published advisory. Update: March 24, 2020 — Druva inSync 6.6.2 released.

Goal Reached Thanks to every supporter — we hit 100%!

Druva inSync Vulnerabilities: CVE-2019-3999/4000/4001 (OS Command Injection/Code Injection)