Vembu BDR

Report DIVD-2020-00011 - Vembu BDR

Written on 01 Aug 2021 by Gerard Janssen

Case lead: Wietse Boonstra
Researchers: Wietse Boonstra , Frank Breedijk , Victor Gevers , Lennaert Oudshoorn
Case file: DIVD-2020-00011

DIVD researcher Wietse Boonstra found four zero-day vulnerabilities in Vembu BDR Suite, software that helps companies to make backups and ‘disaster recovery’. An attacker can take over a vulnerable Vembu BDR system and gain access to the stored data via one or more of these vulnerabilities. None of the vulnerabilities have been published yet.

During a pentest in October 2020, Boonstra found that via commands in the web browser it was possible to break into the Vembu system of one of Boonstra’s customers. A vulnerability in this type of software is serious. This kind of backup and recovery software by definition has a deep impact on the system. Vembu’s customers are both small companies and large organizations. According to its own Vembu site, NASA, Samsung, Fujitsu, and Epic Games are using the Vembu BDR Suite.

Boonstra found four vulnerabilities. Three of these (CVE-2021-26471,2,3) are remote code execution (RCE) vulnerabilities, which are often considered to be the most serious vulnerabilities. The fourth vulnerability is a Server-side request forgery (SSRF, CVE-2021-26474), which makes it possible to bypass access control to a system.

Boonstra reported the leaks at Vembu, but initially received no response. The DIVD did manage to get in touch with Vembu through other channels in mid-February. Vembu replied that the vulnerabilities were already known and fixed in the latest versions of the software. However, customers only got an update when they actively asked for it. After some urging from the DIVD, the patched version came online in April.

Further research has shown that these vulnerabilities are also present in other products created by Vembu. The Server Side Request Forgery is present in a lot of their products.

Date Event
Januari 2020 Boonstra tries to contact Vembu, but is blocked.
October 26, 2020 DIVD researcher Wietse Boonstra discovers four vulnerabilities in Vembu BDR software
November 2, 2020 First attempt to contact Vembu BDR.
November 11, 2020 Ticket is closed by Vembu.
February 1, 2021 CVE indicators reserved.
February 11, 2021 New attempt to contact Vembu.
March 22, 2021 Vembu acknowledges receipt of our report and indicates that these issues have already been resolved in their bi-weekly builds.
March 31, 2021 Vembu updates their images on Docker Hub to images with these vulnerabilities fixed.
April 2, 2021 Vembu puts updated software on their download page
April 30, 2021 ZMap scan for servers listening on port 6060
May 2, 2021 First scan for vulnerable systems
May 15, 2021 Limited publication of these vulnerabilities.
June 1, 2021 Planned date for full disclosure.
August 25, 2021 Full disclosure of CVE-2021-26471, CVE-2021-26472 and CVE-2021-26473