Multiple vulnerabilities in WBSAirback by White Bear Solutions

Posted date 15/04/2024
5 - Critical
Affected Resources
  • WBSAirback, 21.02.04 version.

INCIBE has coordinated the publication of 16 vulnerabilities, 1 of critical severity, 2 of high severity and 13 of medium severity, affecting WBSAirback 21.02.04, which have been discovered by Alejandro Amorín Niño, Guillermo Tuvilla Gómez, Sergio Román Hurtado y Sergio González González (CVE-2024-3781).

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • CVE-2024-3781: CVSS v3.1: 9.1 | CVSS AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-78.
  • CVE-2024-3782: CVSS v3.1: 8.8 | CVSS AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. | CWE-352.
  • CVE-2024-3783: CVSS v3.1: 7.7 | CVSS AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | CWE-22.
  • CVE-2024-3784 to CVE-2024-3788: CVSS v3.1: 6.6 | CVSS AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L. | CWE-97.
  • CVE-2024-3789: CVSS v3.1: 6.5 | CVSS AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. | CWE-400.
  • CVE-2024-3790 to CVE-2024-3796: CVSS v3.1: 4.8 | CVSS AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. | CWE-79.

All vulnerabilities have been fixed by the White Bear Solutions team in version 21.05.00.

  • CVE-2024-3781: command injection vulnerability in the operating system. Improper neutralisation of special elements in Active Directory integration allows the intended command to be modified when sent to a downstream component in WBSAirback 21.02.04.
  • CVE-2024-3782: Cross-Site Request Forgery vulnerability in WBSAirback 21.02.04, which could allow an attacker to create a manipulated HTML form to perform privileged actions once it is executed by a privileged user.
  • CVE-2024-3783: the Backup Agents section in WBSAirback 21.02.04 is affected by a Path Traversal vulnerability, allowing a user with low privileges to download files from the system.
  • Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI). Exploitation of this vulnerability could allow a remote user to execute arbitrary code. The list of assigned CVEs is as follows:
    • CVE-2024-3784: S3 Accounts (/admin/CloudAccounts).
    • CVE-2024-3785: Device NAS shared section (/admin/DeviceNAS).
    • CVE-2024-3786: Device Synchronizations (/admin/DeviceReplication).
    • CVE-2024-3787: S3 disks (/admin/DeviceS3).
    • CVE-2024-3788: License (/admin/CDPUsers).
  • CVE-2024-3789: Uncontrolled resource consumption vulnerability in White Bear Solutions WBSAirback, version 21.02.04. This vulnerability could allow an attacker to send multiple command injection payloads to influence the amount of resources consumed.
  • Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS). Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. The list of assigned CVEs is as follows:
    • CVE-2024-3790: /admin/SystemUsers, login / description fields, passwd1/ passwd2 parameters.
    • CVE-2024-3791: /admin/SystemConfiguration, name / free memory limit fields , type / password parameters .
    • CVE-2024-3792: /admin/DeviceReplication, execution range field, all parameters.
    • CVE-2024-3793: /admin/CloudAccounts, account name / user password / server fields, all parameters.
    • CVE-2024-3794: /admin/AdvancedSystem, description field, all parameters.
    • CVE-2024-3795: /admin/BackupTemplate, name / description fields.
    • CVE-2024-3796: /admin/BackupSchedule, description field.