On March 30, 2019, a code change was made to HashBackup. Below is the commit log for this change. The first release containing this change was #2224 on April 19, 2019.
changeset:   2201:8133818a2c13
user:        Jim <email>
date:        Sat Mar 30 12:48:40 2019 -0400
summary:     hb: move misc.checkcommand() to hb and out of each command
There is a main command dispatch function in HashBackup called hb. It performs the auditing function and then dispatches to individual command handlers. misc.checkcommand() is a function that tests whether a command is enabled and raises an error if it is disabled by the config options.
Before this commit, misc.checkcommand() was performed inside each individual HB command handler independently. With this commit, the check was moved from the individual command handlers to the main hb command dispatcher.
However, this check was added after the audit log was successfully written to the database. If an error occurred while writing the audit log, an exception was raised and misc.checkcommand() was bypassed, with the effect that disabled commands could be executed.
One way to trigger this bug, shown below, is to reduce access to the backup database to read-only. This causes audit logging to fail, bypassing the disabled command check. There may be other ways to cause audit logging to fail (for example, a full disk), with the same result. In the example below, only the stats command should be enabled, but the ls command is allowed to run.
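The dispatcher ordering described above, modeled as an added example that is not HashBackup's code: a read-only SQLite database makes the audit write raise OperationalError, and because the check sits after the write inside the same try block, the vulnerable dispatcher runs the disabled command, while the fixed dispatcher checks first. checkcommand(), audit() and the handler table are constructed stand-ins for the real internals.

```python
import sqlite3
import tempfile
from pathlib import Path

# Constructed stand-ins for HashBackup internals; none of this is the project's own code.
def checkcommand(cmd, enabled):
    # Hypothetical misc.checkcommand(): raise if cmd is not in the enable-commands set.
    if enabled and cmd not in enabled and cmd not in ("init", "upgrade", "log"):
        raise PermissionError("Command is disabled: " + cmd)

def audit(conn, cmd):
    # Writing the audit row fails with OperationalError on a read-only database.
    conn.execute("INSERT INTO audit(cmd) VALUES (?)", (cmd,))
    conn.commit()

def dispatch_vulnerable(conn, cmd, enabled, handlers):
    # Order described in the advisory: audit, then check, both in one try.
    # An audit failure jumps to the except clause, so checkcommand() never runs.
    try:
        audit(conn, cmd)
        checkcommand(cmd, enabled)
    except sqlite3.OperationalError as e:
        print("Warning: unable to audit command:", e)
    return handlers[cmd]()

def dispatch_fixed(conn, cmd, enabled, handlers):
    # Check first and outside the try, so no audit-log failure can skip it.
    checkcommand(cmd, enabled)
    try:
        audit(conn, cmd)
    except sqlite3.OperationalError as e:
        print("Warning: unable to audit command:", e)
    return handlers[cmd]()

def run_ls(read_only):
    """Run 'ls' with enable-commands=stats; returns (ran_vulnerable, ran_fixed)."""
    path = Path(tempfile.mkdtemp()) / "hb.db"
    with sqlite3.connect(path) as rw:
        rw.execute("CREATE TABLE audit(cmd TEXT)")
    conn = sqlite3.connect(path.as_uri() + ("?mode=ro" if read_only else ""), uri=True)
    handlers = {"ls": lambda: "listing", "stats": lambda: "stats"}
    ran = []
    for dispatch in (dispatch_vulnerable, dispatch_fixed):
        try:
            ran.append(dispatch(conn, "ls", {"stats"}, handlers) == "listing")
        except PermissionError:
            ran.append(False)
    conn.close()
    return tuple(ran)
```

With a writable database both dispatchers refuse ls; with a read-only one only the fixed dispatcher does.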
By default, the HashBackup directory is created with 700 permissions and only the owner has access. This helps mitigate this security issue, though an admin may have created the backup directory under a user’s id, added an admin passphrase to protect the config, and disabled some commands. Since the user does not know the admin passphrase, they cannot re-enable commands. But because of the vulnerability, the user could temporarily change their access to read-only, use disabled commands, then change permissions back.
This bug was found on Feb 21, 2022 via internal testing and not reported by anyone using HashBackup. A fix was released the same day in release #2772 with an entry in the release notes that a full disclosure would be given in 90 days to give sites time to upgrade. This note is the full disclosure.
Release #2876 on April 1, 2022 performs a database upgrade. After a db upgrade, earlier releases cannot access the HashBackup database, so this db upgrade is important to prevent older versions of HashBackup with the vulnerability from accessing disabled commands against the backup database.
Example showing execution of a disabled command:
# --- create a backup

$ hb init -c hb
HashBackup #2490 Copyright 2009-2022 HashBackup, LLC
Backup directory: /hb2490/hb
Permissions set for owner access only
Created key file /hb2490/hb/key.conf
Key file set to read-only
Setting include/exclude defaults: /hb2490/hb/inex.conf

VERY IMPORTANT: your backup is encrypted and can only be accessed with
the encryption key, stored in the file:
    /hb2490/hb/key.conf
You MUST make copies of this file and store them in secure locations,
separate from your computer and backup data.  If your hard drive fails,
you will need this key to restore your files.  If you have setup remote
destinations in dest.conf, that file should be copied too.

Backup directory initialized

# --- save 1 file for the test

$ hb backup -c hb backup.py
HashBackup #2490 Copyright 2009-2022 HashBackup, LLC
Backup directory: /hb2490/hb
Backup start: 2022-02-21 23:00:20
Copied HB program to /hb2490/hb/hb#2490
This is backup version: 0
Dedup not enabled; use -Dmemsize to enable
/
/hb2490
/hb2490/backup.py
/hb2490/hb
/hb2490/hb/inex.conf

Time: 0.1s  CPU: 0.0s, 64%  Mem: 55 MB
Checked: 7 paths, 134390 bytes, 134 KB
Saved: 7 paths, 134390 bytes, 134 KB
Excluded: 0
Dupbytes: 0
Compression: 68%, 3.2:1
Efficiency: 0.00 MB reduced/cpusec
Space: +42 KB, 189 KB total
No errors

# --- disable all commands except stats

$ hb config -c hb enable-commands stats
HashBackup #2490 Copyright 2009-2022 HashBackup, LLC
Backup directory: /hb2490/hb
Cache size: 29 MB (3600 pages)
Current config version: 1
Warning: admin-passphrase is not set
Note: these commands cannot be disabled: init,upgrade,log
Set enable-commands to stats (was '') for future backups

# --- try ls command

$ hb ls -c hb
HashBackup #2490 Copyright 2009-2022 HashBackup, LLC
Backup directory: /hb2490/hb
Command is disabled

# --- set backup directory to read-only (grant others read-only)

$ chmod -R 555 hb

# --- ls should be disabled but is not because of the audit failure

$ hb ls -c hb
HashBackup #2490 Copyright 2009-2022 HashBackup, LLC
Warning: unable to audit command:
Traceback (most recent call last):
  File "hb.py", line 97, in <module>
OperationalError: attempt to write a readonly database
Backup directory: /hb2490/hb
Most recent backup version: 0
Showing most recent version, use -ad for all
/ (parent, partial)
/hb2490 (parent, partial)
/hb2490/backup.py
/hb2490/hb (parent, partial)
/hb2490/hb/inex.conf