OS Command Injection with VM restores
Advisory ID: RBK-20200316-S0012
Action Recommended: Customers may upgrade to CDM 5.1.2 or CDM 5.0.4-p1 to mitigate the security vulnerability
Rubrik believes in keeping our customers and partners proactively notified about product issues to mitigate any impact to your business and operations. We’re posting the following security vulnerability advisory to inform you of an issue that may affect your environment.
S21sec, a cybersecurity company, reported an Operating system (OS) command injection vulnerability (CVE-2020-9478) which may allow an authenticated attacker to execute arbitrary linux commands on Rubrik CDM managed VMware virtual machines (VM) during file restore operations. Rubrik Engineering performed a comprehensive investigation and code review, which confirmed the findings by S21sec.
The vulnerability is exploitable only under the following limited conditions.
- Only VMware virtual machines running Linux protected by Rubrik CDM are potentially impacted.
- The restore must be performed using the VMware Tools recovery method. Recovering files with the Rubrik Backup Service (RBS) is not impacted.
- Exploiting the vulnerability requires access to an account on the Rubrik cluster with administrator privileges or an end user account with the Allow Overwrite of Original option applied to the restore target.
A fix is included in Rubrik 5.1.2 and CDM 5.0.4-p1 (these releases also address the Conscrypt certificate expiration issue as described in Technical Advisory: RBK-20200302-D0011), and all customers are encouraged to upgrade affected clusters to mitigate any risks associated with CVE-2020-9478.
Affected software releases
The following Rubrik CDM software releases are affected. Any clusters running one of the affected software releases should be upgraded. Verify your current Rubrik CDM software release by using the About Rubrik option from the Settings menu in the UI, or from the Admin CLI by running the version command.
- All CDM 5.1.1-x software releases are affected
- All CDM 5.1.0-x software releases are affected
- CDM 5.0.4-2617 is affected
- All CDM 5.0.3-x software releases are affected
- All CDM 5.0.2-x software releases are affected
- All CDM 5.0.1-x software releases are affected
- All CDM 5.0.0-x software releases are affected
Mitigation and software upgrade recommendation
For clusters running one of the affected CDM software releases, Rubrik recommends the following upgrade plan to mitigate the security vulnerability. For the latest maintenance release, Rubrik recommends upgrading to CDM 5.0.4-p1. Environments that require the latest features should upgrade to CDM 5.1.2.
- Upgrade not required: Clusters running CDM 5.1.2-p1, CDM 5.1.2, or CDM 5.0.4-p1, are not affected by the vulnerability and do not require a software upgrade.
- Upgrade to latest maintenance release: For environments that require the current stable release, upgrade to CDM 5.0.4-p1 (Download | Release Notes). CDM 5.0.4-p1 also addresses the Conscrypt certificate expiration issue as described in Technical Advisory: RBK-20200302-D0011.
- Upgrade to latest feature release: For environments that require the latest product enhancements and features, upgrade to CDM 5.1.2 (Download | Release Notes). Please review the release notes for feature details. CDM 5.1.2 also addresses the Conscrypt certificate expiration issue as described in Technical Advisory: RBK-20200302-D0011.
Software upgrade guidance and instructions
Upgrading Rubrik CDM is a simple process and can be performed by customers from the CLI. Reference the following resources for guidance with the Rubrik CDM software upgrade process.
- Determine upgrade path: Determine the appropriate upgrade path from a previous software release to CDM 5.0.4-p1 or CDM 5.1.2.
- Review Compatibility Matrix: Identify any software dependencies and interoperability requirements prior to the software upgrade.
- Follow upgrade instructions: Review the upgrade path and compatibility matrix prior to upgrading software. Perform the upgrade from the CLI using the supplied instructions, which includes a video.
For any questions regarding this security vulnerability advisory, please open a case with Rubrik Support using one of the following methods: