Oracle Secure Backup exposed to CVSS 9.8, pre-auth RCE

An Apache HTTP Server vulnerability continues to affect downstream products...

Oracle Secure Backup is exposed to what Oracle describes as an “easily exploitable vulnerability [that] allows unauthenticated attacker with network access via HTTP to compromise [and] takeover” the product.

The pre-auth RCE vulnerability was allocated a critical CVSS score of 9.8.

Oracle Secure Backup is a product that lets users take data from a networked host running Oracle Secure Backup or a NAS device that supports NDMP, and back up that data on a tape device on the network.

It can be set up with a browser-based GUI that enables you to configure an administrative domain, manage the backup and restore of file system data, and browse the backup catalogue remotely.

The issue, which affected versions prior to 18.1.0.2.0, was fixed in Oracle’s October 2022 quarterly patch cycle but customers do not always promptly patch software that they do not believe to be network-exposed.

As Oracle noted in its patch update: “We periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.”

It was not immediately clear how many users are potentially at risk.

This will depend on configuration.

What is clear is that attackers aggressively go after backups that they can access in a bid to hamper recovery time and boost their leverage when it comes to extorting a ransom after a data breach.

See also: Kronos makes cold storage vow, after attackers hit backup access

The Oracle Secure Backup vulnerability has its roots in CVE-2022-31813.

That’s a bug in Apache HTTP Server 2.4.53 and earlier. Specifically, mod_proxy in versions 2.2.1 through 2.4.53 does not send the X-Forwarded headers to the backend when the request lists them as hop-by-hop, so applications hosted behind it can misunderstand the real client's IP address or requested hostname.
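To make the failure concrete from the backend's side, here is an added Python model (not code from Oracle, Apache or the article): a minimal stand-in for the proxy's X-Forwarded-For handling before and after the fix, an application check that wrongly treats a missing header as a local connection, and the fail-closed check that only trusts the header from a known proxy. The loopback proxy range, hostnames and addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed setup: a reverse proxy on loopback in front of the application.
TRUSTED_PROXIES = [ip_network("127.0.0.0/8")]


def proxy_forward(headers, peer_ip, drop_hop_by_hop=True):
    """Simplified model of mod_proxy's X-Forwarded-For handling.

    The proxy records the connecting client's address in X-Forwarded-For.
    With the CVE-2022-31813 behaviour (drop_hop_by_hop=True) any header the
    request names in its Connection header counts as hop-by-hop and is not
    passed on, so the backend never sees X-Forwarded-For at all.
    """
    out = {k.lower(): v for k, v in headers.items()}
    out["x-forwarded-for"] = peer_ip
    connection = out.pop("connection", "")  # Connection itself is hop-by-hop
    hop_by_hop = {h.strip().lower() for h in connection.split(",") if h.strip()}
    if drop_hop_by_hop:
        for name in hop_by_hop:
            out.pop(name, None)
    return out


def client_ip_insecure(headers, socket_peer):
    """Vulnerable pattern: no header is taken to mean a direct connection,
    so a proxied request with the header stripped looks like it came from
    the proxy host itself (here, loopback)."""
    return headers.get("x-forwarded-for", socket_peer).split(",")[-1].strip()


def client_ip_hardened(headers, socket_peer):
    """Fail closed: X-Forwarded-For is only honoured when the TCP peer is a
    trusted proxy, and a proxied request without it is rejected rather than
    being treated as a local client."""
    if not any(ip_address(socket_peer) in net for net in TRUSTED_PROXIES):
        return socket_peer  # direct connection; any forwarded header is ignored
    xff = headers.get("x-forwarded-for")
    if xff is None:
        raise ValueError("proxied request without X-Forwarded-For; refusing")
    # Last entry is the one appended by our own trusted proxy.
    return xff.split(",")[-1].strip()


def is_admin_allowed(ip):
    """Example authorisation rule: privileged functions only from loopback."""
    return ip_address(ip).is_loopback
```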

(Sound familiar? The widely exploited BIG-IP vulnerability CVE-2022-1388 had some similarities.)

The bug, first disclosed in June 2022 and written up in detail by the security researchers at Synacktiv who reported it, affected numerous downstream software products that rely on Apache HTTP Server.

As Synacktiv noted at the time: “Its consequences will depend on the application and infrastructure setup… multiple use cases can be found, depending on the context… all exploitation scenarios depend on the willingness of frameworks to use and trust the X-Forwarded headers”. As ever, patch promptly if possible.