mirror of
https://github.com/borgbackup/borg.git
synced 2024-12-27 02:08:54 +00:00
document vulnerability, repo upgrade procedure
This commit is contained in:
parent
56da398711
commit
449cd51b73
1 changed files with 66 additions and 0 deletions
|
@ -5,6 +5,72 @@ Important notes 1.x
|
||||||
|
|
||||||
This section provides information about security and corruption issues.
|
This section provides information about security and corruption issues.
|
||||||
|
|
||||||
|
.. _archives_tam_vuln:
|
||||||
|
|
||||||
|
Pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811)
|
||||||
|
----------------------------------------------------------
|
||||||
|
|
||||||
|
A flaw in the cryptographic authentication scheme in Borg allowed an attacker to
|
||||||
|
fake archives and potentially indirectly cause backup data loss in the repository.
|
||||||
|
|
||||||
|
The attack requires an attacker to be able to
|
||||||
|
|
||||||
|
1. insert files (with no additional headers) into backups
|
||||||
|
2. gain write access to the repository
|
||||||
|
|
||||||
|
This vulnerability does not disclose plaintext to the attacker, nor does it
|
||||||
|
affect the authenticity of existing archives.
|
||||||
|
|
||||||
|
Creating plausible fake archives may be feasible for empty or small archives,
|
||||||
|
but is unlikely for large archives.
|
||||||
|
|
||||||
|
The fix enforces checking the TAM authentication tag of archives at critical
|
||||||
|
places. Borg now considers archives without TAM as garbage or an attack.
|
||||||
|
|
||||||
|
We are not aware of others having discovered, disclosed or exploited this vulnerability.
|
||||||
|
|
||||||
|
Below, if we speak of borg 1.2.5, we mean a borg version >= 1.2.5 **or** a
|
||||||
|
borg version that has the relevant security patches for this vulnerability applied
|
||||||
|
(could be also an older version in that case).
|
||||||
|
|
||||||
|
Steps you must take to upgrade a repository:
|
||||||
|
|
||||||
|
1. Upgrade all clients using this repository to borg 1.2.5.
|
||||||
|
Note: it is not required to upgrade a server, except if the server-side borg
|
||||||
|
is also used as a client (and not just for "borg serve").
|
||||||
|
|
||||||
|
Do **not** run ``borg check`` with borg 1.2.5 before completing the upgrade steps.
|
||||||
|
|
||||||
|
2. Run ``borg info --debug <repository> 2>&1 | grep TAM | grep -i manifest``.
|
||||||
|
a) If you get "TAM-verified manifest", continue with 3.
|
||||||
|
b) If you get "Manifest TAM not found and not required", run
|
||||||
|
``borg upgrade --tam --force <repository>`` *on every client*.
|
||||||
|
|
||||||
|
3. Run ``borg list --format='{name} {time} tam:{tam}{NL}' <repository>``.
|
||||||
|
"tam:verified" means that the archive has a valid TAM authentication.
|
||||||
|
"tam:none" is expected as output for archives created by borg <1.0.9.
|
||||||
|
"tam:none" could also come from archives created by an attacker.
|
||||||
|
You should verify that "tam:none" archives are authentic and not malicious
|
||||||
|
(== have good content, have correct timestamp, can be extracted successfully).
|
||||||
|
In case you find crappy/malicious archives, you must delete them before proceeding.
|
||||||
|
In low-risk, trusted environments, you may decide on your own risk to skip step 3
|
||||||
|
and just trust in everything being OK.
|
||||||
|
|
||||||
|
4. If there are no tam:non archives left at this point, you can skip this step.
|
||||||
|
Run ``borg upgrade --archives-tam <repository>``.
|
||||||
|
This will make sure all archives are TAM authenticated (an archive TAM will be added
|
||||||
|
for all archives still missing one).
|
||||||
|
``borg check`` would consider TAM-less archives as garbage or a potential attack.
|
||||||
|
Optionally run the same command as in step 3 to see that all archives now are "tam:verified".
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability time line:
|
||||||
|
|
||||||
|
* 2023-06-13: Vulnerability discovered during code review by Thomas Waldmann
|
||||||
|
* 2023-06-13...: Work on fixing the issue, upgrade procedure, docs.
|
||||||
|
* 2023-06-30: CVE was assigned via Github CNA
|
||||||
|
* 2023-07-xx: Released fixed version 1.2.5
|
||||||
|
|
||||||
.. _hashindex_set_bug:
|
.. _hashindex_set_bug:
|
||||||
|
|
||||||
Pre-1.1.11 potential index corruption / data loss issue
|
Pre-1.1.11 potential index corruption / data loss issue
|
||||||
|
|
Loading…
Reference in a new issue