Situation
A critical remote code execution (RCE) vulnerability affects all Comet Backup versions prior to the fixed releases 26.4.3 and 26.5.0. A tenant administrator holding branding permissions could execute code on the Comet Server as the cometd service by uploading a .dll or .so executable as a codesigning component in the branding configuration and then generating a backup-tool client; the server ran the uploaded library while building that client.
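The root cause described above is that a tenant-supplied upload was treated as a native library and loaded by the server. The following Python is an added illustration of the server-side check that defeats that pattern: it identifies native executables (PE, ELF, Mach-O) by their file headers rather than by extension, so a renamed .dll or .so is still caught, and it audits an existing upload directory for such files. This is not Comet's code or its fix; the allowed-extension list, the sample files and the directory layout are constructed assumptions.

```python
"""Detect native executables hidden among tenant-supplied uploads.

Added example for the Comet Backup advisory; not Comet's own code or fix.
Assumes only that uploads are ordinary files a validator or audit can read.
"""
import struct
import sys
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Header magics for the formats a server could be tricked into loading.
_ELF_MAGIC = b"\x7fELF"
_MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit
    b"\xca\xfe\xba\xbe",                         # fat/universal (also Java .class; still not an image)
}


def classify_native_executable(data: bytes) -> Optional[str]:
    """Return 'pe', 'elf' or 'macho' if data is a native executable/library, else None."""
    if data.startswith(_ELF_MAGIC):
        return "elf"
    if data[:4] in _MACHO_MAGICS:
        return "macho"
    # PE: 'MZ' DOS stub, e_lfanew at 0x3c points at the 'PE\0\0' signature.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return None


def validate_branding_upload(filename: str, data: bytes, allowed_suffixes: frozenset) -> Tuple[bool, str]:
    """Accept an upload only if its extension is allow-listed AND its content is not native code."""
    suffix = Path(filename).suffix.lower()
    if suffix not in allowed_suffixes:
        return False, f"extension {suffix or '(none)'} not allowed"
    kind = classify_native_executable(data)
    if kind is not None:
        # Extension allow-listing alone is defeated by renaming; the header check is what matters.
        return False, f"content is a native {kind} executable"
    return True, "ok"


def audit_directory(root: Path) -> Iterator[Tuple[Path, str]]:
    """Yield (path, kind) for every native executable found under root (assumed upload dir)."""
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            kind = classify_native_executable(fh.read(0x200))
        if kind is not None:
            yield path, kind


# Constructed sample headers (not real files): a minimal PE, an ELF, a Mach-O and a PNG.
SAMPLE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 8
SAMPLE_ELF = _ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13
SAMPLE_MACHO = b"\xcf\xfa\xed\xfe" + b"\x00" * 12
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
ASSUMED_ALLOWED = frozenset({".png", ".jpg", ".jpeg", ".ico"})  # assumption: image-only branding assets


def demo() -> dict:
    """Run the validator over the constructed samples, including a renamed executable."""
    return {
        "logo.png/png": validate_branding_upload("logo.png", SAMPLE_PNG, ASSUMED_ALLOWED)[0],
        "logo.png/pe": validate_branding_upload("logo.png", SAMPLE_PE, ASSUMED_ALLOWED)[0],
        "signer.dll/pe": validate_branding_upload("signer.dll", SAMPLE_PE, ASSUMED_ALLOWED)[0],
        "icon.ico/elf": validate_branding_upload("icon.ico", SAMPLE_ELF, ASSUMED_ALLOWED)[0],
    }


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for found, kind in audit_directory(Path(sys.argv[1])):
            print(f"{kind.upper():6} {found}")
    else:
        for label, accepted in demo().items():
            print(f"{label:16} accepted={accepted}")
```

Running it with a directory argument lists any native executables under that path, which is a quick way for a self-hosted operator to confirm no tenant has already staged such a file; without arguments it runs the constructed samples, showing that a PE renamed to logo.png is rejected on content even though its extension is allowed.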
Impact
Code execution as cometd on the Comet Backup server, outside the tenant's own boundary, giving:
full access to users' data in config.cfg and other server configuration files
full access to data backed up from remote devices on which the backup tool is installed
the ability to stop, replace or remove the Comet Server installation
code execution as a privileged user on connected devices that have the backup tool installed
Call to action
Comet Hosted servers have already been upgraded; no action is required for Comet Hosted administrators.
Self-hosted instances must be updated to Comet Backup 26.4.3, 26.5.0 or later, available from:
https://account.cometbackup.com/downloads
Until the update is applied, limit which tenant administrators hold branding permissions, since that permission is the prerequisite for the attack described above.
Acknowledgements
We would like to thank Georgii Shutiaev for responsibly disclosing this vulnerability and working with us to help protect our customers.