Headline
CVE-2022-37703: Open Source Backup for Linux, Windows, UNIX and OS X
In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to learn whether a directory exists anywhere in the filesystem. The binary calls opendir() as root without checking the path, so the attacker can supply an arbitrary path.
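The opendir() pattern described above next to a hardened form, as an added example that is not Amanda's code or its actual patch; the helper names opendir_unchecked and opendir_as_invoker are hypothetical. The hardened form switches the effective UID and GID to the invoking user's real IDs before opening, so the kernel applies that user's permissions to the path.

```c
/* Added example: hypothetical helper names, not Amanda source code. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pattern from the advisory: in a SUID-root binary this runs with euid 0,
 * so the result reveals whether a directory exists at any path. */
DIR *opendir_unchecked(const char *path) { return opendir(path); }

/* Hardened form: open with the invoker's real IDs as the effective IDs,
 * then restore the original effective IDs. */
DIR *opendir_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    DIR *dir;
    int err;

    if (setegid(getgid()) != 0)      /* group first, while still privileged */
        return NULL;
    if (seteuid(getuid()) != 0) {
        err = errno;
        if (setegid(saved_egid) != 0)
            err = errno;
        errno = err;
        return NULL;
    }

    dir = opendir(path);             /* checked against the invoker's rights */
    err = errno;

    /* Restore in reverse order; treat a failed restore as a failed open. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (dir) closedir(dir);
        return NULL;
    }
    errno = err;
    return dir;
}

int main(int argc, char **argv)
{
    DIR *dir = opendir_as_invoker(argc > 1 ? argv[1] : ".");
    if (!dir) { perror("opendir_as_invoker"); return 1; }
    closedir(dir);
    return 0;
}
```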
What is Amanda?
AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup solution that allows the IT administrator to set up a single master backup server to back up multiple hosts over network to tape drives/changers or disks or optical media. Amanda uses native utilities and formats (e.g. dump and/or GNU tar) and can back up a large number of servers and workstations running multiple versions of Linux or Unix. Amanda uses a native Windows client to back up Microsoft Windows desktops and servers.
The latest stable version of Amanda, 3.5.2 was released on 20th July 2022. As part of this release, we have addressed unintentional deletions of tape data in the backup environment. Your existing data on tapes will be safe and will not get replaced by your new backup set.
The most recent stable release is version 3.5.1, released on December 1, 2017.
The latest release in the 3.4.x series is 3.4.5, released on June 8, 2017. This is a bugfix release for 3.4.4.
The latest release in the 3.3.x series is 3.3.9, released on February 10, 2016. It is a security fix: the amanda user was allowed to run any code as root. Upgrade is not required if you trust the amanda user.
The latest release in the 3.2.x series is 3.2.3, released on May 9, 2011. It is a bug fix release for version 3.2.2.
The latest release in the 3.1.x series is 3.1.3, released on October 5, 2010. It is a security release for version 3.1.2.
Amanda-3.1.2 has a known security vulnerability, and all users should upgrade to Amanda-3.1.3 as soon as possible. See the security alert.
Release Notes for 3.5.2:
The 3.5.2 version of Amanda will prevent unintentional deletions of data on tapes. With this release, you can stay assured that your data on tapes is safe, irrespective of the value set on the retention period.
Enhancement
Prevent auto-label from erasing tapes - Auto-label is disabled from claiming non-Amanda and other configuration labels by default. This change will prevent rewriting your existing tape media with a new backup set.
Release Notes for 3.5.1:
- compilation on Solaris
- Do not check all ‘r’ bit on suid binary
- Fix parsing of configuration override (-o)
- can unset some setting
- client code will not fail if shared memory is not available
- amreport
  - lot of improvement
  - allow ‘*’ for a datestamp wildcard
- amgetconf
  - print an empty string if a parameter is not set instead of ‘no such parameter’
- amdump
  - new --no-dump, --no-flush and --no-vault argument
- amstatus fix
- lock holding disk to protect multiple parallel access
Release Notes for 3.5:
- Use different thread to connect to different client
- amservice, amcheck, planner, dumper are no longer suid root
- ambind
  - new suid program to bind to a privileged port
- amanda-security.conf
  - new tcp_port_range, range of privileged tcp port
  - new udp_port_range, range of privileged udp port
- S3 device
  - openstack keystone v3 support
  - device-property STORAGE-API must be set to SWIFT-3
  - new PROJECT-NAME device-property
  - new DOMAIN-NAME device-property
- amfetchdump
  - rename --directory argument to --target
- ampgsql
  - new --incremental property
  - new --remove-full-wal property
  - new --remove-incremental-wal property
- fix planner looping
- fix overflow in S3 device
- fix compilation on OpenBSD
- fix race in amarchive reader
- fix amflush (flush date selected by user)
- fix local auth, use getaddrinfo to find if the host is local
- fix dumper cancelling the shm_ring with a STRANGE result
- fix chunker hang
- Improve taperscan with chg-single and interactivity
Amanda Web Pages
- Amanda wiki
- Backup & Recovery (O’Reilly 2007) has a chapter dedicated to Amanda.
Last updated: $Date: 2017-09-28 21:37:44 $
Related news
Ubuntu Security Notice 5966-3 - USN-5966-1 fixed vulnerabilities in amanda. Unfortunately that update caused a regression and was reverted in USN-5966-2. This update provides security fixes for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.
Ubuntu Security Notice 5966-2 - USN-5966-1 fixed vulnerabilities in amanda. Unfortunately it introduced a regression in GNUTAR-based backups. This update reverts all of the changes in amanda until a better fix is provided. Maher Azzouzi discovered an information disclosure vulnerability in the calcsize binary within amanda. calcsize is a suid binary owned by root that could possibly be used by a malicious local attacker to expose sensitive file system information.
Ubuntu Security Notice 5966-1 - Maher Azzouzi discovered an information disclosure vulnerability in the calcsize binary within amanda. calcsize is a suid binary owned by root that could possibly be used by a malicious local attacker to expose sensitive file system information. Maher Azzouzi discovered a privilege escalation vulnerability in the rundump binary within amanda. rundump is a suid binary owned by root that did not perform adequate sanitization of environment variables or commandline options and could possibly be used by a malicious local attacker to escalate privileges.