CVE-2021-36665: Security Advisory for inSync Client 7.0.1 and before
An issue was discovered in Druva 6.9.0 for macOS that allows attackers to gain escalated local privileges via the inSyncUpgradeDaemon.
Advisory ID: Druva/DVSA-2022-001
Issue Date: 07-07-2022
Last Updated: 08-06-2021 (Initial Advisory)
Advisory Status: Final
Version: 1.0
Overall Severity Classification: High
**Summary**
Affected inSync Client versions were susceptible to vulnerabilities that could allow a malicious user with user-level privileges to inject code and, by chaining these flaws, escalate privileges to root. These vulnerabilities cannot be exploited remotely; they are exploitable only if the malicious user already has user-level access to the device. Druva has released an inSync Client update that addresses these vulnerabilities. Customers are strongly advised to upgrade to the latest version to remediate them. See the "Customer action required" section for details.
Note: These vulnerabilities were identified, fixed, and communicated to customers (via email) in Aug 2021. The CVE IDs have been assigned on 16 May 2022.
Impact
Successful exploitation of these vulnerabilities could lead to privilege escalation, command injection, arbitrary NodeJS code injection and unauthorized modification of data.
Affected product(s), version(s) and resolution

| Product | CVE ID | Platform | Affected Versions | Fixed/updated version |
|---|---|---|---|---|
| inSync Client | CVE-2021-36665 | Windows | All versions before v7.0.0 | v7.0.0 and above |
| inSync Client | CVE-2021-36665 | macOS | All versions before v7.0.0 | v7.0.0 and above |
| inSync Client | CVE-2021-36666, CVE-2021-36667 | macOS | All versions before v7.0.0 | v7.0.0 and above |
| inSync Client | CVE-2021-36668 | Windows | v7.0.0 and earlier versions | v7.0.1-r110201 and above |
| inSync Client | CVE-2021-36668 | macOS | v7.0.0 and earlier versions | v7.0.1-r110206 and above |
| inSync Client | CVE-2021-36668 | Linux (Ubuntu only) | v5.9.2 | v5.9.3 and above |
Customer action required
Upgrade the inSync Client to the latest installation version, which addresses all the CVEs mentioned above:
Windows: v7.0.1-r110201 and above
Mac: v7.0.1-r110206 and above
Linux (Ubuntu): v5.9.3 and above.
Download the latest inSync Client here.
For upgrade instructions, see Upgrade the inSync Client.
Customers are advised to contact Support for technical assistance.
Vulnerabilities
CVE-2021-36665 - Insecure deserialization leading to arbitrary code execution
An insecure deserialization vulnerability in inSyncUpgrade could allow an attacker with user-level privileges to execute arbitrary code and escalate privileges to root by supplying an upgrade package with a malicious signature.
CVE-2021-36666 - Code Injection via arbitrary dynamic library loading
A code injection vulnerability in the Mac Client could allow an attacker with user-level privileges on the system to load arbitrary libraries and escalate privileges to root via the DYLD_INSERT_LIBRARIES environment variable.
CVE-2021-36667 - OS Command Injection Vulnerability in local HTTP server
An OS command injection vulnerability in the Mac Client's local HTTP server could allow an attacker with user-level privileges on the device to execute arbitrary OS commands as a non-root user.
CVE-2021-36668 - URL Injection in inSync Client
A URL injection vulnerability in the inSync Electron UI could allow a local, authenticated attacker to execute arbitrary NodeJS code by manipulating a port number parameter.
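CVE-2021-36667 and CVE-2021-36668 are both instances of the same defect: a value received over a local interface is spliced into a command line or a URL as text instead of being validated and passed structurally. The following is an added example, not Druva's client code, showing the weak form beside the hardened form for each case; the function names, the `ping` action and the loopback UI URL are hypothetical and are only there to make the pattern concrete.

```javascript
// Added example (not Druva's code): parameter validation for a local control
// interface. Names and the sample "ping" action are hypothetical.

// --- Port parameter used to build the URL the Electron window loads ---------

// Weak form: the parameter is concatenated as text. Anything that is not a
// bare number changes the meaning of the URL (userinfo, host, path, fragment).
function buildUiUrlWeak(portParam) {
  return "http://127.0.0.1:" + portParam + "/index.html";
}

// Hardened form: accept only an integer in the TCP port range, build the URL
// with the URL API, and re-check that the result still points at loopback.
function buildUiUrl(portParam) {
  if (!/^\d{1,5}$/.test(String(portParam))) {
    throw new Error("port must be a decimal integer");
  }
  const port = Number(portParam);
  if (port < 1 || port > 65535) throw new Error("port out of range");
  const url = new URL("http://127.0.0.1/index.html");
  url.port = String(port);
  if (url.protocol !== "http:" || url.hostname !== "127.0.0.1") {
    throw new Error("URL escaped loopback"); // defence in depth; not reachable here
  }
  return url.toString();
}

// Gate to apply immediately before loadURL / navigation (assumption: that is
// where such a URL ends up in an Electron app): is it still the local UI?
function isLoopbackUiUrl(candidate) {
  let u;
  try {
    u = new URL(candidate);
  } catch (e) {
    return false;
  }
  return u.protocol === "http:" && u.hostname === "127.0.0.1";
}

// --- Argument received by the local HTTP server for an OS action ------------

// Weak form: builds a shell command line from request input. Handed to
// child_process.exec, this goes through /bin/sh, so shell metacharacters in
// `target` change what runs.
function buildShellCommandWeak(target) {
  return "ping -c 1 " + target;
}

// Hardened form: allowlist the action, validate the argument against a strict
// pattern, and return an argv array for child_process.execFile (no shell).
const ACTIONS = {
  ping: { file: "/sbin/ping", pattern: /^[A-Za-z0-9.-]{1,253}$/ }, // hypothetical action
};
function planCommand(action, arg) {
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, action)) {
    throw new Error(`action not allowed: ${action}`);
  }
  const spec = ACTIONS[action];
  if (typeof arg !== "string" || !spec.pattern.test(arg)) {
    throw new Error("argument rejected");
  }
  // Caller: child_process.execFile(plan.file, plan.args, callback)
  return { file: spec.file, args: ["-c", "1", arg] };
}
```

The URL check matters because the WHATWG parser treats `user:pass@host` syntax as userinfo: a "port" containing `@` silently moves the host out of loopback in the weak builder, which `isLoopbackUiUrl` catches and `buildUiUrl` never produces. For the command case, `execFile` with an argv array means the argument can only ever be one argument, so the allowlist and pattern are the whole trust boundary.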
Vulnerability details, CVSS Scoring and Metrics:

| Vulnerability | CVE ID | CVSSv3 Base Score | CVSSv3.1 Vector | Severity | Platform |
|---|---|---|---|---|---|
| Insecure deserialization leading to arbitrary code execution | CVE-2021-36665 | 7.5 | AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N | High | Windows, macOS |
| Code Injection via arbitrary dynamic library loading | CVE-2021-36666 | 7.5 | AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N | High | macOS |
| OS Command Injection Vulnerability in local HTTP server | CVE-2021-36667 | 4.4 | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N | Medium | macOS |
| URL Injection vulnerability in inSync App | CVE-2021-36668 | 5.3 | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | Medium | Windows, macOS, Linux (Ubuntu) |
Acknowledgments
Druva would like to thank Mr. Oliver Grubin ([email protected]) for taking the time to report these vulnerabilities through coordinated and responsible disclosure.
References
Release Notes for inSync Client v7.0.0
Release Notes for inSync Client v7.1.0
Druva uses the Common Vulnerability Scoring System (CVSS) base score and metrics as published by the National Institute of Standards and Technology in the National Vulnerability Database. For more information on CVSS and how scores are calculated, see the Common Vulnerability Scoring System: Specification Document.