CVE-2017-13707
📋 TL;DR
CVE-2017-13707 is a privilege escalation vulnerability in Replibit Backup Manager that allows authenticated attackers to gain root privileges by exploiting sudo misconfiguration. Attackers can use the vi editor through sudo to modify critical system files like /etc/passwd. This affects organizations using Replibit Backup Manager versions before 2017.08.04.
💻 Affected Systems
- Replibit Backup Manager
📦 What is this software?
Replibit by Axcient
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root access, allowing attackers to create new privileged accounts, install persistent backdoors, steal all data, and pivot to other systems.
Likely Case
Privileged attackers gaining full administrative control over the backup system, potentially compromising backup integrity and accessing sensitive backup data.
If Mitigated
Limited impact if proper sudo configuration and least privilege principles are enforced, restricting unauthorized sudo access.
🎯 Exploit Status
Exploitation is straightforward using sudo vi to spawn a root shell; public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2017.08.04
Vendor Advisory: https://github.com/Wh1t3Rh1n0/exploits/blob/master/2017-08-25%20Replibit%20Backup%20Manager/README.md
Restart Required: No
Instructions:
1. Update Replibit Backup Manager to version 2017.08.04 or later.
2. Verify sudo configuration no longer allows vi execution with elevated privileges.
3. Test backup functionality after update.
🔧 Temporary Workarounds
Restrict sudo vi access
Linux: Modify sudoers configuration to remove vi from allowed sudo commands for non-root users.
sudo visudo
Remove or comment out lines allowing vi execution with sudo
Implement least privilege sudo
Linux: Review and restrict sudo permissions to only necessary commands for each user/group.
sudo visudo
Audit and modify sudoers file to follow least privilege principle
🧯 If You Can't Patch
- Implement strict access controls and monitor sudo usage
- Isolate vulnerable systems from critical network segments
🔍 How to Verify
Check if Vulnerable:
Check if sudo -l shows vi in allowed commands for non-root users and verify Replibit version is below 2017.08.04.
Check Version:
Check Replibit version through management interface or package manager
Verify Fix Applied:
Confirm sudo -l no longer shows vi in allowed commands and verify Replibit version is 2017.08.04 or higher.
📡 Detection & Monitoring
Log Indicators:
- sudo vi execution in auth.log
- Unexpected modifications to /etc/passwd
- Unusual sudo command patterns
Network Indicators:
- Unusual SSH or management connections to backup system
SIEM Query:
source="auth.log" AND "sudo" AND "vi"
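A tighter version of the log check above, as an added example that is not part of the original advisory or any vendor tooling: it parses the COMMAND= field of sudo records in auth.log and flags editors run as root, so a line that only contains "vi" inside another word (such as "service") is not matched. The editor names beyond vi, the sensitive files beyond /etc/passwd, and every sample log line (host, account, service name) are assumptions constructed for the example.

```python
import re
from posixpath import basename

# Editors with shell escapes; the page names vi, the others are assumed here.
EDITORS = {"vi", "vim", "view", "nano", "ed", "emacs"}
# Files the page calls out, plus closely related ones (assumption).
SENSITIVE = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}

# sudo's syslog format: "sudo: <user> : [reason ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+(?P<rest>.*)$")

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = SUDO_RE.search(line.rstrip("\n"))
    if not m or "COMMAND=" not in m.group("rest"):
        return None
    # COMMAND= is the last field; its value may itself contain " ; ".
    head, _, command = m.group("rest").partition("COMMAND=")
    parts = [p.strip() for p in head.split(";") if p.strip()]
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    return {
        "user": m.group("user"),
        "runas": fields.get("USER", ""),
        "denied": any("=" not in p for p in parts),  # e.g. "command not allowed"
        "argv": command.split(),
    }

def find_editor_sudo(lines):
    """Flag sudo records whose executable is an editor run as root."""
    hits = []
    for line in lines:
        rec = parse_sudo_line(line)
        if not rec or not rec["argv"] or rec["runas"] != "root":
            continue
        if basename(rec["argv"][0]) in EDITORS:
            touched = sorted(SENSITIVE.intersection(rec["argv"][1:]))
            status = "denied" if rec["denied"] else "allowed"
            hits.append((rec["user"], status, " ".join(rec["argv"]), touched))
    return hits

# Constructed sample lines (host, account and service names are made up).
SAMPLE = [
    "Aug 25 10:12:01 bkp01 sudo:  svcuser : TTY=pts/0 ; PWD=/home/svcuser ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd",
    "Aug 25 10:13:40 bkp01 sudo:  svcuser : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/service backup restart",
    "Aug 26 09:02:17 bkp01 sudo:  svcuser : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vi",
]

if __name__ == "__main__":
    for hit in find_editor_sudo(SAMPLE):
        print(hit)
```

Records marked "allowed" on a host that should already be patched indicate the sudoers entry is still present; "denied" records show an account attempting the editor after the rule was removed.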