CVE-2017-15914

8.8 HIGH

📋 TL;DR

CVE-2017-15914 is an access-control bypass in `borg serve`, the server side of BorgBackup. The `--restrict-to-path` and `--restrict-to-repository` restrictions that an administrator sets on the server's command line (usually in an SSH `authorized_keys` forced command) could be overridden by a remote client, so a backup client whose key was confined to one repository could reach other repositories on the same server. Affected: Borg 1.1.0 through 1.1.2 on the server side; fixed in 1.1.3.

💻 Affected Systems

Products:
  • BorgBackup
Versions: 1.1.x before 1.1.3
Operating Systems: Linux, macOS, BSD
Default Config Vulnerable: ⚠️ Only when restrictions are configured
Notes: Only the server side (`borg serve`) is affected, and only where `--restrict-to-path` or `--restrict-to-repository` is used to confine clients; an unrestricted `borg serve` has nothing to bypass. The Borg version on clients does not matter. Borg has no network listener of its own: `borg serve` is started per session by sshd, so the attacker must already hold an SSH key (typically a backup client's key) that the server accepts.

📦 What is this software?

BorgBackup (borg) is a deduplicating, optionally encrypted and compressed backup program. A remote repository is reached over SSH: the client logs in to the backup server and runs `borg serve` there, and the two sides speak Borg's own protocol through that SSH session. Administrators who host several clients on one server account typically pin `borg serve --restrict-to-path ...` or `--restrict-to-repository ...` as the forced command for each client's key so that each client can only see its own repository.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A compromised or malicious backup client, holding an SSH key that the server restricts to one repository, reads, modifies or deletes other clients' repositories on the same server, up to the filesystem permissions of the server-side account. Where all clients share one account, that is every repository on the server: data theft, destruction of backups, or tampering ahead of a ransomware attack on the clients.

🟠

Likely Case

A backup client escapes its `--restrict-to-*` confinement and reads or alters repositories belonging to other clients on the same server, exposing their data or undermining the integrity of their backups.

🟢

If Mitigated

If each client runs `borg serve` under its own Unix account that owns only its repository, the Borg-level bypass is contained by filesystem permissions and the client gains nothing beyond the repository it already had.

🌐 Internet-Facing: HIGH - A backup server whose SSH port is reachable from the internet is exposed to every holder of an accepted client key, wherever they are; no privileges beyond that key are needed.
🏢 Internal Only: MEDIUM - A compromised internal client host, or an insider with a client key, can use the bypass against other clients' repositories on the same server.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No - the attacker needs an SSH login that the server maps to `borg serve`
Complexity: LOW

The flaw is in how `borg serve` enforced its own `--restrict-to-path` / `--restrict-to-repository` options, so a modified Borg client connecting over an accepted SSH key could reach paths the server meant to forbid; no memory corruption or race is involved. No public proof of concept is listed; the 1.1.3 changelog describes the fix.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.3

Vendor Advisory: http://borgbackup.readthedocs.io/en/stable/changes.html#version-1-1-3-2017-11-27

Restart Required: No long-running daemon to restart. sshd starts a fresh `borg serve` for every session, so sessions opened after the upgrade use the fixed binary; sessions already running keep the old code until they finish.

Instructions:

1. Find where the server-side borg comes from (`which borg`: distribution package, pip, or the standalone binary).
2. Upgrade that installation to 1.1.3 or later: `pip install --upgrade borgbackup` for a pip install, the distribution's package manager for a packaged install, or replace a standalone binary with the 1.1.3 release binary.
3. Confirm with `borg --version` on the server, then wait for or end any `borg serve` sessions that started before the upgrade (`pgrep -a borg`).

🔧 Temporary Workarounds

Network Isolation

linux

Restrict which hosts can reach the SSH port that carries Borg sessions (Borg has no port of its own). This narrows the set of hosts that can present a client key; it does not stop a client that already holds one. Replace `trusted_network` with a CIDR such as 10.0.0.0/8, and keep the ACCEPT rule ahead of the DROP so you do not lock yourself out.

iptables -A INPUT -p tcp --dport 22 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Per-Client Accounts

all

On 1.1.0 through 1.1.2 the `--restrict-to-path` / `--restrict-to-repository` flags are the control being bypassed, so they cannot be relied on by themselves. Give each backup client its own Unix account that owns only its repository directory (`chown -R borg-alice: /backup` and `chmod 700 /backup` for the account `borg-alice`), so that filesystem permissions confine the client even if it overrides the Borg-level restriction. Keep the flags in the forced command as defence in depth; after the upgrade they are enforced again. The `restrict` option needs OpenSSH 7.2 or later; key shortened:

# ~borg-alice/.ssh/authorized_keys on the server, one dedicated account per client
command="borg serve --restrict-to-path /backup --restrict-to-repository /backup/repo",restrict ssh-ed25519 AAAA... alice@laptop

🧯 If You Can't Patch

  • Run each client's `borg serve` under a dedicated Unix account that owns only that client's repository, so filesystem permissions, not Borg's `--restrict-to-*` flags, are what confine it
  • Issue one SSH key per client, force `borg serve` as its command with the `restrict` option, and revoke the keys of hosts you no longer trust
  • Limit which networks can reach the SSH port (allow-list or VPN); this shrinks the exposure of stolen client keys but does not protect against a compromised client that still holds its key

🔍 How to Verify

Check if Vulnerable:

Run `borg --version` on the backup server (the client's version is irrelevant). Output of 1.1.0, 1.1.1 or 1.1.2 is affected; 1.0.x is not in the affected range, and 1.1.3 or later is fixed.

Check Version:

borg --version

Verify Fix Applied:

After update, verify version is 1.1.3 or later: 'borg --version'
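As an added example that is not part of this advisory or of the BorgBackup project, the following Python script performs both the version check from this section and the authorized_keys audit the per-client-accounts workaround calls for: it lists every `authorized_keys` entry that forces `borg serve`, marks the ones that depend on `--restrict-to-path` / `--restrict-to-repository`, and reports those as at risk when the server's `borg --version` falls in 1.1.0 through 1.1.2. The function names are this example's own, and the sample key file is constructed with placeholder keys. On a real server, feed it the output of `borg --version` and the contents of the backup account's `~/.ssh/authorized_keys`.

```python
"""Audit helper for CVE-2017-15914 (added example, not BorgBackup project code).

Checks a server administrator wants after reading the advisory:
  1. Is the server-side borg in the affected range 1.1.0 <= v < 1.1.3?
  2. Which authorized_keys entries force `borg serve` with --restrict-to-path
     or --restrict-to-repository, i.e. rely on the control this bug bypasses?
All function names are this example's own; the sample key file below is
constructed and contains no real keys.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Key-type prefixes that mark the start of the key field when no options precede it.
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
RESTRICT_FLAGS = ("--restrict-to-path", "--restrict-to-repository")


def parse_borg_version(output: str) -> Optional[Version]:
    """Extract major.minor.patch from `borg --version` output such as 'borg 1.1.2'.
    Pre-release suffixes (1.1.0rc1, 1.1.3.dev5) are ignored, so a 1.1.3 dev build
    is reported as fixed; treat such builds as unpatched unless you know otherwise."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """Affected range per the advisory: 1.1.x before 1.1.3 (1.0.x is not affected)."""
    return (1, 1, 0) <= version < (1, 1, 3)


def split_options(line: str) -> Tuple[str, str]:
    """Split one authorized_keys line into (options, key-and-comment).
    Options end at the first whitespace outside double quotes; a quoted value
    such as a forced command may itself contain spaces."""
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].strip()
    return line, ""


def forced_command(options: str) -> Optional[str]:
    """Return the value of the command= option, with escaped quotes unescaped."""
    m = re.search(r'command="((?:[^"\\]|\\.)*)"', options)
    return m.group(1).replace('\\"', '"') if m else None


def audit_authorized_keys(text: str) -> List[Dict[str, object]]:
    """List every entry that forces `borg serve`, noting whether it relies on
    --restrict-to-* flags (the control CVE-2017-15914 lets a client override)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        cmd = forced_command(options)
        if cmd is None or not re.search(r"(^|/)borg\s+serve\b", cmd):
            continue
        fields = rest.split(None, 2)
        comment = fields[2] if len(fields) > 2 else ""
        findings.append({
            "line": lineno,
            "comment": comment,
            "command": cmd,
            "relies_on_restrict": any(flag in cmd for flag in RESTRICT_FLAGS),
        })
    return findings


def at_risk_entries(version_output: str, authorized_keys_text: str) -> List[Dict[str, object]]:
    """Entries whose isolation depends on --restrict-to-* while the server runs
    an affected version. An empty list means the version is fixed, unparseable,
    or no entry relies on Borg-level restrictions (nothing to bypass)."""
    version = parse_borg_version(version_output)
    if version is None or not is_vulnerable(version):
        return []
    return [f for f in audit_authorized_keys(authorized_keys_text) if f["relies_on_restrict"]]


# Constructed sample authorized_keys for a shared backup account; keys are placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
# backup clients sharing one server account (constructed sample)
command="borg serve --restrict-to-repository /srv/borg/alice",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYALICE alice@laptop
command="/usr/bin/borg serve",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBOB bob@desktop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYADMIN admin@bastion
"""

if __name__ == "__main__":
    for f in at_risk_entries("borg 1.1.2", SAMPLE_AUTHORIZED_KEYS):
        print(f"line {f['line']} ({f['comment']}): relies on --restrict-to-* under vulnerable borg: {f['command']}")
```

Bob's entry is listed by the audit but not reported as at risk: his forced command has no `--restrict-to-*` flags, so there is no Borg-level restriction for the bug to override, and whatever confines him is the account's filesystem permissions. Alice's entry is the one that matters, because on 1.1.0 through 1.1.2 the `--restrict-to-repository` in her forced command is the only thing keeping her key out of other repositories in the same account.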

📡 Detection & Monitoring

Log Indicators:

  • `borg serve` sends its own log output back down the SSH session to the client, not to the server's syslog, so the bypass itself leaves no Borg-side entry in server logs
  • sshd logs (`Accepted publickey for <user> from <ip> ... <key fingerprint>`) showing a backup key used from an unexpected source address, outside the client's backup window, or far more often than its schedule
  • Repository directories touched by a client whose forced command restricts it to a different path (compare file mtimes and owning sessions against each client's schedule; a file-integrity or auditd watch on the repository tree gives this directly)

Network Indicators:

  • Borg traffic is carried inside SSH and is opaque on the wire; the usable signals are SSH connections to the backup server from addresses that are not known backup clients, or from a client host outside its backup window

SIEM Query (pseudo-syntax; field names depend on your SIEM's sshd parser):

source="sshd" AND "Accepted publickey" AND user="backup" AND NOT src_ip IN (known_backup_clients)
