CVE-2020-8290

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers to escalate privileges on systems running vulnerable Backblaze backup software. By exploiting improper permission handling in the bztransmit helper, attackers can place malicious update binaries that execute with elevated privileges. This affects Windows and macOS users running Backblaze versions before 7.0.0.439.

💻 Affected Systems

Products:
  • Backblaze for Windows
  • Backblaze for macOS
Versions: All versions before 7.0.0.439
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects standard installations of Backblaze backup software. The vulnerability is in the bztransmit helper component used for client updates.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where an attacker gains root/administrator access, installs persistent malware, steals all data, and uses the system as a foothold for lateral movement.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional malware, access protected files, and maintain persistence on the compromised system.

🟢 If Mitigated

Limited impact with proper privilege separation, where attackers remain confined to user-level access without ability to escalate privileges.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Any compromised user account on a system with vulnerable Backblaze can escalate to root/administrator privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access to the system. Public proof-of-concept code is available on GitHub demonstrating the privilege escalation technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.0.439 and later

Vendor Advisory: https://www.backblaze.com/blog/backblaze-cloud-backup-release-7-0-0-439/

Restart Required: Yes

Instructions:

1. Open the Backblaze application.
2. Check for updates in settings.
3. Install the update to version 7.0.0.439 or later.
4. Restart the system to ensure all components are updated.

🔧 Temporary Workarounds

Disable Backblaze Service

Platforms: all

Temporarily disable Backblaze service to prevent exploitation while planning permanent fix

Windows: sc stop BackblazeService
macOS: sudo launchctl unload /Library/LaunchDaemons/com.backblaze.bzserv.plist

Restrict bztransmit Permissions

Platforms: all

Set restrictive permissions on bztransmit helper binary to prevent unauthorized execution

Windows: icacls "C:\Program Files (x86)\Backblaze\bztransmit.exe" /deny Everyone:(RX)
macOS: sudo chmod 700 /Library/Backblaze.bzpkg/bztransmit

🧯 If You Can't Patch

  • Uninstall Backblaze software completely from affected systems
  • Implement strict access controls to prevent local user compromise through other means

🔍 How to Verify

Check if Vulnerable:

Check Backblaze version in application settings or by examining installed version. Versions below 7.0.0.439 are vulnerable.

Check Version:

Windows: wmic product where name="Backblaze" get version
macOS: defaults read /Library/Backblaze.bzpkg/bzdata/bzinfo.xml | grep -i version

Verify Fix Applied:

Confirm Backblaze version is 7.0.0.439 or higher in application settings or via version check command.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized creation or modification of files in Backblaze update directories
  • Unexpected execution of bztransmit with elevated privileges
  • Suspicious process creation from Backblaze directories

Network Indicators:

  • Unusual outbound connections from Backblaze processes post-exploitation

SIEM Query:

Process creation where (parent_process contains 'bz' OR process_name contains 'bztransmit') AND integrity_level changed
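The SIEM query above is pseudo-logic. As an added example that is not part of the original advisory or of Backblaze's own tooling, the following implements it over constructed process-creation telemetry: a Backblaze-related child process is flagged when it runs at a higher integrity level than its parent. The event field names, the integrity-level ordering and all process names other than bztransmit and bzserv are assumptions.

```python
from dataclasses import dataclass

# Assumed ordering of Windows integrity levels, least to most privileged
INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}


@dataclass
class ProcEvent:
    """One process-creation event; field names are assumed EDR-style."""
    pid: int
    ppid: int
    process_name: str
    parent_process: str
    integrity_level: str


def is_backblaze_related(ev: ProcEvent) -> bool:
    """Mirror the advisory's filter: parent contains 'bz' or child is bztransmit."""
    return ("bz" in ev.parent_process.lower()
            or "bztransmit" in ev.process_name.lower())


def find_suspicious(events: list[ProcEvent]) -> list[ProcEvent]:
    """Return Backblaze-related events whose integrity level rose above the parent's.

    'integrity_level changed' is interpreted as an upward change, since a
    helper spawned from a medium-integrity user process that runs as high or
    system is the pattern this CVE's privilege escalation would produce.
    """
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        if not is_backblaze_related(ev):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue  # parent not in the window; cannot compare levels
        child_rank = INTEGRITY_RANK.get(ev.integrity_level.lower(), -1)
        parent_rank = INTEGRITY_RANK.get(parent.integrity_level.lower(), -1)
        if child_rank > parent_rank:
            hits.append(ev)
    return hits


# Constructed sample telemetry (not real captured data)
SAMPLE_EVENTS = [
    ProcEvent(4, 0, "services.exe", "wininit.exe", "system"),
    ProcEvent(100, 1, "explorer.exe", "winlogon.exe", "medium"),
    ProcEvent(200, 100, "bzbui.exe", "explorer.exe", "medium"),        # user-level client UI
    ProcEvent(300, 200, "bztransmit.exe", "bzbui.exe", "high"),         # elevated from medium parent
    ProcEvent(400, 4, "bzserv.exe", "services.exe", "system"),          # legitimate service
    ProcEvent(500, 400, "bztransmit.exe", "bzserv.exe", "system"),      # same level as parent
    ProcEvent(600, 100, "notepad.exe", "explorer.exe", "medium"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.pid} {hit.process_name} from {hit.parent_process} "
              f"at {hit.integrity_level}")
```

Only the bztransmit instance spawned from the medium-integrity UI process is flagged; the service-spawned copy running at the same level as bzserv is not.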
