CVE-2021-38173

9.8 CRITICAL

📋 TL;DR

CVE-2021-38173 is a command injection vulnerability in Btrbk's SSH filtering script that allows authenticated remote users to execute arbitrary commands on the backup server. This affects systems using Btrbk with SSH key-based authentication for remote backups. Attackers with access to authorized SSH keys can bypass command restrictions and gain shell access.

💻 Affected Systems

Products:
  • Btrbk
Versions: All versions before 0.31.2
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Btrbk's ssh_filter_btrbk.sh script in authorized_keys for SSH command filtering.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the backup server leading to data theft, ransomware deployment, or lateral movement to other systems in the network.

🟠

Likely Case

Unauthorized command execution allowing attackers to read/modify backup data, install malware, or establish persistence on the backup server.

🟢

If Mitigated

Limited impact if proper network segmentation and least privilege access controls are implemented, restricting the backup server's access to other systems.

🌐 Internet-Facing: HIGH if SSH port is exposed to the internet with vulnerable configurations.
🏢 Internal Only: HIGH as authenticated internal users or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to SSH keys configured with the vulnerable filtering script. The vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.31.2 and later

Vendor Advisory: https://github.com/digint/btrbk/blob/master/ChangeLog

Restart Required: No

Instructions:

1. Update Btrbk to version 0.31.2 or later using your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade btrbk
3. For Fedora: sudo dnf update btrbk
4. For manual installation: download from GitHub and follow the installation instructions.

🔧 Temporary Workarounds

Disable SSH key filtering

Remove or disable the ssh_filter_btrbk.sh script from authorized_keys entries.

Edit ~/.ssh/authorized_keys and remove 'command="ssh_filter_btrbk.sh"' from the relevant entries. Note that an entry without the command= option gives that key an unrestricted login shell, so this only makes sense together with restricting which hosts can reach the SSH port at all.

Restrict SSH access

Limit SSH access to backup servers using firewall rules or network segmentation (replace trusted_ip with the address of the backup client):

sudo iptables -A INPUT -p tcp --dport 22 -s trusted_ip -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate backup servers from critical systems
  • Use alternative backup solutions until patching is possible and monitor for suspicious SSH activity

🔍 How to Verify

Check if Vulnerable:

The system is vulnerable if the Btrbk version is below 0.31.2 and ssh_filter_btrbk.sh is referenced in any authorized_keys file.

Check Version:

btrbk --version

Verify Fix Applied:

Verify that the Btrbk version is 0.31.2 or higher and review authorized_keys to confirm that the command filtering entries are still in place.
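The two checks above combined into one script that reports whether a host is exposed. This is an added example, not part of the original advisory or of the btrbk project; it assumes that `btrbk --version` prints a dotted version number somewhere in its output and that restricted keys use the standard `command="..."` option in authorized_keys.

```shell
#!/bin/sh
# Added example, not from the original advisory or the btrbk project: a
# defender-side check combining the two conditions above. Assumptions: the
# output of `btrbk --version` contains a dotted version number, and restricted
# keys use the standard authorized_keys `command="..."` option.

# Return 0 if the version found in $1 is older than 0.31.2, 1 if it is
# 0.31.2 or newer, 2 if no version number could be parsed.
btrbk_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1)
    [ -n "$ver" ] || return 2
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=$1; minor=$2; patch=${3:-0}
    # Collapse the triple into one integer so a single comparison suffices.
    [ "$((major * 1000000 + minor * 1000 + patch))" -lt "$((31 * 1000 + 2))" ]
}

# Print every non-comment authorized_keys line that forces ssh_filter_btrbk.sh
# through command=; exit 0 if at least one exists, 1 otherwise.
btrbk_filter_entries() {
    grep -E '^[^#]*command="[^"]*ssh_filter_btrbk\.sh' "$1"
}

# $1: output of `btrbk --version`, $2: path to an authorized_keys file.
# Exit 0 = vulnerable version AND filter in use, 1 = not affected, 2 = unknown.
check_btrbk_host() {
    rc=0; btrbk_version_vulnerable "$1" || rc=$?
    case $rc in
        2) echo "could not parse btrbk version from: $1"; return 2 ;;
        1) echo "btrbk version is 0.31.2 or later: not affected"; return 1 ;;
    esac
    if btrbk_filter_entries "$2" >/dev/null; then
        echo "VULNERABLE: old btrbk and ssh_filter_btrbk.sh entries in $2"
        return 0
    fi
    echo "old btrbk, but no ssh_filter_btrbk.sh entries in $2"
    return 1
}

# Constructed sample data so the script runs stand-alone (no real hosts or keys).
SAMPLE_KEYS=$(mktemp)
cat >"$SAMPLE_KEYS" <<'EOF'
# backup client key, restricted to btrbk
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target",no-pty ssh-ed25519 AAAAC3Nz-CONSTRUCTED-KEY backup@client
ssh-ed25519 AAAAC3Nz-CONSTRUCTED-KEY2 admin@workstation
EOF
check_btrbk_host "btrbk command line client, version 0.31.1" "$SAMPLE_KEYS" || true
rm -f "$SAMPLE_KEYS"
```

On a real host, replace the constructed sample with `check_btrbk_host "$(btrbk --version)" ~/.ssh/authorized_keys` for each account that accepts backup connections.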

📡 Detection & Monitoring

Log Indicators:

  • Unusual SSH connections to backup servers
  • Unexpected command execution via SSH
  • Failed authentication attempts followed by successful connections

Network Indicators:

  • SSH traffic to backup servers from unexpected sources
  • Unusual outbound connections from backup servers

SIEM Query:

source="auth.log" AND "Accepted publickey" AND ("btrbk" OR "ssh_filter_btrbk")
