CVE-2023-30577
📋 TL;DR
CVE-2023-30577 is an argument injection vulnerability in AMANDA's runtar.c component that allows attackers to execute arbitrary commands. This affects AMANDA backup systems running vulnerable versions, potentially compromising backup integrity and system security. Organizations using AMANDA for network backups are at risk.
💻 Affected Systems
- AMANDA (Advanced Maryland Automatic Network Disk Archiver)
📦 What is this software?
Amanda by Zmanda
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with backup service privileges leading to full system compromise, data exfiltration, and lateral movement across the network.
Likely Case
Local privilege escalation or command injection allowing attackers to manipulate backup processes and access sensitive data.
If Mitigated
Limited impact with proper network segmentation and least privilege service accounts, potentially only affecting backup operations.
🎯 Exploit Status
Exploitation requires some level of access to trigger the vulnerable argument checking in runtar.c. This is a different vulnerability from CVE-2022-37705.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: tag-community-3.5.4 and later
Vendor Advisory: https://github.com/zmanda/amanda/security/advisories/GHSA-crrw-v393-h5q3
Restart Required: Yes
Instructions:
1. Download AMANDA version tag-community-3.5.4 or later from GitHub releases.
2. Stop AMANDA services.
3. Install the updated version following distribution-specific package management or compilation instructions.
4. Restart AMANDA services.
🔧 Temporary Workarounds
Network Segmentation
Isolate AMANDA backup servers from critical systems and limit network access
Service Account Hardening
Run AMANDA services with minimal privileges using dedicated service accounts
sudo useradd -r -s /bin/false amanda_user
sudo chown -R amanda_user:amanda_user /var/lib/amanda
🧯 If You Can't Patch
- Implement strict network access controls to limit who can communicate with AMANDA services
- Monitor AMANDA processes and logs for suspicious activity or unexpected command execution
🔍 How to Verify
Check if Vulnerable:
Run amadmin version, or check the installed package version with the distribution package manager
Check Version:
amadmin version 2>&1 | grep -i version || dpkg -l | grep amanda || rpm -qa | grep -i amanda
Verify Fix Applied:
Confirm the installed version is tag-community-3.5.4 or later and review the release notes for the CVE-2023-30577 fix
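The commands above return a version string in three different shapes (a release tag, a Debian package version, an RPM name). As an added example, not part of this advisory or of the Amanda project, the following POSIX shell script extracts the dotted version from any of them and gates it against the fixed release 3.5.4 taken from the advisory. The package-name glob amanda* passed to dpkg-query and rpm, and the --installed flag, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory or the Amanda project: decide whether a
# version string reported by amadmin, dpkg or rpm is at or past the fixed
# release (tag-community-3.5.4, per the advisory).
FIXED_VERSION="3.5.4"

# Pull the first dotted numeric version out of arbitrary text, e.g.
# "tag-community-3.5.4" -> 3.5.4, "amanda-client 1:3.5.1-8+deb12u1" -> 3.5.1
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# version_ge A B: succeed when A >= B, comparing dot-separated components
# numerically (so 3.5.10 is newer than 3.5.4, and 3.5 is older than 3.5.4).
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# version_status TEXT: print fixed | vulnerable | unknown for the version in TEXT
version_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Collect the installed version text the way the advisory suggests
# (amadmin first, then dpkg, then rpm). The 'amanda*' glob is an assumption.
installed_version_text() {
    if command -v amadmin >/dev/null 2>&1; then
        amadmin version 2>&1 | grep -i version
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${binary:Package} ${Version}\n' 'amanda*' 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa 'amanda*' 2>/dev/null
    fi
    return 0
}

if [ "${1:-}" = "--installed" ]; then
    text=$(installed_version_text)
    printf 'installed: %s -> %s\n' "${text:-<not found>}" "$(version_status "$text")"
else
    # Constructed sample inputs covering the three outcomes.
    for sample in "tag-community-3.5.4" \
                  "ii  amanda-client  1:3.5.1-8+deb12u1  amd64" \
                  "amanda-3.5.4-1.fc39.x86_64" \
                  "no version here"; do
        printf '%-45s %s\n' "$sample" "$(version_status "$sample")"
    done
fi
```

Run it with --installed on a backup server to classify the live installation; without arguments it prints the classification of the constructed samples. A result of unknown means no dotted version could be found in the tool output and the check must be repeated by hand, not treated as fixed.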
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in AMANDA logs
- Errors or warnings related to runtar.c argument processing
- Unexpected backup failures or anomalies
Network Indicators:
- Unusual network connections from AMANDA servers
- Suspicious outbound traffic patterns from backup systems
SIEM Query:
source="amanda.log" AND ("runtar" OR "argument" OR "injection") AND (error OR warning OR fail)
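The same query can be run locally on a backup server before the logs reach a SIEM. As an added example, not part of this advisory, the script below applies the query's two term groups (runtar/argument/injection and error/warning/fail) to a log file or to stdin, and exercises them on a few constructed syslog-style lines; the lines are invented for the demonstration and do not reproduce Amanda's actual log format, and the log path under /var/log/amanda is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory or the Amanda project: host-side
# equivalent of the SIEM query, applied to constructed sample log lines.
TERM_RE='runtar|argument|injection'
SEVERITY_RE='error|warning|fail'

# suspicious_lines: read log text on stdin, print lines matching both groups
suspicious_lines() {
    grep -iE "$TERM_RE" | grep -iE "$SEVERITY_RE"
}

# count_suspicious TEXT: number of matching lines in TEXT (prints 0 when none)
count_suspicious() {
    n=$(printf '%s\n' "$1" | suspicious_lines | grep -c .)
    echo "${n:-0}"
}

# scan_log_file PATH: print matching lines with their line numbers for triage
scan_log_file() {
    grep -niE "$TERM_RE" "$1" | grep -iE "$SEVERITY_RE"
    return 0
}

# Constructed sample lines (invented; not real Amanda output). Two lines carry a
# runtar/argument term together with a severity word; the rest should not match.
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 02:00:01 backup1 amandad[1234]: runtar: starting tar for /home
Jan 10 02:00:02 backup1 amandad[1234]: runtar: error: argument rejected by option check
Jan 10 02:00:03 backup1 amandad[1234]: backup of /home failed: timeout
Jan 10 02:00:04 backup1 amandad[1235]: runtar: warning: unexpected argument format
Jan 10 02:00:05 backup1 amandad[1234]: argument list parsed
EOF
)

if [ -n "${1:-}" ]; then
    # Assumed log location, e.g. /var/log/amanda/server/<config>/amandad.*.debug
    scan_log_file "$1"
else
    echo "suspicious lines in sample: $(count_suspicious "$SAMPLE_LOG")"
    printf '%s\n' "$SAMPLE_LOG" | suspicious_lines
fi
```

Pass a log path as the only argument to scan a real file; the line numbers let a responder pull the surrounding context. The two-stage grep mirrors the query's AND of two OR groups, so a line such as "backup of /home failed" that carries a severity word but none of the runtar terms is deliberately not reported.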
🔗 References
- https://github.com/zmanda/amanda/releases/tag/tag-community-3.5.4
- https://github.com/zmanda/amanda/security/advisories/GHSA-crrw-v393-h5q3
- https://lists.debian.org/debian-lts-announce/2023/12/msg00003.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OITHG7FBD7HQRX2XT75GSGWB3D6XSZU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YYGJJARVLRBMNWSNXKZBXZNX3M53OVPA/