@kinafu reported a medium vulnerability in borg-cron-helper v1.0.0, introduced by 3a2dd076564195fc7c666b21994e8989195d3692, committed on 2017-09-13. Vulnerability write-up done by @rugk.
Impact
Under the conditions described below, the repo URL used to access a borg repo was written to STDOUT and may thus have been leaked via mail (when this is set up in cron) or in the log file.
The repo address usually is not sensitive information, but in some cases it could contain a server address, port or, if the user does not use ssh keys as recommended, even the login password, which should stay private.
Additionally, if your passphrase contained the string BORG_REPO, it could also have been affected by this issue. This is, however, a very unlikely case.
Conditions
- v1.0.0 or newer (but older than the fixed version) has to be used.
- BORG_REPO must be set, and correctly exported.
Steps to reproduce
- (optional) In the example config file you can enable export BORG_PASSPHRASE (line 12 at the time of writing) and change the passphrase to "1234_BORG_REPO". You must not use BORG_PASSCOMMAND.
- Run ./borgcron_starter.sh.
What you see:
$ ./borgcron_starter.sh
export BORG_PASSPHRASE="1234_BORG_REPO"
export BORG_REPO="ssh://user@somewhere.example:22/./dir"
[…]
If you skipped step one, only the repo URL is shown.
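To check whether existing cron mail or log files already contain such lines, the following added example (not part of borg-cron-helper) reports the line number and variable name of each logged export line containing BORG_REPO, without echoing the value. The function names and the third sample line with an embedded password are constructed for illustration; config_exports_repo shows one way to test for the export using the exit status only.

```shell
#!/bin/sh
# Added example (not part of borg-cron-helper). Values are never printed.

# find_leaks FILE: print "LINE:VARIABLE[ note]" for every logged config
# line of the form `export BORG_...=` that contains the string BORG_REPO.
find_leaks() {
    awk '
        /^[ \t]*export[ \t]+BORG_[A-Z_]+=/ && /BORG_REPO/ {
            line = $0
            sub(/^[ \t]*export[ \t]+/, "", line)
            name = line;  sub(/[=].*/, "", name)      # variable name only
            value = line; sub(/^[^=]*[=]/, "", value) # kept in memory only
            note = ""
            if (name == "BORG_PASSPHRASE")
                note = " passphrase exposed"
            else if (value ~ "://[^/@:]+:[^/@]+@")    # user:password@host
                note = " password in URL"
            printf "%d:%s%s\n", NR, name, note
        }' "$1"
}

# config_exports_repo FILE: answers via exit status; grep -q prints nothing.
config_exports_repo() {
    grep -Eq '^[[:space:]]*export[[:space:]]+BORG_REPO=' "$1"
}

# Constructed sample log. Lines 2 and 3 are the output shown above;
# line 4 is a made-up repo URL carrying a password.
write_sample_log() {
    cat > "$1" <<'EOF'
Backup started
export BORG_PASSPHRASE="1234_BORG_REPO"
export BORG_REPO="ssh://user@somewhere.example:22/./dir"
export BORG_REPO="ssh://user:hunter2@somewhere.example/./dir"
Backup finished
EOF
}

demo_log=$(mktemp)
write_sample_log "$demo_log"
find_leaks "$demo_log"
config_exports_repo "$demo_log" && echo "BORG_REPO is exported (value not shown)"
rm -f "$demo_log"
```
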
Further information
Users who had the string BORG_REPO in their passphrase are advised to change their passphrase (borg change-passphrase).
The reporter had accidentally also implemented a check for the exported passphrase (see this commit) and thus the passphrase was affected by this too and was exposed in the same way. This code, however, was never part of the upstream borg-cron-helper and thus borg-cron-helper was not affected by this issue. A vulnerability exposing the passphrase in such a way would have been a critical vulnerability.
Final statement
The vulnerability has been fixed in borg v1.0.1 released on 2017-09-03 with the commit ff9a723676c040897c17b497778df17f3f409f5f.
Additionally, this vulnerability shows that using BORG_PASSCOMMAND is advised and may prevent vulnerabilities similar to this one, in the helper scripts and in borg itself, in the future.
Timeline
2017-09-01 – Issue privately reported.
2017-09-01 – Preliminary assessment.
2017-09-02 – Reporter fixed issue in their own fork by this commit.
2017-09-03 – @rugk reached out to the reporter, explaining the real impact and further process and sharing this write-up.
2017-09-03 – Fix published and version update released.
2017-09-03 – Advisory published.
2017-09-22 – Uprated vulnerability from "minor" to "medium" as a password may be visible in the repo URL.