PT-2020-20080 · Backblaze · Backblaze for macOS, Backblaze for Windows

Jason Geffner · Published 2020-12-27 · Updated 2020-12-31 · CVE-2020-8289

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Backblaze for Windows, versions prior to 7.0.1.433
Backblaze for macOS, versions prior to 7.0.1.434

Description

The issue arises from improper certificate validation in the bztransmit helper: the helper carries a hardcoded whitelist of strings, and certificate validation is disabled for any URL in which one of those strings appears. This could lead to possible remote code execution via the client update functionality.

Recommendations

For Backblaze for Windows versions prior to 7.0.1.433, update to version 7.0.1.433 or later. For Backblaze for macOS versions prior to 7.0.1.434, update to version 7.0.1.434 or later. As a temporary workaround, consider disabling the bztransmit helper until a patch is available.
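An added illustration of the pattern the description names, written for this page and not Backblaze's code: a constructed URL policy that switches off TLS verification whenever an allowlisted string occurs anywhere in the URL, beside a hardened policy that always verifies and compares the parsed hostname exactly. The allowlist entry and the sample URLs are placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder entry; the advisory does not give the real whitelist.
UPDATE_HOST_ALLOWLIST = ("updates.vendor-placeholder.example",)


def flawed_policy(url: str) -> dict:
    """The pattern the advisory describes: certificate validation is turned
    off whenever an allowlisted string occurs anywhere in the URL. Because
    this is a substring test on the whole URL rather than a check of the
    host that will actually be contacted, it also disables validation for
    a URL on an unrelated host whose path or name contains the string."""
    verify_tls = not any(entry in url for entry in UPDATE_HOST_ALLOWLIST)
    return {"verify_tls": verify_tls, "allowed": True}


def hardened_policy(url: str) -> dict:
    """Hardened form: TLS verification is unconditional, and the allowlist
    only gates which hosts may serve updates, compared against the parsed
    hostname (exact match, HTTPS only), never against a URL substring."""
    parts = urlsplit(url)
    allowed = parts.scheme == "https" and parts.hostname in UPDATE_HOST_ALLOWLIST
    return {"verify_tls": True, "allowed": allowed}


def audit(urls):
    """Return the URLs for which the flawed policy would skip certificate
    validation although the hardened policy would not accept them as an
    update source, i.e. exactly the cases where the substring test is wrong."""
    return [
        u for u in urls
        if not flawed_policy(u)["verify_tls"] and not hardened_policy(u)["allowed"]
    ]


if __name__ == "__main__":
    # Constructed sample URLs: one genuine update host, two lookalike URLs.
    SAMPLE_URLS = [
        "https://updates.vendor-placeholder.example/client/update.pkg",
        "https://other-host.test/updates.vendor-placeholder.example/update.pkg",
        "https://updates.vendor-placeholder.example.other-host.test/update.pkg",
    ]
    for u in audit(SAMPLE_URLS):
        print("validation wrongly disabled for:", u)
```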

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2020-8289

Affected Products

Backblaze for Windows
Backblaze for macOS