Release overview - Feb 2024
x360Recover 12.5.3 is a security update. We thank Jonathan Brown and netGenius, Inc. for the detailed research and disclosure of this issue.
The changes in this security update have been proactively applied to all active x360Recover systems, regardless of their current version, and all systems have been confirmed to no longer be vulnerable to the issues addressed in this update. All new deployments of x360Recover should use this version. Any new deployment of x360Recover that is made using an older version should immediately upgrade to this version.
Summary of security updates
Issue description: This version resolves a security configuration issue (identified by RB-12583) present on some appliance, private vault, and private GMP systems, where the public key of an Axcient-issued SSH key was present in the authorized key list, allowing SSH login with this key. The corresponding Axcient-issued private key was also present on certain older or other deployed x360Recover systems, which could have used this key to log in to other affected systems if they had network access to them. There is no evidence of any exploitation of this issue.
Scope: x360Recover appliance, private vault, and private GMP systems running versions 10.0 - 12.5.2 were affected. Backup agents and Axcient cloud systems were not vulnerable.
Resolution: All active systems on any version have proactively had a security update applied to invalidate all forms of this key and completely resolve the vulnerability. Systems still on older versions have also had a security update applied to them so that they are secure. All active systems have proactively been confirmed by the Axcient security operations team to no longer be vulnerable to this issue. All new deployments should use version 12.5.3. Any systems that were previously offline/inactive and are brought back online should be upgraded to version 12.5.3.
Timeline:
2024-02-14: Confidential disclosure received and confirmed receipt; analysis begins.
2024-02-15: Vulnerability and root cause confirmed.
2024-02-16: Fix released and update proactively applied to all systems (for any version).
2024-02-16 - 2024-02-20: Security operations team validated that all active systems (on any version) have been updated and are no longer vulnerable.
2024-02-21: Disclosure published and security advisory sent.
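Added example (not Axcient's code or tooling): a Python audit that fingerprints every entry in an authorized key list and flags any that match a revoked key, including entries prefixed with options. This advisory does not publish the affected key's fingerprint, so REVOKED is built from a constructed stand-in key; all function names and sample data are hypothetical.

```python
import base64, hashlib, re

# Find "<keytype> <base64 blob> [comment]" even when options precede it.
KEY_RE = re.compile(r'(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$')

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entries(text: str):
    """Yield (line_no, key_type, fingerprint, comment) for each valid key line."""
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.search(line.strip())
        if line.lstrip().startswith("#") or not m:
            continue
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue
        # The blob starts with a length-prefixed copy of the key type; require
        # agreement so text inside an option value is not mistaken for a key.
        n = int.from_bytes(blob[:4], "big")
        if blob[4:4 + n] != m.group(1).encode():
            continue
        yield no, m.group(1), fingerprint(blob), m.group(3) or ""

def find_revoked(text: str, revoked: set) -> list:
    """Return the entries whose fingerprint is in the revoked set."""
    return [e for e in parse_entries(text) if e[2] in revoked]

def _blob(key_type: str, raw: bytes) -> str:
    """Build a syntactically valid public key blob for the constructed sample."""
    data = b"".join(len(p).to_bytes(4, "big") + p for p in (key_type.encode(), raw))
    return base64.b64encode(data).decode()

# Constructed sample data: neither key is real, and SHARED only stands in
# for the revoked vendor-issued key.
SHARED = _blob("ssh-ed25519", bytes(range(32)))
ADMIN = _blob("ssh-ed25519", bytes(range(32, 64)))
SAMPLE = f"""# constructed authorized_keys content
ssh-ed25519 {ADMIN} admin@example
from="10.0.0.0/8",no-pty ssh-ed25519 {SHARED} vendor-support
"""
REVOKED = {fingerprint(base64.b64decode(SHARED))}

if __name__ == "__main__":
    for no, ktype, fp, comment in find_revoked(SAMPLE, REVOKED):
        print(f"line {no}: revoked {ktype} key {fp} ({comment})")
```

Matching on the fingerprint rather than the comment field catches the key even if its comment was edited or removed.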