SB2022030116 - Multiple vulnerabilities in Cobian Backup

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Untrusted search path (CVE-ID: N/A)

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to an unquoted service path flaw in "C:\Program Files (x86)\Cobian Backup 11\cbService.exe". A local user can use a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Input validation error (CVE-ID: N/A)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the Password field in the "Cobian Backup 11 Gravity User Interface". A local attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://packetstormsecurity.com/files/166157
• https://www.exploit-db.com/exploits/50791
• https://packetstormsecurity.com/files/166156
• https://www.exploit-db.com/exploits/50790