CVE-2022-36617 Report

From: Sam Haskins
To: ██████████
Product: Arq Backup
Date: July 15th, 2022
Date of public disclosure: September 7th, 2022
Attachments:
arqbackup.zip


09/07/2022 Author's Note:
As of September 7th, 2022, CVE-2022-36617 has been patched with the release of Arq Backup 7.19.10.0 for Windows / 7.19.3 for macOS.

Hi Stefan,

First off, let me just say that I really like Arq Backup. I've been using it on my laptop for over a year now, and it fills its niche perfectly.

The vulnerability I discovered is that backup encryption passwords are stored locally in a reversibly encrypted way, which would allow malware running locally with administrative privileges to steal the user's password(s). I've included a proof of concept demo script of this in the attached zip file (password is "█████████").

Thankfully, this is pretty easy to fix. As Arq already derives the backup encryption key from the user's password with a slow key derivation function, it does not have to store the user's password—only the derived encryption key.

Note that it is not a problem to store other types of secrets (e.g. OAuth refresh tokens, etc.) in a reversibly encrypted way as they are not reused. In contrast, users will reuse passwords elsewhere, so compromise by an attacker grants access beyond that legitimately needed for Arq's normal operation.

I will be following the industry standard of responsible disclosure with this vulnerability, as elucidated in Google's policy. Your deadline is (July 14 + 90 days = ) October 12th, 2022.

Please notify me when you have successfully reproduced the vulnerability using my proof of concept, or if you have trouble doing so. Additionally, feel free to email me about any other matter in connection with my report; I'm here to help.

Thank you for your time.

Kind regards,
Sam Haskins

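The storage change recommended in the report above, as an added example. This is not Arq's code and says nothing about Arq's actual on-disk format: the local "wrapping" is a toy SHA-256 keystream standing in for whatever OS-level reversible protection (DPAPI, Keychain, or similar) an application would use, scrypt stands in for Arq's slow key derivation function, and all names, records and candidate passwords are constructed for illustration. It contrasts the reported pattern (the password itself is wrapped and recoverable by anything that can drive the unwrap) with the fix (only the KDF output is wrapped, so local malware still gets the backup key the application must have, but recovering the reusable password costs a full KDF run per guess).

```python
"""Reversibly stored password vs. stored derived key (constructed example)."""
import hashlib
import secrets
from typing import Iterable, Optional

KEY_LEN = 32
# scrypt parameters kept modest so the example runs quickly; real deployments
# pick them for the target hardware. Stand-in for Arq's own slow KDF.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def derive_backup_key(password: str, salt: bytes) -> bytes:
    """Slow KDF: password + salt -> backup encryption key."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def _keystream(local_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. Stands in for the OS-provided
    reversible wrapping that malware running as the user/admin can also drive."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(local_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(local_key: bytes, plaintext: bytes) -> dict:
    nonce = secrets.token_bytes(16)
    ks = _keystream(local_key, nonce, len(plaintext))
    return {"nonce": nonce, "ct": bytes(a ^ b for a, b in zip(plaintext, ks))}


def unwrap(local_key: bytes, blob: dict) -> bytes:
    ks = _keystream(local_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


# --- Pattern the report describes as vulnerable: the password is stored reversibly ---

def store_password_reversibly(password: str, local_key: bytes) -> dict:
    return {"salt": secrets.token_bytes(16),
            "wrapped_password": wrap(local_key, password.encode("utf-8"))}


def run_backup_from_password_record(record: dict, local_key: bytes) -> bytes:
    """Legitimate use: unwrap the password, re-derive the backup key every run."""
    password = unwrap(local_key, record["wrapped_password"]).decode("utf-8")
    return derive_backup_key(password, record["salt"])


def malware_reads_password(record: dict, local_key: bytes) -> str:
    """Anything with the same local privileges recovers the reusable password."""
    return unwrap(local_key, record["wrapped_password"]).decode("utf-8")


# --- Fix: derive once at setup, store only the derived key ---

def store_derived_key_only(password: str, local_key: bytes) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped_key": wrap(local_key, derive_backup_key(password, salt))}


def run_backup_from_key_record(record: dict, local_key: bytes) -> bytes:
    """Legitimate use no longer needs the password at all."""
    return unwrap(local_key, record["wrapped_key"])


def malware_reads_key_record(record: dict, local_key: bytes) -> bytes:
    """Malware still obtains the backup key (unavoidable, since the application
    needs it), but it is scoped to this backup set rather than reused elsewhere."""
    return unwrap(local_key, record["wrapped_key"])


def guess_password(record: dict, local_key: bytes, candidates: Iterable[str]) -> Optional[str]:
    """The only route from the fixed record back to the password: offline
    guessing, paying the full KDF cost for every candidate."""
    target = unwrap(local_key, record["wrapped_key"])
    for cand in candidates:
        if derive_backup_key(cand, record["salt"]) == target:
            return cand
    return None


if __name__ == "__main__":
    lk = bytes(range(32))  # constructed stand-in for the OS-held wrapping key
    bad = store_password_reversibly("hunter2", lk)
    print("reversible record leaks:", malware_reads_password(bad, lk))
    good = store_derived_key_only("hunter2", lk)
    print("fixed record yields only a key:", malware_reads_key_record(good, lk).hex())
    print("guessing cost per candidate is one KDF run:",
          guess_password(good, lk, ["password", "letmein", "hunter2"]))
```

Both records give the application the same backup key at backup time, so the fix does not change Arq's normal operation; the difference is only in what an attacker who can read and unwrap the local store learns.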

Timeline:
(America/Toronto time zone)
July 11th, 2022: Vulnerability discovered.
July 13th, 2022: Initial contact made with vendor via support email.
July 15th, 2022: Report submitted to vendor.
July 20th, 2022: Contacted by vendor president.
July 20-28, 2022: Vulnerability acknowledged by vendor.
July 21st, 2022: CVE requested.
August 10th, 2022: Notified by vendor that a patch was developed.
September 2nd, 2022: Assigned CVE-2022-36617.
September 6th, 2022: Patched version released.
September 7th, 2022: Report published.
October 12th, 2022: 90-day public disclosure deadline.