Axcient Knowledge

●  Status of Axcient Services
Submit a Ticket View My Cases

    Axcient Knowledgebase  /  Axcient x360Recover  /  2024 Release Notes - x360Recover  /  Feb 24 - x360Recover 12.5.3

    Feb 24 - x360Recover 12.5.3

    Super Administrator

    Written By Tami Sutcliffe (Super Administrator)

    Updated at March 7th, 2024

    Release overview 

    x360Recover 12.5.3 is a security update. We thank Jonathan Brown and netGenius, Inc. for the detailed research and disclosure of this issue.

    The changes in this security update have been proactively applied to all active x360Recover systems, regardless of their current version, and all systems have been confirmed to no longer be vulnerable to the issues addressed in this update. All new deployments of x360Recover should use this version. Any new deployment of x360Recover that is made using an older version should immediately upgrade to this version.

    Summary of security updates

    Issue description: This version resolves a security configuration issue (identified by RB-12583) present on some appliance, private vault, and private GMP systems where the public key of an Axcient-issued SSH key was present in the authorized key list to allow SSH login for this key. The corresponding Axcient-issued private key was also in place with certain older or other deployed x360Recover systems, which could have used this key to login to other affected systems if they had network access to the system. There is no evidence of any exploitation of this issue.

    Scope: x360Recover appliance, private vault, and private GMP systems running versions 10.0 - 12.5.2 were affected. Backup agents and Axcient cloud systems were not vulnerable.

    Resolution: All active systems on any version have proactively had a security update applied to invalidate all forms of this key and completely resolve the vulnerability. Systems still on older versions have also had a security update applied to them so that they are secure. All active systems have proactively been confirmed by the Axcient security operations team to no longer be vulnerable to this issue. All new deployments should use version 12.5.3. Any systems that were previously offline/inactive and are brought back online should be upgraded to version 12.5.3.

    Timeline:

    2024-02-14: Confidential disclosure received and confirmed receipt; analysis begins.
    2024-02-15: Vulnerability and root cause confirmed.
    2024-02-16: Fix released and update proactively applied to all systems (for any version).
    2024-02-16 - 2024-02-20: Security operations team validated that all active systems (on any version) have been updated and are no longer vulnerable.
    2024-02-21: Disclosure published and security advisory sent.

     



    SUPPORT | 720-204-4500 | 800-352-0248


    1727

    Related Articles

    Security Update: Log4J Vulnerability

    12/22/2021 Update   Dec 22 Update: BRC Appliance versions >= 10.4 hotfix We've...

    Q3 2023 release highlights: [video: 20 min]

    Axcient release highlights Q3  2023  This  20 minute video showcases the enhancem...

    Jan 2024 release notes

    January 2024 release notes x360Recover 12.5.1 - January 2024     x360Recover Agen...

    Q4 2023 release highlights [video: 23 min]

    Axcient release highlights Q4  2023  This  23 minute video showcases the enhancem...