
CVE-2019-3999 (insync client): What You Need to Know About the Druva inSync Windows Client OS Comman



The inSync Electron application is configured in such a way that a malicious local user can execute arbitrary NodeJS code in the context of the inSync client process. An attacker can accomplish this by launching inSync with a URL parameter pointing to an attacker-controlled HTML file containing NodeJS code.


Druva inSync client for Windows exposes a network service on TCP port 6064 on the local network interface. inSync versions 6.6.3 and prior do not properly validate user-supplied program paths in RPC type 5 messages, so any local user who can connect to that port can have the service execute an arbitrary command as SYSTEM. The Metasploit module for this issue has been tested successfully on inSync versions 6.5.2r99097 and 6.6.3r102156 on Windows 7 SP1 (x64).
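The bug class above, as an added example that is not Druva's code and not taken from the advisory: a SYSTEM-level RPC handler that runs whatever program path a local client sends in a type 5 message, next to a hardened handler that canonicalises the path and only accepts an allow-listed binary inside the install directory. The message framing (a little-endian 32-bit type, a 32-bit byte length, then a UTF-16LE path), the install directory and the program allowlist are assumptions made for the demonstration; only port 6064, message type 5 and the missing path validation come from the advisory. The validator goes beyond the bare case and also rejects sibling-directory names, forward-slash spellings and UNC paths, which are the usual ways a naive string-prefix check gets bypassed.

```python
"""Illustrative model of the CVE-2019-3999 bug class: a local RPC service that
takes a program path from an unauthenticated client and runs it as SYSTEM.
Added example code, not Druva's implementation. The message framing
(<u32 LE type><u32 LE byte length><UTF-16LE path>), the install directory and
the program allowlist are assumptions for the demonstration."""
import ntpath
import struct

RPC_TYPE_RUN_PROGRAM = 5  # the advisory says type 5 messages carry the program path
INSTALL_DIR = r"C:\Program Files (x86)\Druva\inSync"  # assumed install location
ALLOWED_PROGRAMS = {"insync.exe", "insyncupgrade.exe"}  # hypothetical allowlist


def encode_message(msg_type: int, payload: str) -> bytes:
    """Build one framed message (hypothetical framing, used for the demo only)."""
    data = payload.encode("utf-16le")
    return struct.pack("<II", msg_type, len(data)) + data


def decode_message(buf: bytes) -> tuple[int, str]:
    """Parse the frame; reject short or truncated input instead of guessing."""
    if len(buf) < 8:
        raise ValueError("short header")
    msg_type, length = struct.unpack_from("<II", buf)
    body = buf[8:8 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    return msg_type, body.decode("utf-16le")


def vulnerable_handler(buf: bytes):
    """Pre-fix behaviour as the advisory describes it: whatever path arrives in a
    type 5 message is handed to the process-creation call by the SYSTEM service."""
    msg_type, path = decode_message(buf)
    if msg_type != RPC_TYPE_RUN_PROGRAM:
        return None
    return path  # returned instead of executed so the demo is safe to run


def validate_program_path(path: str):
    """Return the canonical path if it is an allow-listed binary inside INSTALL_DIR,
    else None. Normalisation happens before the check so '..' segments and forward
    slashes cannot escape; the trailing separator on the base defeats sibling
    directories such as INSTALL_DIR + 'Evil'."""
    if not path or "\x00" in path or not ntpath.isabs(path):
        return None
    norm = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(INSTALL_DIR)) + ntpath.sep
    if not norm.startswith(base):
        return None
    if ntpath.basename(norm) not in ALLOWED_PROGRAMS:
        return None
    return norm


def hardened_handler(buf: bytes):
    """Same dispatch as the vulnerable handler, but only a validated path is passed on."""
    msg_type, path = decode_message(buf)
    if msg_type != RPC_TYPE_RUN_PROGRAM:
        return None
    return validate_program_path(path)


if __name__ == "__main__":
    # Constructed sample paths, not captured traffic.
    samples = [
        r"C:\Program Files (x86)\Druva\inSync\inSync.exe",
        r"C:\Program Files (x86)\Druva\inSync\..\..\..\Windows\System32\cmd.exe",
        r"C:\Program Files (x86)\Druva\inSyncEvil\inSync.exe",
        r"C:/Program Files (x86)/Druva/inSync/../../../Windows/System32/cmd.exe",
        r"\\attacker\share\payload.exe",
    ]
    for p in samples:
        msg = encode_message(RPC_TYPE_RUN_PROGRAM, p)
        print(f"{p!r}\n  vulnerable -> {vulnerable_handler(msg)!r}\n  hardened   -> {hardened_handler(msg)!r}")
```

Two design points matter more than the allowlist itself. First, the check is done on the normalised path, never on the raw string, so a comparison such as `path.startswith(INSTALL_DIR)` cannot be satisfied by a traversal sequence or by a directory whose name merely begins with the install directory. Second, a service that runs as SYSTEM and listens on a local socket should not be trusting the caller at all: path validation limits the damage, but the stronger fix is to authenticate or ACL the endpoint so that an unprivileged local user cannot reach it in the first place.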

