FTN-20190718: Reverse Protection from AWS Security Vulnerability and Patch Notification

With the introduction of Zerto 6.0, Zerto implemented new functionality for reverse protection and failback from Amazon Web Services (AWS) environments. The new modules are:
  • Zerto AWS Snapshot Adapter (zASA): a snapshot lifecycle manager that returns the entire disk for syncing. The zASA is an EC2 instance that is created once the system detects a VPG for protected workloads in AWS. The zASA instance remains up and running as long as a VPG exists and the ZCA is installed.
  • Zerto Satellite (zSATS): a scale-out solution using EC2 instances to read data from protected EBS disks. Each zSAT is an EC2 instance that reads data from an EBS disk created from the snapshot of the protected EBS disk. Once that disk has been read, the snapshot, the EBS disk and the zSAT instance from the previous sync are deleted.
A security vulnerability was discovered in the AWS Security Group setting for these instances, which allows external parties to access the zASA and zSATS via specially crafted API calls.

Target Audience

All users replicating from an AWS environment with the following Zerto versions: 6.0 (6.0U1, 6.0U2, 6.0U3 and 6.0U4), 6.5 (6.5U1, 6.5U2 and 6.5U3) and 7.0.

The issue was identified within Zerto's internal testing labs. No public exploits have been identified.

Actions to take

Zerto recommends that customers who have active VPGs from AWS to other sites, typically by leveraging Zerto reverse replication from AWS and/or failback from AWS, upgrade to Zerto Virtual Replication 6.5 U4 or Zerto 7.0 U1. Upon upgrade, Zerto will restart all zASA and zSAT AWS instances under the proper security group setting, which allows connectivity only from within the security group of the instances where Zerto is installed.
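As an added defensive check (example code, not Zerto's own), the following Python audits the ingress rules of the security group attached to the zASA/zSAT instances for the posture described above: every rule must reference only the group itself. It consumes the per-group JSON shape returned by `aws ec2 describe-security-groups`; the group ids and sample rules are constructed placeholders.

```python
import ipaddress

PUBLIC = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def _label(perm):
    # Human-readable port/protocol summary of one IpPermissions entry.
    if perm.get("IpProtocol", "-1") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']} {perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_ingress(group):
    """Return (severity, description) findings for one security group.

    Input is the per-group dict from `aws ec2 describe-security-groups`.
    The only acceptable ingress source is the group itself; CIDR ranges,
    managed prefix lists and foreign groups are reported, with the
    catch-all 0.0.0.0/0 and ::/0 rated 'critical'.
    """
    gid = group["GroupId"]
    findings = []
    for perm in group.get("IpPermissions", []):
        label = _label(perm)
        for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for r in perm.get(key, []):
                net = ipaddress.ip_network(r[field], strict=False)
                sev = "critical" if net in PUBLIC else "high"
                findings.append((sev, f"{label} from {r[field]}"))
        for p in perm.get("PrefixListIds", []):
            findings.append(("high", f"{label} from prefix list {p['PrefixListId']}"))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != gid:
                findings.append(("high", f"{label} from group {pair.get('GroupId')}"))
    return findings


# Constructed sample: the weak setting (HTTPS open to the internet) beside the
# intended one (ingress only from the group itself). Group ids are placeholders.
WEAK_GROUP = {"GroupId": "sg-weak-placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
FIXED_GROUP = {"GroupId": "sg-fixed-placeholder", "IpPermissions": [
    {"IpProtocol": "-1",
     "UserIdGroupPairs": [{"GroupId": "sg-fixed-placeholder"}]}]}

if __name__ == "__main__":
    for g in (WEAK_GROUP, FIXED_GROUP):
        print(g["GroupId"], audit_ingress(g) or "OK: ingress limited to the group itself")
```

Run it against the real output of `aws ec2 describe-security-groups --group-ids <zASA/zSAT group>` after the upgrade to confirm the audit returns no findings.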

See Also

AWS Enterprise Guidelines – Zerto Software:

AWS Installation Guide - Zerto Software:

AWS Administration Guide - Zerto Virtual Manager: