ZERTO FIELD NOTICE FTN- 20190718: ZERTO “FROM AWS” SECURITY VULNERABILITY AND PATCH NOTIFICATION

Article number

000004355

Affected Versions

All

ZERTO FIELD NOTICE FTN- 20190718: ZERTO “FROM AWS” SECURITY VULNERABILITY AND PATCH NOTIFICATION

Viewed 34 times

Notice

Date: 7/18/2019

Field Technical Notice: FTN-20190718

Zerto Versions Affected:

6.0, 6.0U1, 6.0U2, 6.0U3 and 6.0U4
6.5, 6.5U1, 6.5U2, 6.5U3
7.0

Description

With the introduction of Zerto 6.0, Zerto implemented a new functionality for reverse-protection and failback from Amazon Web Services (AWS) environments. The new modules are:

Zerto AWS Snapshot Adapter (zASA): This is a snapshots lifecycle manager that returns the entire disk for syncing. The zASA is an EC2 instance that is created once the system detects there is a VPG for protected workloads in AWS. The zASA instance remains up and running as long as a VPG exists and the ZCA is installed.
Zerto Satellite (zSATS): Scale-out solution with EC2 instances for reading data on protected EBS disks. The zSAT is an EC2 instance for reading data from the EBS disk that is created from the snapshot of the protected EBS disk. Once that disk is read, the snapshot, EBS disk and zSAT instance from the previous sync are deleted.

A security vulnerability was discovered in the AWS Security Group setting which allows external parties to access zASA and zSATS via specially crafted API calls.

Background

The issue has been identified within the Zerto internal testing labs. No public exploits have been identified.

Actions to take

Zerto recommends that customers who have active VPGs from AWS to other sites, typically by leveraging Zerto reverse-replication from AWS and/or failback from AWS, upgrade to Zerto Virtual Replication 6.5 U4 or Zerto 7.0 U1. Upon upgrade, Zerto will restart all zASA and zSAT AWS instances under the proper security group setting which allows connectivity only within the security group of the instances where Zerto is installed.