CVE-2020-37185
Denial of Service via Name Field Overflow in Backup Key Recovery
Publication date: 2026-02-11
Last updated on: 2026-02-12
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nsauditor | backup_key_recovery | 2.2.5 |
| nsauditor | backup_key_recovery | to 2.2.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-37185 is a denial of service vulnerability in Backup Key Recovery version 2.2.5 and earlier. It occurs due to improper handling of the 'Name' input field during the registration process, specifically a buffer overflow caused by accepting a 1000-character payload. When an attacker inputs this oversized payload into the registration name field, it overflows the buffer and crashes the application. [1, 2]
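
The CWE-120 pattern described above, next to a bounded alternative, as an added example that is not code from Backup Key Recovery or its vendor. The struct, the function names and the 64-character limit are assumptions; the product's real buffer size is not stated on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for illustration; the product's real buffer size is not published here. */
#define NAME_MAX_LEN 64

enum name_status { NAME_OK = 0, NAME_NULL = -1, NAME_EMPTY = -2, NAME_TOO_LONG = -3 };

/* Hypothetical registration record with a fixed-size name buffer. */
struct registration { char name[NAME_MAX_LEN + 1]; };

/* CWE-120 pattern, shown for contrast only (not compiled):
 *     strcpy(reg->name, input);    copies until NUL and ignores sizeof reg->name
 */

/* Bounded alternative: find the terminator within the limit, reject anything longer. */
enum name_status set_registration_name(struct registration *reg, const char *input)
{
    if (reg == NULL || input == NULL)
        return NAME_NULL;

    /* memchr stops at the first NUL and never reads past NAME_MAX_LEN + 1 bytes. */
    const char *end = memchr(input, '\0', NAME_MAX_LEN + 1);
    if (end == NULL)
        return NAME_TOO_LONG;            /* reject instead of silently truncating */
    size_t len = (size_t)(end - input);
    if (len == 0)
        return NAME_EMPTY;
    memcpy(reg->name, input, len + 1);   /* len + 1 includes the terminator */
    return NAME_OK;
}

/* Constructed input: a 1000-character name, the size this page describes. */
enum name_status check_oversized_name(void)
{
    char big[1001];
    struct registration reg = { "" };
    memset(big, 'A', 1000);
    big[1000] = '\0';
    return set_registration_name(&reg, big);
}

int main(void)
{
    struct registration reg = { "" };
    printf("short name:     %d\n", set_registration_name(&reg, "Alice"));
    printf("1000-char name: %d\n", check_oversized_name());
    return 0;
}
```

Rejecting the oversized name with an error, rather than truncating it, keeps the stored value identical to what the user entered and gives the UI something to report.
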
How can this vulnerability impact me?
This vulnerability can cause the Backup Key Recovery application to crash, resulting in a denial of service condition. An attacker can exploit this by providing a specially crafted input to the 'Name' field during registration, causing the application to become unavailable until restarted. This disrupts normal use of the software but does not lead to data compromise or privilege escalation. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the denial of service condition on the Backup Key Recovery application version 2.2.5 or earlier. Specifically, an attacker or tester can generate a payload of 1000 characters and input it into the 'Name' field during the registration process to see if the application crashes.

A proof-of-concept Python script is available that generates a payload of 1000 "A" characters saved to a file named "poc.txt". The contents of this file can then be pasted into the registration name field to trigger the crash.

There are no specific network commands to detect this vulnerability since it is triggered locally via user interaction in the application.

Suggested steps to test detection:

- Run the provided Python script from the exploit-db resource to generate the payload file.
- Open Backup Key Recovery 2.2.5 and navigate to the registration dialog.
- Paste the contents of the payload file into the 'Name' input field.
- Submit the registration form and observe if the application crashes, indicating the vulnerability is present.

[1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the input of excessively long strings (such as 1000 characters) into the 'Name' field during registration in Backup Key Recovery version 2.2.5 or earlier.

Since the vulnerability requires local user interaction, restricting access to the application and limiting who can perform registration actions can reduce risk.

If possible, upgrade to a version of Backup Key Recovery that has addressed this buffer overflow vulnerability or apply any patches provided by the vendor.

Monitor for application crashes related to the registration process as an indicator of attempted exploitation. [1]