Revisions

1.0: May 10, 2017: Initial release
1.1: May 10, 2017: Added CVE
1.2: May 12, 2017: Corrected that an attacker does not need to be authenticated to exploit this vulnerability.
1.3: July 6, 2017: Corrected specific versions of Backup Exec 14 that are affected.

Summary

Use-after-free vulnerability in Veritas Backup Exec agents can lead to a denial of service or remote code execution.

Issue Description Severity Fixed Version

1

Use-after-free vulnerability in multiple Backup Exec agents

Critical

Backup Exec 16 FP1,
Backup Exec 15 14.2.1180.3160,
Backup Exec 2014 14.1.1786.1126

 

Issues

Issue #1

Use-after-free vulnerability in multiple Bacdkup Exec agents

CVE ID: CVE-2017-8895
Severity: Critical
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

There is a use-after-free vulnerability in multiple Veritas Backup Exec agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.

The affected agents are:

  • Backup Exec Agent for Windows
  • Backup Exec Agent for Linux
  • Backup Exec Agent for Mac

 

Affected Products

  • Backup Exec 16 before FP1 (16.0.1142.1327)
  • Backup Exec 15 before 14.2.1180.3160
  • Backup Exec 2014 before 14.1.1786.1126

 

Questions

If you have any questions about any information in this security advisory please contact Veritas technical support.

 

References

 

Acknowledgement

Veritas would like to thank Matthew Daley for reporting this vulnerability.

 

Best Practices

As part of normal best practices, Veritas recommends that customers:

  • Restrict access of administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities

 

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas Technologies LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
500 East Middlefield Road
Mountain View, CA 94043

http://www.veritas.com/

 

© 2017 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.