Revisions

1.0: July 29, 2019: Initial release
1.1: July 30, 2019: Added CVE IDs
1.2: July 31, 2019: Corrected affected versions for all issues, corrected severity on issue #4


Summary

Multiple vulnerabilities in Veritas Resiliency Platform (VRP)

Issue  Description                                                                                                   Severity
1      Directory traversal vulnerability related to uploading application bundles                                     Critical
2      Arbitrary command execution vulnerability with root privilege related to DNS server configuration              High
3      Arbitrary command execution vulnerability with root privilege related to resiliency plans and custom scripts   High
4      XSS vulnerability related to resiliency plans                                                                  Medium


Issues

Issue #1

When uploading an application bundle, a directory traversal vulnerability allows a VRP user with sufficient privileges to overwrite any file in the VRP virtual machine. A malicious VRP user could use this to replace existing files to take control of the VRP virtual machine.

CVE ID: CVE-2019-14415
Severity: Critical
CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Affected Products

  • All versions before VRP 3.3.2 HF14
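
The following is an added illustration of the vulnerability class in Issue #1, not code from the advisory or from VRP. It shows the check a bundle-upload handler needs: every archive member name is resolved against the destination directory before anything is written, so a member such as "../../etc/cron.d/x" (or the sibling-prefix trick "../bundles2/x" that a plain startswith() check would pass) rejects the whole bundle. The directory name /srv/bundles and the bundle contents are constructed for the example.

```python
import io
import os
import tempfile
import zipfile


def member_target(dest_root: str, member_name: str):
    """Resolve an archive member name against dest_root.

    Returns the absolute destination path, or None if the member would land
    outside dest_root (absolute name, ".." components, or a sibling-prefix
    name such as "../bundles2/x" that a naive startswith() check accepts).
    """
    root = os.path.normpath(os.path.abspath(dest_root))
    if not member_name or os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        return None
    target = os.path.normpath(os.path.join(root, member_name))
    # commonpath compares whole path components, so "/srv/x" vs "/srv/xy" is caught
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def extract_bundle(zip_bytes: bytes, dest_root: str) -> list:
    """Extract a bundle, refusing the whole archive if any member escapes dest_root.

    All names are validated before the first write, so a malicious bundle
    leaves no partial state behind.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            target = member_target(dest_root, info.filename)
            if target is None:
                raise ValueError("bundle member escapes destination: %r" % info.filename)
            targets.append((info, target))

        real_root = os.path.realpath(dest_root)
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Second check against the filesystem: a symlink already present
            # under dest_root (e.g. from an earlier upload) must not redirect the write.
            if os.path.commonpath([real_root, os.path.realpath(target)]) != real_root:
                raise ValueError("symlink under destination redirects %r" % info.filename)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_root))
        return written


def build_bundle(entries: dict) -> bytes:
    """Constructed test data: build an in-memory zip from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict:
    """Extract a benign and a traversing bundle (both constructed) into a scratch directory."""
    benign = build_bundle({"app/manifest.yml": b"name: demo\n",
                           "app/bin/start.sh": b"#!/bin/sh\n"})
    malicious = build_bundle({"app/manifest.yml": b"name: demo\n",
                              "../../../../etc/cron.d/backdoor": b"* * * * * root /tmp/x\n"})
    results = {}
    with tempfile.TemporaryDirectory() as root:
        results["benign"] = sorted(extract_bundle(benign, root))
        try:
            extract_bundle(malicious, root)
            results["malicious"] = "extracted"
        except ValueError:
            results["malicious"] = "rejected"
        # Confirms nothing from the malicious bundle was written
        results["files_after"] = sorted(
            os.path.relpath(os.path.join(d, f), root)
            for d, _, files in os.walk(root) for f in files)
    return results


if __name__ == "__main__":
    print(demo())
```

The second, realpath-based check matters on an appliance that accepts repeated uploads: a symlink planted by one bundle could otherwise redirect a later, name-clean write outside the destination.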


Issue #2

An arbitrary command execution vulnerability allows a malicious VRP user to execute commands with root privilege within the VRP virtual machine, related to DNS server configuration functionality.

CVE ID: CVE-2019-14416
Severity: High
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products

  • All versions before VRP 3.3.2 HF14


Issue #3

An arbitrary command execution vulnerability allows a malicious VRP user to execute commands with root privilege within the VRP virtual machine, related to resiliency plans and custom script functionality.

CVE ID: CVE-2019-14417
Severity: High
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products

  • All versions before VRP 3.3.2 HF14
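
The following is an added illustration of the vulnerability class shared by Issues #2 and #3, not code from the advisory or from VRP. It puts the injectable pattern (a DNS server value spliced into a shell string) next to the hardened handling: the DNS value is accepted only as an IP literal and written with file I/O, and a custom script is run as an argv list from a fixed directory with the script name restricted to a plain file name. The directory /srv/example/custom-scripts, the script name and the payload are constructed for the example.

```python
import ipaddress
import os
import re
import shlex
import subprocess

# Hypothetical directory for operator-supplied scripts; not a real VRP path.
SCRIPT_DIR = "/srv/example/custom-scripts"
# Allowed script names: a bare file name, no separators, no leading dot.
SCRIPT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def vulnerable_dns_command(dns_server: str) -> str:
    """The injectable pattern: the value typed into a 'DNS server' field is
    spliced into a shell string that a root-owned service runs via sh -c."""
    return "echo 'nameserver %s' >> /etc/resolv.conf" % dns_server


def shell_words(command: str) -> list:
    """Tokenise like sh does (';' and '>>' become separate operators) to show
    where a crafted value turns one command into several."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def validate_dns_server(value: str) -> str:
    """Accept only a bare IPv4/IPv6 literal and return its canonical form.
    Anything else (quotes, ';', '$(...)', hostnames) raises ValueError."""
    return str(ipaddress.ip_address(value.strip()))


def is_valid_dns_server(value: str) -> bool:
    try:
        validate_dns_server(value)
        return True
    except ValueError:
        return False


def resolv_conf(dns_servers: list) -> str:
    """Build the resolver config from validated values with plain file I/O;
    no shell is involved, and rewriting the file beats appending to it."""
    return "".join("nameserver %s\n" % validate_dns_server(s) for s in dns_servers)


def is_valid_script_name(name: str) -> bool:
    return SCRIPT_NAME_RE.fullmatch(name) is not None


def custom_script_argv(name: str, args: list) -> list:
    """argv for a custom script. The name is restricted to a plain file name
    inside SCRIPT_DIR, so '../../bin/sh' or 'x; id' cannot get through, and
    the caller's arguments reach the script as argv, never as shell text."""
    if not is_valid_script_name(name):
        raise ValueError("invalid script name: %r" % name)
    return [os.path.join(SCRIPT_DIR, name)] + [str(a) for a in args]


def run_custom_script(name: str, args: list, timeout: int = 300):
    """shell=False: the script is exec'd directly with this argv. Run the
    service under a dedicated unprivileged account; the root impact in the
    advisory comes from the executing service holding root in the first place."""
    return subprocess.run(custom_script_argv(name, args), shell=False,
                          capture_output=True, text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    payload = "8.8.8.8'; id; '"  # constructed injection value
    print(shell_words(vulnerable_dns_command(payload)))
    print(is_valid_dns_server(payload), resolv_conf(["8.8.8.8", "2001:db8::1"]))
    print(custom_script_argv("failover.sh", ["plan-1", "--dry-run"]))
```

Where a shell really is unavoidable, shlex.quote() on each value is the fallback, but an allow-list plus an argv list removes the shell from the path entirely and is what a root-privileged helper should use.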


Issue #4

A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user’s browser, related to resiliency plans functionality.

CVE ID: CVE-2019-14418
Severity: Medium
CVSS v3 Base Score: 5.9 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)

Affected Products

  • All versions before VRP 3.3.2 HF14
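
The following is an added illustration of the persistent XSS class in Issue #4, not code from the advisory or from VRP. It shows why escaping must happen at output time, per context, for a value such as a plan name that is already stored: HTML text, a URL parameter plus an attribute, and an inline-script JSON context each need their own encoding. The stored payload, the URL path and the field names are constructed for the example.

```python
import html
import json
from urllib.parse import quote

# Constructed stored payload: what a plan author could type into a plan's
# name field if the application stores it verbatim.
STORED_PAYLOAD = '</td><img src=x onerror="alert(document.cookie)">'


def render_plan_cell_vulnerable(plan_name: str) -> str:
    """The stored-XSS pattern: a value read back from the database is
    concatenated into HTML as-is, so it executes in every viewer's browser."""
    return "<td>%s</td>" % plan_name


def render_plan_cell(plan_name: str) -> str:
    """HTML text context: escape & < > \" ' when rendering. Escaping on
    output is what neutralises data that was stored long before."""
    return "<td>%s</td>" % html.escape(plan_name, quote=True)


def render_plan_link(plan_name: str) -> str:
    """Two contexts in one element: the URL parameter is percent-encoded
    (safe='' so '/' is encoded too); the attribute and the link text are HTML-escaped."""
    escaped = html.escape(plan_name, quote=True)
    return '<a href="/plans/view?name=%s" title="%s">%s</a>' % (
        quote(plan_name, safe=""), escaped, escaped)


def plan_json_for_script(plan: dict) -> str:
    """JavaScript context: JSON-encode, then escape '</' so a stored
    '</script>' cannot terminate the inline script block. The result is
    still valid JSON, since '\\/' is a legal JSON escape."""
    return json.dumps(plan).replace("</", "<\\/")


def render_plan_script(plan: dict) -> str:
    return "<script>var plan = %s;</script>" % plan_json_for_script(plan)


if __name__ == "__main__":
    print(render_plan_cell_vulnerable(STORED_PAYLOAD))
    print(render_plan_cell(STORED_PAYLOAD))
    print(render_plan_link(STORED_PAYLOAD))
    print(render_plan_script({"name": "</script><script>alert(1)</script>"}))
```

Input validation on the plan name is still worthwhile, but it does not fix data already in the database; the output encoders above do, which is why the fix for a persistent XSS belongs in the rendering layer.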

Questions

If you have any questions about any information in this security advisory please contact Veritas technical support.


Best Practices

As part of normal best practices, Veritas recommends that customers:

  • Restrict access of administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.


Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas Technologies LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054

http://www.veritas.com/


© 2019 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.