Revisions
- 1.0: November 5, 2019, Initial release
- 1.1: November 5, 2019, Corrected information related to Access Appliance blocking port 14150
- 1.2: November 6, 2019, Added CVE ID, corrected links to patches, clarified affected versions
Summary
Arbitrary command injection vulnerability in the Veritas Access and Access Appliance.
Issue | Description | Severity |
---|---|---|
1 | Arbitrary command injection vulnerability in the Cluster Server (VCS) component of Veritas InfoScale included in Veritas Access and Access Appliance allows an unauthenticated remote attacker to execute arbitrary commands as root. | Critical |
Issues
Issue #1
There is an arbitrary command injection vulnerability in the Cluster Server (VCS) component of Veritas InfoScale that is included in Veritas Access and Access Appliance. This vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the host system or appliance as root, potentially allowing an attacker to take complete control of the system.
This issue could result in:
- The loss of data managed by the product.
- The loss of confidentiality of data managed by the product.
- The loss of data on other systems for which the product has stored credentials. The product encrypts these credentials; however, an attacker running as root also has access to the keys needed to decrypt them.
- The installation of malware or crypto-mining software on the host system.
Other undesirable outcomes are also possible.
CVE ID: CVE-2019-18780
Severity: Critical
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products
- Access 7.4.2 and earlier, but only if port 14150 has been manually unblocked. The default configuration blocks that port, so a default installation is not exposed to this issue.
- Access Appliance before 7.4.2.100. Port 14150 is blocked starting with 7.4.2.100, so those releases are not exposed to this issue.
Mitigation
- This vulnerability can be mitigated by routing all traffic to the product through a firewall and having the firewall block all traffic on port 14150.
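The following script is an added example, not part of the Veritas advisory or of the product itself. It shows the two things an operator wants when applying this mitigation: a check that a host no longer accepts connections on port 14150 from the network position an attacker would use, and the firewall rule that enforces the block. The script assumes the service on 14150 is TCP (the advisory names only the port number) and that the list of hosts to audit is supplied on the command line; the nft rule assumes an existing `inet filter` table with an `input` chain, which is why the iptables form is offered as well. The local listener class exists only so the check can be exercised offline.

```python
"""Audit hosts for an exposed TCP/14150 listener and render a blocking rule.

Added example for the Veritas Access / Access Appliance advisory; assumptions:
  - the VCS service on port 14150 is TCP (the advisory states only the port)
  - hosts to audit are given by the operator (argv), not discovered
"""
import socket
import sys
from typing import Dict, Iterable

VCS_PORT = 14150  # port named in the advisory


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A refused or timed-out connection both count as "not reachable", which is
    the state the mitigation (firewall DROP on 14150) should produce.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(hosts: Iterable[str], port: int = VCS_PORT,
          timeout: float = 2.0) -> Dict[str, bool]:
    """Map each host to whether it still accepts connections on `port`.

    Run this from outside the firewall; a True result means the mitigation
    is not in effect for that host.
    """
    return {h: port_reachable(h, port, timeout) for h in hosts}


def block_rule(port: int = VCS_PORT, tool: str = "iptables") -> str:
    """Render a rule that drops inbound TCP connections to `port`.

    'iptables' inserts at the top of INPUT; 'nft' assumes an existing
    'inet filter' table with an 'input' chain (assumption, not from the page).
    """
    if tool == "iptables":
        return f"iptables -I INPUT -p tcp --dport {port} -j DROP"
    if tool == "nft":
        return f"nft add rule inet filter input tcp dport {port} drop"
    raise ValueError(f"unknown firewall tool {tool!r}")


class LocalListener:
    """Throwaway loopback TCP listener so the check can be exercised offline.

    Constructed test fixture; it stands in for a host exposing port 14150.
    """

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def close(self) -> None:
        self.sock.close()


def demo() -> Dict[str, bool]:
    """Show the check flipping from exposed to blocked using the local fixture."""
    listener = LocalListener()
    exposed = port_reachable("127.0.0.1", listener.port, 1.0)
    listener.close()  # simulates the port being blocked/closed
    blocked = not port_reachable("127.0.0.1", listener.port, 1.0)
    return {"exposed_before": exposed, "blocked_after": blocked}


if __name__ == "__main__":
    targets = sys.argv[1:] or ["127.0.0.1"]
    for host, open_ in audit(targets).items():
        state = "EXPOSED" if open_ else "blocked/closed"
        print(f"{host}:{VCS_PORT} {state}")
    print("rule:", block_rule())
```

Usage: `python3 audit_14150.py access-node1 access-node2` from a machine on the untrusted side of the firewall; any host reported EXPOSED still needs the rule (or the patch). A result of blocked/closed from inside the management network says nothing about what an external attacker can reach, so run the check from where the advisory's threat model places the attacker.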
Remediation
- Patches are available for Access 7.4.2 and for Access Appliance 7.4.2.100. Customers on earlier versions must either deploy the mitigation described above or upgrade to 7.4.2 (Access) or 7.4.2.100 (Access Appliance) and then apply the patch.
Questions
If you have any questions about any information in this security advisory please contact Veritas technical support.
Best Practices
As part of normal best practices, Veritas recommends that customers:
- Restrict access of administration or management systems to privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas Technologies LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054
© 2019 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.