Revision History
- 1.0: December 23, 2020: Initial version
- 1.1: January 08, 2021: Added CVE IDs, updated Remediation and Mitigation sections
Summary
As part of our ongoing testing process, Veritas has discovered issues where Veritas NetBackup and OpsCenter could allow an attacker to run arbitrary code with administrator privileges.
Issue #1
CVE ID: CVE-2020-36169
Severity: Critical
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
NetBackup processes using OpenSSL attempt to load and execute libraries from paths that do not exist by default on the Windows operating system. By default, on Windows systems, users can create directories on any drive (for example, directly under C:\). If a low-privileged user on the Windows system creates an affected path containing a library that NetBackup attempts to load, they can execute arbitrary code as SYSTEM or Administrator. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, all installed applications, etc.
This vulnerability affects NetBackup master servers, media servers, clients and OpsCenter servers on the Windows platform.
The system is vulnerable during an install or upgrade and post-install during normal NetBackup operations.
Issue #2
CVE ID: CVE-2020-36163
Severity: Critical
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
NetBackup processes using Strawberry Perl attempt to load and execute libraries from paths that do not exist by default on the Windows operating system. By default, on Windows systems, users can create directories under C:\. If a low-privileged user on the Windows system creates an affected path containing a library that NetBackup attempts to load, they can execute arbitrary code as SYSTEM or Administrator. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, all installed applications, etc.
This vulnerability affects NetBackup master servers, media servers, clients and OpsCenter servers on the Windows platform.
The system is vulnerable during an install or upgrade on all systems, and post-install on master, media and OpsCenter servers during normal NetBackup operations.
Affected Versions
NetBackup and OpsCenter versions 8.3.0.1 and earlier are affected.
The issue only affects the Windows platform.
CloudPoint: If using CloudPoint, please see detailed instructions provided in the Veritas CloudPoint Advisory.
Remediation
Customers under a current maintenance contract can download and install the NetBackup HotFix to fix the vulnerabilities on an already installed NetBackup master server, media server or client, and the OpsCenter HotFix to fix the vulnerabilities on an already installed OpsCenter server.
If you want to install or upgrade to an affected version of NetBackup or OpsCenter, follow the steps listed in the Mitigation section before starting the install or upgrade. Note: this must be done even if you are upgrading from a version that already has the HotFix installed. Once the install or upgrade has completed, install the HotFix for the installed version of NetBackup/OpsCenter.
Recommended Actions:
Existing Installation
NetBackup Version | Client | Media | Master | OpsCenter |
---|---|---|---|---|
9.0 and later | N/A | N/A | N/A | N/A |
8.3.0.1 | HotFix | HotFix | HotFix | HotFix |
8.3 | HotFix | HotFix | HotFix | HotFix |
8.2 | HotFix | HotFix | HotFix | HotFix |
8.1.2 | HotFix | HotFix | HotFix | HotFix |
8.1.1 | Workaround only | Workaround only | Workaround only | Workaround only |
8.1 | Workaround only | Workaround only | Workaround only | Workaround only |
8.0 | Workaround only | Workaround only | Workaround only | Workaround only |
7.7.3 | Workaround only | Workaround only | Workaround only | Workaround only |
New Installation
NetBackup Version | Client | Media | Master | OpsCenter |
---|---|---|---|---|
9.0 and later | N/A | N/A | N/A | N/A |
8.3.0.1 | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix |
8.3 | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix |
8.2 | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix |
8.1.2 | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix |
8.1.1 | Workaround only | Workaround only | Workaround only | Workaround only |
8.1 | Workaround only | Workaround only | Workaround only | Workaround only |
Upgrade Installation
NetBackup Version | Client | Media | Master | OpsCenter |
---|---|---|---|---|
9.0 and later | N/A | N/A | N/A | N/A |
8.3.0.1 | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix |
8.3 | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix |
8.2 | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix |
8.1.2 | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix | Workaround and HotFix |
8.1.1 | Workaround only | Workaround only | Workaround only | Workaround only |
8.1 | Workaround only | Workaround only | Workaround only | Workaround only |
Mitigation
NOTE: Veritas strongly recommends running version 9.0 or later or a HotFix'ed version.
Workaround
- This workaround lowers the risk until the HotFix is applied, if available, or the system is updated to version 9.0 or later.
- Securing Directories
  - Using an administrator account, create the directories listed below and set the ACL on each directory to deny write access to all other users.
  - If a directory already exists and its ACL allows write access to other users, update the ACL so that only administrator accounts have write access.
  - These directories should not be deleted.
  - \usr\local\ssl
    - OS installation drive, for example C:\usr\local\ssl
    - NetBackup installation drive, for example D:\usr\local\ssl
  - C:\strawberry (8.1.2 and higher versions)
  - C:\Temp\strawberry (8.1.1 and lower versions)
- For any NetBackup command, "cd" to the directory containing the NetBackup command before running it.
Existing Installation
- If a HotFix is available
  - Apply the HotFix for the installed version
- If a HotFix is not available
  - Apply the workaround steps listed above
New Installation
- If installing version 9.0 or later
  - Perform the new installation
  - No further action is required
- If installing a version older than 9.0
  - Apply the workaround steps listed above
  - Perform the new installation
  - If a HotFix is available, apply the HotFix for the installed version
Upgrade Installation
- If upgrading to version 9.0 or later
  - Perform the upgrade
  - The directories outlined in the workaround may be deleted.
- If upgrading to a version older than 9.0
  - Apply the workaround steps listed above (this must be done even if you are upgrading from a version that already has the HotFix installed)
  - Perform the upgrade
  - If a HotFix is available, apply the HotFix for the new version
One example of clearing write permission for non-administrator users:
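The following PowerShell script is an added example, not code from the Veritas advisory: it creates the four directories the workaround names, breaks ACL inheritance on each so the drive root's default "Users may create folders/files" entries no longer apply, grants Full Control only to Administrators and SYSTEM, and then re-audits every directory to confirm no other principal holds a write-type right. The `-NetBackupDrive` parameter and the script name used in the usage note are assumptions (the advisory's example install drive is D:); it must be run from an elevated session on the Windows host.

```powershell
# Added example (not part of the Veritas advisory): applies the "Securing
# Directories" workaround and verifies the result.
# Assumptions: elevated PowerShell 5.1+ session on the NetBackup/OpsCenter host;
# $NetBackupDrive is a hypothetical parameter for the NetBackup install drive.
param(
    [string] $NetBackupDrive = 'D:'   # adjust to match your system
)

$osDrive = $env:SystemDrive            # usually C:

# Directories named in the advisory's workaround. Select-Object -Unique collapses
# the list when NetBackup is installed on the OS drive.
$paths = @(
    "$osDrive\usr\local\ssl",          # OpenSSL path, OS drive (CVE-2020-36169)
    "$NetBackupDrive\usr\local\ssl",   # OpenSSL path, NetBackup install drive
    "$osDrive\strawberry",             # Strawberry Perl, 8.1.2 and later (CVE-2020-36163)
    "$osDrive\Temp\strawberry"         # Strawberry Perl, 8.1.1 and earlier
) | Select-Object -Unique

# Principals that may keep write access; every other principal is restricted.
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-WritableByNonAdmin {
    # Returns $true when the directory is missing (any user could create it) or
    # when an Allow ACE gives a non-trusted principal any write-type right.
    param([Parameter(Mandatory)][string] $Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $true }

    $writeBits = [int][System.Security.AccessControl.FileSystemRights] `
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_ALL | GENERIC_WRITE: inherited CREATOR OWNER ACEs use generic bits.
    $genericBits = 0x10000000 -bor 0x40000000

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int] $ace.FileSystemRights
        if ((($rights -band $writeBits) -ne 0) -or (($rights -band $genericBits) -ne 0)) { return $true }
    }
    return $false
}

function New-DirRule([string] $Identity, [System.Security.AccessControl.FileSystemRights] $Rights) {
    # Allow ACE that applies to the directory, its subdirectories and its files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    New-Object System.Security.AccessControl.FileSystemAccessRule $Identity, $Rights, $inherit, $propagate, 'Allow'
}

function Set-RestrictedDirectory {
    # Creates the directory if needed, discards inherited and pre-existing ACEs,
    # and grants Full Control to the trusted principals only. Other users get
    # read/execute so processes can still traverse the path, but no write right.
    param([Parameter(Mandatory)][string] $Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)       # protect DACL, drop inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($ace)            # drop explicit ACEs already present
    }
    foreach ($id in $trusted) {
        $acl.AddAccessRule((New-DirRule $id 'FullControl'))
    }
    $acl.AddAccessRule((New-DirRule 'BUILTIN\Users' 'ReadAndExecute, Synchronize'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($p in $paths) {
    $before = Test-WritableByNonAdmin -Path $p
    Set-RestrictedDirectory -Path $p
    $after  = Test-WritableByNonAdmin -Path $p
    '{0,-32} writable by non-admins before: {1,-5} after: {2}' -f $p, $before, $after
}
```

Run it as, for example, `.\Secure-NetBackupDirs.ps1 -NetBackupDrive 'E:'` (the file name is hypothetical). The script restricts access by granting rights only to Administrators and SYSTEM rather than adding an explicit Deny ACE for Users: a Deny entry takes precedence over Allow entries and would also block administrators, who are normally members of BUILTIN\Users, from writing there. `Test-WritableByNonAdmin` can be reused on its own as a periodic check, which matters because the advisory requires the workaround to be reapplied before every install or upgrade to a version older than 9.0; `icacls <path>` shows the resulting ACL for manual confirmation.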
Download Information
Note: These downloads address both vulnerabilities listed at the top of this document.
- HotFix
  - OpenSSL Update Hotfixes for NetBackup 8.1.2
    - NetBackup 8.1.2 - Upgrade of OpenSSL on Windows Master or Media Server (ET 4020525)
      - https://www.veritas.com/support/en_US/downloads/update.UPD637939
    - NetBackup 8.1.2 HotFix - Upgrade of OpenSSL on Windows Clients (ET 4021310)
      - https://www.veritas.com/support/en_US/downloads/update.UPD748218
    - NetBackup OpsCenter 8.1.2 HotFix - Upgrade of OpenSSL on Windows OpsCenter Servers (ET 4021454)
      - https://www.veritas.com/support/en_US/downloads/update.UPD471540
  - OpenSSL Update Hotfixes for NetBackup 8.2
    - NetBackup 8.2 HotFix - Upgrade of OpenSSL on Windows Master or Media Server (ET 4020077)
      - https://www.veritas.com/support/en_US/downloads/update.UPD255190
    - NetBackup 8.2 HotFix - Upgrade of OpenSSL on NetBackup Windows Clients (ET 4021217)
      - https://www.veritas.com/support/en_US/downloads/update.UPD450754
    - NetBackup OpsCenter 8.2 HotFix - Upgrade of OpenSSL on Windows OpsCenter Servers (ET 4021453)
      - https://www.veritas.com/support/en_US/downloads/update.UPD518556
  - OpenSSL Update Hotfixes for NetBackup 8.3
    - NetBackup 8.3 HotFix - Upgrade of OpenSSL on Windows Master or Media Server (ET 4021901)
      - https://www.veritas.com/support/en_US/downloads/update.UPD475064
    - NetBackup 8.3 HotFix - Upgrade of OpenSSL on Windows Clients (ET 4022116)
      - https://www.veritas.com/support/en_US/downloads/update.UPD870749
    - NetBackup OpsCenter 8.3 HotFix - Upgrade of OpenSSL on Windows OpsCenter Servers (ET 4022185)
      - https://www.veritas.com/support/en_US/downloads/update.UPD606869
  - OpenSSL Update Hotfixes for NetBackup 8.3.0.1
    - NetBackup 8.3.0.1 HotFix - Upgrade of OpenSSL on Windows Master or Media Server (ET 4019812)
      - https://www.veritas.com/support/en_US/downloads/update.UPD793441
    - NetBackup 8.3.0.1 HotFix - Upgrade of OpenSSL on Windows Clients (ET 4021146)
      - https://www.veritas.com/support/en_US/downloads/update.UPD882155
    - NetBackup OpsCenter 8.3.0.1 HotFix - Upgrade of OpenSSL on Windows OpsCenter Servers (ET 4021447)
      - https://www.veritas.com/support/en_US/downloads/update.UPD480348
Questions
For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).