Revisions

  • 1.0: March 1, 2021: Initial version
  • 1.1: March 2, 2021: Added CVE IDs

Summary

Veritas Backup Exec version 21.2 includes fixes for three security issues.

Description

Issue Description Severity

1

Unauthorized user access

High

2

Arbitrary file access

High

3

Arbitrary command execution

High

Issue #1: Veritas Backup Exec Agent Unauthorized access with SHA authentication

Summary

Veritas has discovered an issue where Veritas Backup Exec could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.

  • CVE ID: CVE-2021-27877
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
  • Overall CVSS Score: 8.2 (High)

Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them. This authentication scheme is no longer used within Backup Exec versions, but hadn’t yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to the BE Agent and execute privileged commands.

Affected Versions

Backup Exec versions 16.x, 20.x and 21.x are affected.

All agents on all platforms are affected.

Remediation

The issue has been fixed in Backup Exec 21.2 release.

Mitigation

If not applying a recommended remediation listed above, using an administrator account check for the following registry key.
"Software\Veritas\Backup Exec For Windows\Backup Exec\Engine\Agents\XBSA\Machine\DBAID"
If the registry key exists and the DBAID value is set to a non-zero value, no further action is required.
If the registry key does not exist, create the registry key of type string (REG_SZ) and set the value of DBAID to a random hexadecimal string of the form “UIBj_?@BNo8hjR;1RW>3L1h\onZ^acSJC`7^he<2S;l”. This will prevent an attacker from using the SHA authentication scheme.

Issue #2: Veritas Backup Exec Agent Arbitrary File Access

Summary

Veritas has discovered an issue where Veritas Backup Exec Agent could allow an attacker to specially craft input parameters on a data management protocol command to access an arbitrary file on the BE Agent machine.

  • CVE ID: CVE-2021-27876
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  • Overall CVSS Score: 8.1 (High)

The communication between a client and a Veritas Backup Exec Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The issue is that an authenticated client could use specially crafted input parameters on one of the data management protocol commands to access an arbitrary file on the system using System privileges.

Affected Versions

Backup Exec versions 16.x, 20.x and BE 21.x are affected.

All agents on all platforms are affected.

Remediation

The SHA Authentication issue has been fixed in Backup Exec 21.2 release which remediates this issue.

Mitigation

Same mitigation as Issue #1 above applies to this issue.

Issue #3: Veritas Backup Exec Agent Arbitrary Command Execution

Summary

Veritas has discovered an issue where Veritas Backup Exec Agent could allow an attacker to use a data management protocol command to execute an arbitrary command on the BE Agent machine.

  • CVE ID: CVE-2021-27878
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Overall CVSS Score: 8.8 (High)

The communication between a client and Veritas Backup Exec Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to vulnerability in SHA Authentication scheme, an attacker may be able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The issue is that an authenticated client could use one of the data management protocol commands to execute an arbitrary command on the system using system privileges.

Affected Versions

Backup Exec versions 16.x, 20.x and 21.x are affected.

All agents on all platforms are affected.

Remediation

The SHA Authentication issue has been fixed in Backup Exec 21.2 release which remediates this issue.

Mitigation

Same mitigation as Issue #1 above applies to this issue.

Questions

For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support).

Acknowledgement

Veritas would like to thank Alexander Korotin and Sergey Andreev of Kaspersky Labs for notifying us of these vulnerabilities.