VTS23-011
NetBackup Snapshot Manager RabbitMQ Authentication Bypass Vulnerability
Revision History
- 1.0: July 26, 2023: Initial version
- 1.1: July 28, 2023: Updated Issue description
- 1.2: August 25, 2023: Added CVE ID
Summary
A vulnerability was discovered in Veritas NetBackup Snapshot Manager which allowed untrusted clients to interact with the RabbitMQ service.
Issue
The vulnerability was caused by improper validation of the client certificate due to misconfiguration of the RabbitMQ service. Exploiting this vulnerability impacts the confidentiality and integrity of messages controlling the backup and restore jobs and could result in the service becoming unavailable. This vulnerability impacts only the jobs controlling the backup and restore activities and does not allow access or deletion of the backup snapshot data itself. This vulnerability is confined to the NetBackup Snapshot Manager feature and does not impact the RabbitMQ instance on the NetBackup primary servers.
- CVE ID: CVE-2023-40256
- Severity: Critical
- CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CWE: 295 - Improper Certificate Validation
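The advisory does not say which RabbitMQ setting was misconfigured. As an added illustration (not Veritas code, and not the actual faulty configuration), the following audit script reads a rabbitmq.conf and reports whether RabbitMQ's documented TLS options (ssl_options.verify, ssl_options.fail_if_no_peer_cert, ssl_options.cacertfile) actually require and validate a client certificate; the two configurations it inspects are constructed samples.

```python
"""Audit a rabbitmq.conf for settings that weaken client certificate validation (CWE-295)."""

# Constructed sample: a TLS listener is enabled, but peer verification is effectively off.
WEAK_CONF = """
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca_certificate.pem
ssl_options.certfile   = /etc/rabbitmq/server_certificate.pem
ssl_options.keyfile    = /etc/rabbitmq/server_key.pem
ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false
"""

# Constructed sample: the hardened equivalent using RabbitMQ's documented options.
HARDENED_CONF = """
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca_certificate.pem
ssl_options.certfile   = /etc/rabbitmq/server_certificate.pem
ssl_options.keyfile    = /etc/rabbitmq/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
"""


def parse_conf(text):
    """Parse the sysctl-style rabbitmq.conf format: 'key = value' lines, '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit_client_cert_validation(text):
    """Return a list of findings; an empty list means client certificates are enforced."""
    s = parse_conf(text)
    findings = []
    if not any(k.startswith("listeners.ssl.") for k in s):
        findings.append("no TLS listener configured")
    # RabbitMQ defaults to verify_none, so an absent key is as weak as an explicit one.
    if s.get("ssl_options.verify") != "verify_peer":
        findings.append("ssl_options.verify is not verify_peer: client certificate chain is not checked")
    # Without fail_if_no_peer_cert, a client presenting no certificate is still accepted.
    if s.get("ssl_options.fail_if_no_peer_cert", "false") != "true":
        findings.append("ssl_options.fail_if_no_peer_cert is not true: clients without a certificate are accepted")
    if "ssl_options.cacertfile" not in s:
        findings.append("no ssl_options.cacertfile: no trust anchor to validate client certificates against")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_client_cert_validation(conf) or ["OK"])
```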
Affected Versions
Veritas NetBackup Snapshot Manager Versions 8.3.0.1, 8.3.0.2, 9.0, 9.1, 9.1.0.1, 10.0, 10.0.0.1, 10.1, 10.1.1, 10.2. Earlier unsupported versions of the predecessor Veritas NetBackup CloudPoint application may be affected as well.
Remediation
Customers under a current maintenance contract should update NetBackup Snapshot Manager as described below:
- Upgrade to 10.2.0.1 (highly recommended)
- Deploy the 10.1.1 Hotfix (upgrade to 10.1.1 is a pre-requisite)
- Deploy the 10.0.0.1 Hotfix (upgrade to 10.0.0.1 is a pre-requisite)
See the Veritas Download Center for available updates: https://www.veritas.com/support/en_US/downloads
Questions
For questions or problems regarding this vulnerability, please contact Veritas Technical Support (https://www.veritas.com/support).
Acknowledgement
Veritas would like to thank Palindrome Technologies for responsibly reporting this issue to us.
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054