CVE-2023-37237: Security Advisory Impacting NetBackup Appliance

In Veritas NetBackup Appliance before 4.1.0.1 MR3, insecure permissions may allow an authenticated Admin to bypass shell restrictions and execute arbitrary operating system commands via SSH.

Revision History

  • 1.0: March 23, 2023 – Initial Public Release

Summary

Veritas has addressed a vulnerability impacting the NetBackup Appliance.

Issue

Restricted Shell Escape

It is possible to bypass the command execution restrictions on an affected host to execute arbitrary operating system commands via SSH.

  • CVE ID: TBA
  • Severity: High
  • CVSS v3.1 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
  • Affected Product & Version:
    • NetBackup Appliance – 4.1.0.1 MR2 and earlier.
  • Recommended action:
    • Upgrade NetBackup Appliance to version 4.1.0.1 MR3 or later.

Questions

For questions or problems regarding this vulnerability, please contact Veritas Technical Support (https://www.veritas.com/support).

Acknowledgement

Veritas would like to thank Ben Leonard-Lagarde & Freddie Sibley-Calder of Modux for notifying us about this issue.

Disclaimer

THE SECURITY ADVISORY IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. ANY FORWARD-LOOKING INDICATION OF PLANS FOR PRODUCTS IS PRELIMINARY AND ALL FUTURE RELEASE DATES ARE TENTATIVE AND ARE SUBJECT TO CHANGE. ANY FUTURE RELEASE OF THE PRODUCT OR PLANNED MODIFICATIONS TO PRODUCT CAPABILITY, FUNCTIONALITY, OR FEATURE ARE SUBJECT TO ONGOING EVALUATION BY VERITAS, AND MAY NOT BE IMPLEMENTED AND SHOULD NOT BE CONSIDERED FIRM COMMITMENTS BY VERITAS AND SHOULD NOT BE RELIED UPON IN MAKING DECISIONS.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054