CVE-2021-27878: Security Advisory for Backup Exec version 21.2

An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The attacker could use one of these commands to execute an arbitrary command on the system using system privileges.


Revisions

  • 1.0: March 1, 2021: Initial version
  • 1.1: March 2, 2021: Added CVE IDs

Summary

Veritas Backup Exec version 21.2 includes fixes for three security issues.

Description

Issue   Description                    Severity
1       Unauthorized user access       High
2       Arbitrary file access          High
3       Arbitrary command execution    High

Issue #1: Veritas Backup Exec Agent Unauthorized access with SHA authentication

Summary

Veritas has discovered an issue where Veritas Backup Exec could allow an attacker unauthorized access to the BE Agent via the SHA authentication scheme.

  • CVE ID: CVE-2021-27877
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
  • Overall CVSS Score: 8.2 (High)

Backup Exec Agent supports multiple authentication schemes, and SHA authentication is one of them. This scheme is no longer used in current Backup Exec versions but had not yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to the BE Agent and execute privileged commands. No credentials are required (the CVSS vector carries PR:N), which is why this issue is the entry point for Issues #2 and #3 below.

Affected Versions

Backup Exec versions 16.x, 20.x and 21.x are affected.

All agents on all platforms are affected.

Remediation

The issue has been fixed in Backup Exec 21.2 release.

Mitigation

If the recommended remediation above is not applied, use an administrator account to check for the following registry value (the advisory gives the path relative to the hive):
“Software\Veritas\Backup Exec For Windows\Backup Exec\Engine\Agents\XBSA\Machine\DBAID”
If the key exists and the DBAID value is set to a non-zero value, no further action is required.
If the key does not exist, create it, add a value named DBAID of type string (REG_SZ), and set it to a random string. The advisory describes this as a random hexadecimal string of the form “UIBj_?@BNo8hjR;1RW>3L1h\onZ^acSJC`7^he<2S;l”, although that sample itself contains characters outside the hexadecimal alphabet; generate your own value rather than reusing the published sample. A non-zero DBAID prevents an attacker from using the SHA authentication scheme.
Note that this mitigation is expressed in terms of the Windows registry; the advisory lists no equivalent workaround for agents on other platforms, so for those the 21.2 upgrade is the only remediation given.
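The check-then-create procedure above, as an added PowerShell example written for this page (it is not Veritas code and is not part of the advisory). It assumes the key lives under HKLM (the advisory only gives the path relative to the hive), treats an empty value or the literal "0" as "zero", and follows the advisory's wording literally by generating a random hexadecimal string, which is a choice, not something the advisory specifies beyond its sample. Run it from an elevated PowerShell session; the final call is a dry run.

```powershell
#Requires -RunAsAdministrator
# Added example, not Veritas code. ASSUMPTIONS: the key is under HKLM (the advisory
# gives only the relative path), and "non-zero" means present and not "" / "0".
$KeyPath   = 'HKLM:\SOFTWARE\Veritas\Backup Exec For Windows\Backup Exec\Engine\Agents\XBSA\Machine'
$ValueName = 'DBAID'

function Get-DbaidState {
    # Read-only check. Returns 'Mitigated', 'ZeroValue' or 'Missing'.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return 'Missing' }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $ValueName)) {
        return 'Missing'
    }
    $current = [string]$props.$ValueName
    if ([string]::IsNullOrWhiteSpace($current) -or $current.Trim() -eq '0') { return 'ZeroValue' }
    return 'Mitigated'
}

function New-RandomHexString {
    # 22 random bytes -> 44 hex characters, roughly the length of the advisory's sample.
    # Uses the CSPRNG rather than Get-Random, since the value is what blocks SHA auth.
    param([int]$Bytes = 22)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return (($buf | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Set-DbaidMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Get-DbaidState
    if ($state -eq 'Mitigated') {
        Write-Host "DBAID already set to a non-zero value; no further action required."
        return
    }
    $value = New-RandomHexString
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set REG_SZ value')) {
        # -Force on New-Item creates any missing intermediate keys.
        if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        # -Force on New-ItemProperty overwrites an existing (zero / empty) DBAID.
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $value `
            -PropertyType String -Force | Out-Null
        Write-Host "DBAID set (state before: $state). Verify with:"
        Write-Host "  Get-ItemProperty -LiteralPath '$KeyPath' -Name $ValueName"
    }
}

Set-DbaidMitigation -WhatIf   # dry run; drop -WhatIf to apply
```

Get-DbaidState is separated from Set-DbaidMitigation so the read-only check can be run on its own across an estate (for example via Invoke-Command) to find agents that still accept SHA authentication, while the write path stays behind ShouldProcess so -WhatIf and -Confirm behave as administrators expect.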

Issue #2: Veritas Backup Exec Agent Arbitrary File Access

Summary

Veritas has discovered an issue where Veritas Backup Exec Agent could allow an attacker to supply specially crafted input parameters to a data management protocol command and thereby access an arbitrary file on the BE Agent machine.

  • CVE ID: CVE-2021-27876
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  • Overall CVSS Score: 8.1 (High)

The communication between a client and a Veritas Backup Exec Agent requires successful authentication, which is typically completed over a secure TLS connection. However, due to a vulnerability in the SHA authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The issue is that an authenticated client could use specially crafted input parameters on one of the data management protocol commands to access an arbitrary file on the system using System privileges. The CVSS vector scores this as requiring low privileges (PR:L) because it needs an authenticated connection; in practice Issue #1 supplies that authentication, so the two chain into an unauthenticated arbitrary file read.

Affected Versions

Backup Exec versions 16.x, 20.x and 21.x are affected.

All agents on all platforms are affected.

Remediation

The SHA authentication issue has been fixed in the Backup Exec 21.2 release, which remediates this issue.

Mitigation

Same mitigation as Issue #1 above applies to this issue.

Issue #3: Veritas Backup Exec Agent Arbitrary Command Execution

Summary

Veritas has discovered an issue where Veritas Backup Exec Agent could allow an attacker to use a data management protocol command to execute an arbitrary command on the BE Agent machine.

  • CVE ID: CVE-2021-27878
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Overall CVSS Score: 8.8 (High)

The communication between a client and a Veritas Backup Exec Agent requires successful authentication, which is typically completed over a secure TLS connection. However, due to a vulnerability in the SHA authentication scheme, an attacker may be able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The issue is that an authenticated client could use one of the data management protocol commands to execute an arbitrary command on the system using system privileges. As with Issue #2, the PR:L in the vector assumes an authenticated connection, which Issue #1 provides without credentials; chained together the result is unauthenticated remote command execution with system privileges on the agent host.

Affected Versions

Backup Exec versions 16.x, 20.x and 21.x are affected.

All agents on all platforms are affected.

Remediation

The SHA authentication issue has been fixed in the Backup Exec 21.2 release, which remediates this issue.

Mitigation

Same mitigation as Issue #1 above applies to this issue.

Acknowledgement

Veritas would like to thank Alexander Korotin and Sergey Andreev of Kaspersky Labs for notifying us of these vulnerabilities.

Related news

CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands.