CVE-2023-28759: Hotfix for Security Advisory Impacting NetBackup Clients and Servers

An issue was discovered in Veritas NetBackup before 10.0. A vulnerability in the way NetBackup validates the path to a DLL prior to loading it may allow a lower-level user to elevate privileges and compromise the system.


Revision History

  • 1.0: End of September 2022 – Initial Public Release
  • 1.1: March 2023 – Added Issue #3

Summary

Veritas has addressed three vulnerabilities affecting NetBackup servers and clients: an arbitrary file delete and a denial of service in the pbx_exchange registration code, and a DLL path validation flaw that allows local privilege escalation.

Issues

Issue #1: Arbitrary file delete

An attacker with local access can delete arbitrary files by leveraging a path traversal in the registration code of pbx_exchange (the Veritas Private Branch Exchange service). The CVSS vector reflects that the deletion is carried out by the service with its own privileges: no privileges are required of the attacker (PR:N) and the scope is changed (S:C), which is what pushes the rating to Critical.

  • CVE ID: CVE-2022-42308
  • Severity: Critical
  • CVSS v3.1 Base Score: 9.0 (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)
  • Affected Versions: 8.2 and earlier
  • Recommended action:
    • NetBackup Servers: upgrade to 8.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    • NetBackup Clients: upgrade to 8.2 or 8.1.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    • NetBackup Appliance: upgrade to 3.2 and apply appropriate Hotfix OR upgrade to 3.3.x or later.
    • Flex Appliance: apply the NetBackup Hotfix corresponding to the NetBackup container version running on the Flex appliance.
    • Flex Scale: Not impacted.
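The traversal pattern behind Issue #1, shown as an added example rather than Veritas's code: a toy POSIX "unregister" handler that removes a per-client state file. The directory layout, the unregister_* function names and the scratch tree built by demo_traversal() are assumptions made for the example. The vulnerable handler splices the client-supplied name straight into a path under the registration directory; the hardened one rejects separators and dot names, canonicalises with realpath() and requires the result to stay inside the directory, which also catches a planted symlink.

```c
/* Added illustration of the Issue #1 pattern, not Veritas code. The
 * registration directory, function names and scratch tree are assumptions. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: the client-supplied name is spliced into a path and
 * unlinked as-is, so a name such as "../../etc/passwd" escapes reg_dir. The
 * deletion runs with the service's privileges, not the client's. */
int unregister_vuln(const char *reg_dir, const char *name)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", reg_dir, name) >= (int)sizeof path)
        return -1;
    return unlink(path);
}

/* Hardened pattern: refuse separators and dot names outright, then
 * canonicalise with realpath() and require the result to lie inside the
 * canonical reg_dir. realpath() follows symlinks, so a link planted inside
 * reg_dir that points outside is rejected as well. 0 on success, -1 otherwise. */
int unregister_safe(const char *reg_dir, const char *name)
{
    char path[PATH_MAX], canon_dir[PATH_MAX], canon_path[PATH_MAX];
    size_t dlen;

    if (name[0] == '\0' || strchr(name, '/') ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    if (snprintf(path, sizeof path, "%s/%s", reg_dir, name) >= (int)sizeof path)
        return -1;
    if (!realpath(reg_dir, canon_dir) || !realpath(path, canon_path))
        return -1;                          /* no such file: nothing to delete */
    dlen = strlen(canon_dir);
    if (strncmp(canon_path, canon_dir, dlen) != 0 || canon_path[dlen] != '/')
        return -1;                          /* resolved outside reg_dir */
    return unlink(canon_path);
}

static int exists(const char *p) { return access(p, F_OK) == 0; }
static int touch(const char *p) { FILE *f = fopen(p, "w"); if (!f) return -1; fclose(f); return 0; }

/* Builds a constructed scratch tree under mkdtemp(): reg/clientA (legitimate
 * entry), victim (outside reg/) and reg/link -> ../victim (planted symlink).
 * Returns 1 when the hardened handler blocks both escapes but still deletes
 * clientA, and the vulnerable handler deletes victim. */
int demo_traversal(void)
{
    char root[] = "/tmp/pbxregXXXXXX";
    char reg[64], client[128], victim[128], link[128];
    int ok = 1;

    if (!mkdtemp(root)) return 0;
    snprintf(reg, sizeof reg, "%s/reg", root);
    snprintf(client, sizeof client, "%s/clientA", reg);
    snprintf(victim, sizeof victim, "%s/victim", root);
    snprintf(link, sizeof link, "%s/link", reg);
    if (mkdir(reg, 0700) || touch(client) || touch(victim) || symlink("../victim", link))
        return 0;

    ok &= unregister_safe(reg, "../victim") == -1 && exists(victim); /* traversal blocked */
    ok &= unregister_safe(reg, "link") == -1 && exists(victim);      /* symlink escape blocked */
    ok &= unregister_safe(reg, "clientA") == 0 && !exists(client);   /* normal delete works */
    ok &= unregister_vuln(reg, "../victim") == 0 && !exists(victim); /* vulnerable: gone */

    unlink(link); rmdir(reg); rmdir(root);
    return ok;
}

int main(void)
{
    printf("hardened handler contained every escape: %s\n", demo_traversal() ? "yes" : "no");
    return 0;
}
```

Rejecting the name before building the path is the cheap check; the realpath() containment check is the one that matters, because it is evaluated on what the filesystem will actually resolve, symlinks included. On Windows the same idea is written with GetFullPathName and backslash-aware prefix comparison.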

Issue #2: Denial of service

An attacker with local access can send a specially crafted packet to pbx_exchange during registration that triggers a null-pointer dereference, crashing the pbx_exchange process.

  • CVE ID: CVE-2022-42306
  • Severity: Medium
  • CVSS v3.1 Base Score: 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
  • Affected Versions: 8.2 and earlier
  • Recommended action:
    • NetBackup Servers: upgrade to 8.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    • NetBackup Clients: upgrade to 8.2 or 8.1.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    • NetBackup Appliance: upgrade to 3.2 and apply appropriate Hotfix OR upgrade to 3.3.x or later.
    • Flex Appliance: apply the NetBackup Hotfix corresponding to the NetBackup container version running on the Flex appliance.
    • Flex Scale: Not impacted.
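The crash pattern behind Issue #2, as an added example that is not Veritas code and does not describe the real pbx_exchange wire format: a toy registration packet parser with an optional trailing block. The layout, the names and the three constructed packets are assumptions made for the example. The vulnerable handler assumes the optional block is always present and dereferences a NULL pointer when a crafted packet omits it; the hardened parser bounds-checks every length and the hardened handler treats the absent block as a reportable condition.

```c
/* Added illustration of the Issue #2 pattern, not Veritas code. The wire
 * format, names and sample packets below are assumptions made for the
 * example and do not describe the real pbx_exchange protocol. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: [u8 name_len][name][u8 opt_len][opt bytes]; opt_len == 0
 * means the client sent no options block and opts is left NULL. */
typedef struct {
    char           name[32];
    const uint8_t *opts;        /* NULL when the options block is absent */
    size_t         opts_len;
} reg_msg;

/* 0 on success, -1 if the packet is truncated or malformed. Every length
 * field is checked against the number of bytes actually received. */
int parse_reg(const uint8_t *pkt, size_t len, reg_msg *m)
{
    size_t pos = 0, nlen, olen;
    if (len < 1) return -1;
    nlen = pkt[pos++];
    if (nlen == 0 || nlen >= sizeof m->name || pos + nlen + 1 > len) return -1;
    memcpy(m->name, pkt + pos, nlen);
    m->name[nlen] = '\0';
    pos += nlen;
    olen = pkt[pos++];
    if (pos + olen > len) return -1;
    m->opts     = olen ? pkt + pos : NULL;
    m->opts_len = olen;
    return 0;
}

/* Vulnerable handler: assumes the options block is always there. A crafted
 * packet with opt_len == 0 leaves opts NULL and this dereference crashes the
 * process, which is the denial of service the advisory describes. */
uint8_t reg_flags_vuln(const reg_msg *m)
{
    return m->opts[0];                      /* NULL dereference on crafted input */
}

/* Hardened handler: an absent options block is a valid, reportable state. */
int reg_flags_safe(const reg_msg *m, uint8_t *flags_out)
{
    if (m->opts == NULL || m->opts_len == 0) return -1;
    *flags_out = m->opts[0];
    return 0;
}

/* Constructed sample packets (not captured traffic): well-formed, crafted
 * to omit the options block, and truncated in the middle of the name. */
static const uint8_t pkt_good[]    = { 5, 'a','g','e','n','t', 2, 0x01, 0x02 };
static const uint8_t pkt_no_opts[] = { 5, 'a','g','e','n','t', 0 };
static const uint8_t pkt_trunc[]   = { 9, 'a','g','e' };

/* Returns the flag byte (1) for the well-formed packet. */
int demo_good(void)
{
    reg_msg m; uint8_t f;
    if (parse_reg(pkt_good, sizeof pkt_good, &m) != 0) return -2;
    return reg_flags_safe(&m, &f) == 0 ? f : -3;
}

/* Returns -1: the hardened handler reports the missing block instead of
 * crashing; calling reg_flags_vuln() on the same message would segfault. */
int demo_no_opts(void)
{
    reg_msg m; uint8_t f;
    if (parse_reg(pkt_no_opts, sizeof pkt_no_opts, &m) != 0) return -2;
    return reg_flags_safe(&m, &f);
}

/* Returns -1: the truncated packet never reaches a handler. */
int demo_truncated(void)
{
    reg_msg m;
    return parse_reg(pkt_trunc, sizeof pkt_trunc, &m);
}

int main(void)
{
    printf("good=%d no_opts=%d truncated=%d\n", demo_good(), demo_no_opts(), demo_truncated());
    return 0;
}
```

The point of the split between parser and handler is that a parser can be fully correct and still hand later code an optional field that is legitimately NULL; every consumer of such a field needs its own check, and the crash in the advisory is what happens when one of them does not have it.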

Issue #3: Privilege Escalation

A vulnerability in the way NetBackup validates the path to a DLL prior to loading it may allow a lower-level user to elevate privileges and compromise the system. This is the DLL planting pattern: when a privileged process loads a library by an insufficiently validated path, a user who can write to a directory on that path can supply a DLL that the process then executes with its own privileges.

  • CVE ID: CVE-2023-28759 (the advisory text lists it as TBD; the identifier is the one in the headline above)
  • Severity: High
  • CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Impacted Components: Primary and Media Servers and Clients
  • Affected Versions: Any prior to 10.0
  • Recommended action:
    • NetBackup Primary & Media Servers and Clients: Upgrade to NetBackup 10.0 or later
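The load-path check behind Issue #3, as an added example that is not Veritas code: a plug-in loader that accepts only an absolute path inside an assumed trusted directory (TRUSTED_DIR) and, on Windows, loads it with LoadLibraryExA and an explicit search policy instead of LoadLibraryA on a bare name. The directory and all function names are assumptions; the path checks are plain string logic and compile anywhere, while the two load functions are compiled only under _WIN32.

```c
/* Added illustration of the Issue #3 pattern, not Veritas code. The trusted
 * directory and all function names are assumptions; the Windows load calls
 * compile only under _WIN32, the path checks compile anywhere. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#ifndef LOAD_LIBRARY_SEARCH_SYSTEM32          /* older SDK headers */
#define LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR 0x00000100
#define LOAD_LIBRARY_SEARCH_SYSTEM32     0x00000800
#endif
#endif

#define TRUSTED_DIR "C:\\Program Files\\ExampleApp\\bin"   /* assumed install dir */

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Windows paths are case-insensitive and accept either separator. */
static int chr_eq(char a, char b)
{
    if (is_sep(a) && is_sep(b)) return 1;
    return tolower((unsigned char)a) == tolower((unsigned char)b);
}

static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (!chr_eq(*s, *prefix)) return 0;
    return 1;
}

/* 1 only for an absolute drive-letter path that lies inside trusted_dir,
 * has no empty, "." or ".." segment and names a .dll. Bare module names,
 * relative paths, UNC paths and traversal out of trusted_dir all return 0. */
int dll_path_is_trusted(const char *path, const char *trusted_dir)
{
    size_t tlen = strlen(trusted_dir), plen = strlen(path);
    const char *p;

    if (!(isalpha((unsigned char)path[0]) && path[1] == ':' && is_sep(path[2])))
        return 0;                                   /* not an absolute local path */
    if (!has_prefix_ci(path, trusted_dir) || !is_sep(path[tlen]) || path[tlen + 1] == '\0')
        return 0;                                   /* outside trusted_dir */
    for (p = path + tlen + 1; *p; ) {
        const char *seg = p;
        size_t slen;
        while (*p && !is_sep(*p)) p++;
        slen = (size_t)(p - seg);
        if (slen == 0 || (slen == 1 && seg[0] == '.') ||
            (slen == 2 && seg[0] == '.' && seg[1] == '.'))
            return 0;                               /* empty, "." or ".." segment */
        if (*p) p++;
    }
    return plen > 4 && has_prefix_ci(path + plen - 4, ".dll");
}

/* Hardened path construction: the plug-in name must be a single component,
 * and the joined path must still pass the full check. 0 on success. */
int build_plugin_path(const char *name, char *out, size_t outlen)
{
    size_t tlen = strlen(TRUSTED_DIR), nlen = strlen(name);
    if (strpbrk(name, "\\/:")) return -1;
    if (tlen + 1 + nlen + 1 > outlen) return -1;
    memcpy(out, TRUSTED_DIR, tlen);
    out[tlen] = '\\';
    memcpy(out + tlen + 1, name, nlen + 1);
    return dll_path_is_trusted(out, TRUSTED_DIR) ? 0 : -1;
}

/* 1 if build_plugin_path() would accept the name. */
int plugin_name_accepted(const char *name)
{
    char full[260];                                 /* MAX_PATH */
    return build_plugin_path(name, full, sizeof full) == 0;
}

#ifdef _WIN32
/* Vulnerable pattern: a bare name goes through the DLL search order
 * (application directory, system directories, current directory, PATH), so a
 * user who can write to any directory on that path plants the DLL that this
 * privileged process then loads. */
HMODULE load_plugin_vuln(const char *name) { return LoadLibraryA(name); }

/* Hardened pattern: full validated path plus an explicit search policy, so
 * the DLL's own dependencies resolve only from System32 and its directory. */
HMODULE load_plugin_safe(const char *name)
{
    char full[MAX_PATH];
    if (build_plugin_path(name, full, sizeof full) != 0) return NULL;
    return LoadLibraryExA(full, NULL,
                          LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR);
}
#endif

int main(void)
{
    printf("helper.dll accepted: %d, ..\\evil.dll accepted: %d\n",
           plugin_name_accepted("helper.dll"), plugin_name_accepted("..\\evil.dll"));
    return 0;
}
```

The check is deliberately stricter than what a normalising call like GetFullPathName would produce: it refuses anything it cannot reason about (relative, UNC, mixed dot segments) rather than trying to canonicalise it. The other half of the fix, on the operational side, is making sure no directory the service searches is writable by non-administrators.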

Notes

This Security Advisory, VTS22-010, also addresses the issues identified in VTS22-008, which was released earlier. If you have not already applied VTS22-008, it is not necessary to apply it before applying the fixes in this advisory. If you have already applied VTS22-008, you can safely apply VTS22-010 on top of it.

Questions

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).

Acknowledgement

Veritas would like to thank the following Airbus Security Team members for notifying us about Issues #1 and #2:
Mouad Abouhali, Benoît Camredon, Nicholas Devillers, Anaïs Gantet, and Jean-Romain Garnier.

Veritas would like to thank the Lockheed Martin Red Team for notifying us about Issue #3.

Disclaimer

THE SECURITY ADVISORY IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054

Related news

CVE-2023-28759: Security Advisory Impacting NetBackup Windows OS Clients

An issue was discovered in Veritas NetBackup before 10.0 on Windows. A vulnerability in the way the client validates the path to a DLL prior to loading may allow a lower-level user to elevate privileges and compromise the system.

CVE-2022-42308: Hotfix for Security Advisory Impacting NetBackup Clients and Servers

An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can delete arbitrary files by leveraging a path traversal in the pbx_exchange registration code.

CVE-2022-42306: Hotfix for Security Advisory Impacting NetBackup Clients and Servers

An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
