Headline
CVE-2021-27877: Security Advisory for Backup Exec version 21.2
An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn’t yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.
Revisions
- 1.0: March 1, 2021: Initial version
- 1.1: March 2, 2021: Added CVE IDs
Summary
Veritas Backup Exec version 21.2 includes fixes for three security issues.
Description

Issue  Description                  Severity
1      Unauthorized user access     High
2      Arbitrary file access        High
3      Arbitrary command execution  High
Issue #1: Veritas Backup Exec Agent Unauthorized access with SHA authentication
Summary
Veritas has discovered an issue where Veritas Backup Exec could allow an attacker unauthorized access to the BE Agent via the SHA authentication scheme.
- CVE ID: CVE-2021-27877
- CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Overall CVSS Score: 8.2 (High)
The Backup Exec Agent supports multiple authentication schemes, and SHA authentication is one of them. This authentication scheme is no longer used by current Backup Exec versions, but had not yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to the BE Agent and execute privileged commands.
Affected Versions
Backup Exec versions 16.x, 20.x and 21.x are affected.
All agents on all platforms are affected.
Remediation
The issue has been fixed in Backup Exec 21.2 release.
Mitigation
If you are not applying the recommended remediation listed above, use an administrator account to check for the following registry key.
“Software\Veritas\Backup Exec For Windows\Backup Exec\Engine\Agents\XBSA\Machine\DBAID”
If the registry key exists and the DBAID value is set to a non-zero value, no further action is required.
If the registry key does not exist, create the registry key of type string (REG_SZ) and set the value of DBAID to a random hexadecimal string of the form “UIBj_?@BNo8hjR;1RW>3L1h\onZ^acSJC`7^he<2S;l”. This will prevent an attacker from using the SHA authentication scheme.
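As an added example that is not part of the Veritas advisory, the following PowerShell script performs the check and, where needed, the DBAID workaround described above. It assumes the key lives under HKLM (the advisory does not name the hive), that the key is the ...\XBSA\Machine path with DBAID as a REG_SZ value beneath it, and it draws the random value from the .NET cryptographic RNG.

```powershell
#Requires -RunAsAdministrator
# Added example, not Veritas code: applies the DBAID mitigation from the advisory.
# Assumptions: hive is HKLM (not stated in the advisory); the key is ...\XBSA\Machine
# and DBAID is a REG_SZ value under it.

$KeyPath   = 'HKLM:\Software\Veritas\Backup Exec For Windows\Backup Exec\Engine\Agents\XBSA\Machine'
$ValueName = 'DBAID'

function New-RandomHexString {
    # 32 cryptographically random bytes rendered as 64 hexadecimal characters
    param([int]$ByteCount = 32)
    $bytes = New-Object byte[] $ByteCount
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Step 1: read the current DBAID value, if the key and value exist at all.
$existing = $null
if (Test-Path -LiteralPath $KeyPath) {
    $existing = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

# Step 2: a present, non-zero DBAID means the workaround is already in place.
if ($existing -and $existing -ne '0') {
    Write-Host "DBAID already set ($($existing.Length) characters); no further action required."
    return
}

# Step 3: key or value missing (or zero): create the key if needed and set a random REG_SZ DBAID.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
$newId = New-RandomHexString
New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType String -Value $newId -Force | Out-Null
Write-Host "DBAID created under $KeyPath; the SHA authentication scheme is now blocked."
Write-Host "Verify with: Get-ItemProperty -LiteralPath '$KeyPath' -Name $ValueName"
```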
Issue #2: Veritas Backup Exec Agent Arbitrary File Access
Summary
Veritas has discovered an issue where Veritas Backup Exec Agent could allow an attacker to specially craft input parameters on a data management protocol command to access an arbitrary file on the BE Agent machine.
- CVE ID: CVE-2021-27876
- CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Overall CVSS Score: 8.1 (High)
The communication between a client and a Veritas Backup Exec Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The issue is that an authenticated client could use specially crafted input parameters on one of the data management protocol commands to access an arbitrary file on the system using System privileges.
Affected Versions
Backup Exec versions 16.x, 20.x and 21.x are affected.
All agents on all platforms are affected.
Remediation
The SHA authentication issue has been fixed in the Backup Exec 21.2 release, which remediates this issue.
Mitigation
Same mitigation as Issue #1 above applies to this issue.
Issue #3: Veritas Backup Exec Agent Arbitrary Command Execution
Summary
Veritas has discovered an issue where Veritas Backup Exec Agent could allow an attacker to use a data management protocol command to execute an arbitrary command on the BE Agent machine.
- CVE ID: CVE-2021-27878
- CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Overall CVSS Score: 8.8 (High)
The communication between a client and a Veritas Backup Exec Agent requires successful authentication, which is typically completed over a secure TLS connection. However, due to a vulnerability in the SHA authentication scheme, an attacker may be able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The issue is that an authenticated client could use one of the data management protocol commands to execute an arbitrary command on the system using system privileges.
Affected Versions
Backup Exec versions 16.x, 20.x and 21.x are affected.
All agents on all platforms are affected.
Remediation
The SHA authentication issue has been fixed in the Backup Exec 21.2 release, which remediates this issue.
Mitigation
Same mitigation as Issue #1 above applies to this issue.
Acknowledgement
Veritas would like to thank Alexander Korotin and Sergey Andreev of Kaspersky Labs for notifying us of these vulnerabilities.
Related news
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands.
An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The attacker could use one of these commands to execute an arbitrary command on the system using system privileges.