VTS22-004
HotFix for Security Advisory Impacting NetBackup – Primary/Media Server
Revision History
- 1.0: July 18: Initial Release
Summary
Veritas has addressed multiple security vulnerabilities impacting Veritas NetBackup, NetBackup Appliance, Flex Appliance, and Flex Scale. If you are at an earlier release of NetBackup, you will need to first upgrade to a version where a HotFix is available and then apply the appropriate HotFix. Table 2 of this advisory lists the high-level description. Click the Description hyperlink in Table 2 for more detail on each vulnerability.
Affected products/versions:
- NetBackup 8.1.x, 8.2, 8.3.x, 9.0.x, 9.1.x
- NetBackup Appliance/NetBackup Virtual Appliance 3.1.x, 3.2, 3.2 MRs, 3.3.0.1, 3.3.0.x MRs, 4.0, 4.0.0.1 MRs, 4.1, 4.1.0.1 MRs
- NetBackup 8.1.x, 8.2, 8.3.x, 9.0.x, 9.1.x Containers on Flex Appliance 1.3.x, 2.0, 2.0.x, 2.1
- Flex Scale 1.3.1, 2.1
HotFixes are available for the following NetBackup versions:
- NetBackup 8.1.2, 8.2, 8.3.0.1, 8.3.0.2, 9.0.0.1, 9.1.0.1
Remedial Actions:
- Review Table 1 below to identify your current NetBackup Enterprise software version and follow the remediation steps to apply the HotFix, or upgrade to a version where a fix is available.
- To fix ALL issues listed below we recommend applying the HotFix to Primary servers as well as all Media servers. This HotFix may be safely applied to all NetBackup Media servers.
- Flex Appliance customers, please apply the NetBackup HotFix corresponding to the NetBackup Container version on Flex appliances.
- Flex Scale Appliance customers, please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.
Table 1. Affected Version and Remedial Steps
| NetBackup Version | NetBackup Appliance NetBackup Virtual Appliance | Remediation Steps |
|---|---|---|
| 8.1.2 | 3.1.2 | Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 8.1.2 and Appliance 3.1.2 Master and Media Server |
| 8.2 | 3.2, 3.2 MR1/MR2/MR3 | Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 8.2 and Appliance 3.2 Master and Media Server |
| 8.3.0.1 | 3.3.0.1 MR1/MR2 | Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 8.3.0.1 and Appliance 3.3.0.1 Primary and Media Servers |
| 8.3.0.2 | 3.3.0.2 MR1/MR2 | Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 8.3.0.2 and Appliance 3.3.0.2 Primary and Media Servers |
| 9.0.0.1 | 4.0.0.1 MR1/MR2/MR3 | Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 9.0.0.1 and Appliance 4.0.0.1 Primary and Media Server |
| 9.1.0.1 | 4.1.0.1 MR1/MR2 | Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 9.1.0.1 and Appliance 4.1.0.1 Primary and Media Server |
| Pre-8.1.2 |
Pre-3.1.2 | Upgrade to a newer version and apply NetBackup Hotfix if applicable |
| 8.3 | Upgrade to a newer version and apply NetBackup Hotfix if applicable | |
| 8.3.0.1 | 3.3.0.1, 3.3.0.1 MR1/MR2/MR3 | Upgrade to a newer version and apply NetBackup Hotfix if applicable |
| 9.0 | 4.0 | Upgrade to a newer version and apply NetBackup Hotfix if applicable |
| 9.1 | 4.1 | Upgrade to a newer version and apply NetBackup Hotfix if applicable |
| 10.0 | 5.0 | Not Impacted |
Table 2. Security Issues and Affected Products
| Issue # | Description | Severity | Affected products | Apply HotFix to: |
|---|---|---|---|---|
| C1 | Authenticated Conditional Remote Command Execution | Critical | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| C2 | Arbitrary File Write | Critical | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| H1 | Authenticated Remote Command Execution | High | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| H2 | Authenticated Remote Command Execution | High | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| H3 | Remote Command Execution | High | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| H4 | Arbitrary File Write | High | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| H5 |
Arbitrary File Write | High | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| H6 | Remote Command Execution | High | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers, Media Servers |
| H7 | Local Privilege Escalation | High | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers, Media Servers |
| H8 | Denial of Service | High | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| H9 | Arbitrary File Read | High | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| M1 | Arbitrary File Read | Medium | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| M2 | Arbitrary File Read | Medium | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| M3 | Denial of Service | Medium | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| M4 | Arbitrary File Read | Medium | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| M5 | Arbitrarily Create Directories | Medium | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
| M6 | Information Leakage | Medium | NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale | Primary Servers |
Critical Issues
Issue #C1
- Authenticated conditional remote command execution.
- CVE ID: CVE-2022-36992
- Severity: Critical
- CVSS v3.1 Base Score: 9.9 ( AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- An attacker with authenticated access to a NetBackup Client could remotely execute arbitrary commands on a NetBackup Primary server given specific notify conditions.
Issue #C2
- Arbitrary file write.
- CVE ID: CVE-2022-36990
- Severity: Critical
- CVSS v3.1 Base Score: 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H)
- An attacker with authenticated access to a NetBackup Client could remotely write arbitrary files to arbitrary locations from any Client to any other Client via a Primary server.
- Note: For this to occur it would require VxSS to be enabled on both the NetBackup Primary server as well as the attacker-controlled NetBackup client.
High Issues
Issue #H1
- Remote command execution.
- CVE ID: CVE-2022-36993
- Severity: High
- CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- An attacker with authenticated access to a NetBackup Client could remotely execute arbitrary commands on a NetBackup Primary server.
Issue #H2
- Remote command execution.
- CVE ID: CVE-2022-36989
- Severity: High
- CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- An attacker with authenticated access to a NetBackup Client could remotely execute arbitrary commands on a NetBackup Primary server.
Issue #H3
- Remote command execution.
- CVE ID: CVE-2022-36986
- Severity: High
- CVSS v3.1 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
- An attacker with unauthenticated access could remotely execute arbitrary commands on a NetBackup Primary server.
Issue #H4
- Arbitrary file write.
- CVE ID: CVE-2022-36987
- Severity: High
- CVSS v3.1 Base Score: 8.5 (/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
- An attacker with authenticated access to a NetBackup Client could arbitrarily write files to a NetBackup Primary server.
Issue #H5
- Arbitrary file write.
- CVE ID: CVE-2022-36991
- Severity: High
- CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
- An attacker with authenticated access to a NetBackup Client could arbitrarily write content to a partially controlled path on a NetBackup Primary server.
Issue #H6
- Remote command execution.
- CVE ID: CVE-2022-36988
- Severity: High
- CVSS v3.1 Base Score: 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
- An attacker with authenticated access to a NetBackup OpsCenter server, NetBackup Primary server or NetBackup Media server could remotely execute arbitrary commands on a NetBackup Primary server or NetBackup Media server.
Issue #H7
- Local privilege escalation.
- CVE ID: CVE-2022-36985
- Severity: High
- CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- An attacker with unprivileged local access to a Windows NetBackup Primary server could potentially escalate their privileges.
Issue #H8
- Denial of service.
- CVE ID: CVE-2022-36984
- Severity: High
- CVSS v3.1 Base Score: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
- An attacker with authenticated access to a NetBackup Client could remotely trigger a denial of service attack against a NetBackup Primary server.
Issue #H9
- Arbitrary file read.
- CVE ID: CVE-2022-36997
- Severity: High
- CVSS v3.1 Base Score: 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
- An attacker with authenticated access to a NetBackup Client could remotely trigger an arbitrary file read, Server-Side Request Forgery (SSRF), a denial of service, and potentially other impacts.
Medium Issues
Issue #M1
- Arbitrary file read.
- CVE ID: CVE-2022-37000
- Severity: Medium
- CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
- Under certain conditions, an attacker with authenticated access to a NetBackup Client could remotely read files on a NetBackup Primary server.
Issue #M2
- Arbitrary file read.
- CVE ID: CVE-2022-36999
- Severity: Medium
- CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
- Under certain conditions, an attacker with authenticated access to a NetBackup Client could remotely read files on a NetBackup Primary server.
Issue #M3
- Denial of service.
- CVE ID: CVE-2022-36998
- Severity: Medium
- CVSS v3.1 Base Score: 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H)
- An attacker with authenticated access to a NetBackup Client could remotely trigger a stack-based buffer overflow on the NetBackup Primary server, resulting in a denial of service.
Issue #M4
- Arbitrary file read.
- CVE ID: CVE-2022-36994
- Severity: Medium
- CVSS v3.1 Base Score: 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H)
- An attacker with authenticated access to a NetBackup Client could arbitrarily read files from a NetBackup Primary server.
Issue #M5
- Arbitrarily create directories.
- CVE ID: CVE-2022-36995
- Severity: Medium
- CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
- An attacker with authenticated access to a NetBackup Client could arbitrarily create directories on a NetBackup Primary server.
Issue #M6
- Information leakage.
- CVE ID: CVE-2022-36996
- Severity: Medium
- CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
- An attacker with access to a NetBackup Client could remotely gather information about any host known to a NetBackup Primary server.
Note
You may also use the NetBackup HotFix and EEB Release Auditor on SORT to check if a previous Emergency Engineering Binary (EEB) or HotFix was delivered in a released product version. This information is also available in the NetBackup Emergency Engineering Binary Guide for that version. If you do not see information related to a HotFix or an EEB you expected, please contact Veritas Technical Support.
Questions
For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).
Acknowledgements
Veritas would like to thank the following Airbus Security Team members for notifying us about most of these issues: Mouad Abouhali, Benoit Camredon, Nicholas Devillers, Anais Gantet, and Jean-Romain Garnier.
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054