VTS23-003
Security Advisory Impacting NetBackup Servers and Clients
Revision History
- 1.0: March 14, 2023 – Initial Public Release
- 1.1: May 26, 2023 – Update to Affected Product Versions and Added Mitigation Information
Summary
Veritas has addressed a vulnerability impacting the NetBackup servers and clients.
Issue
Arbitrary File Write
BPCD (the NetBackup client daemon) allows an unprivileged local user to create or modify an arbitrary file when a NetBackup command is executed. This can be used to elevate privileges and compromise the system.
- CVE ID: CVE-2023-28758
- Severity: High
- CVSS v3.1 Base Score: 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
- Affected Product & Version:
  - NetBackup primary server, media server, and clients – 8.2 and earlier.
  - In environments where the primary and all media servers are at 8.3 or higher, primary and media servers are NOT vulnerable (see Table 1 below).
- Recommended Action:
  - Preferred: Upgrade to version 8.3 or later.
Table 1. Am I Vulnerable?
Environment | Primary | Media | Client >= 8.3 | Client < 8.3 |
---|---|---|---|---|
All NetBackup servers and clients in environment at 8.3 and above | No | No | No | NA |
All NetBackup servers in environment at 8.3 and above | No | No | No | Yes |
NetBackup primary server at 8.3/8.3.0.1 & one or more media servers < 8.3 | Yes | Yes | Yes | Yes |
Versions < 8.3 | Yes | Yes | Yes | Yes |
Mitigation
Mitigation for environments with clients or media servers that are unable to upgrade to 8.3 or newer versions (perform both):
- Remove non-administrator access from all NetBackup servers. Users that are not system administrators or NetBackup administrators should not be able to log in (at the OS level) or execute commands on the NetBackup primary and media server.
- Review the SERVER and MEDIA_SERVER entries in the bp.conf/host properties and remove entries for systems that are not at NetBackup 8.3 or higher.
Notes
A best practice for all NetBackup environments is to review the SERVER and MEDIA_SERVER entries in bp.conf/host properties for each host and to remove entries for systems that no longer exist or do not communicate with this host. This follows the principle of least privilege to limit access to only those systems that need access.
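The review of SERVER and MEDIA_SERVER entries called for in the mitigation step above and in this best-practice note can be scripted. The following is an added example written for this advisory; it is not Veritas code or a Veritas tool. It assumes the documented bp.conf format of `KEY = value` lines (on Linux/UNIX hosts, /usr/openv/netbackup/bp.conf), that the first SERVER entry names the primary server, and that you gather each host's NetBackup version separately (for instance from `bpgetconfig -L -s <host>`, whose output carries a `Version Name` line, or from your CMDB); the bp.conf text and version inventory embedded below are constructed samples. It also encodes Table 1 as a function so the "Am I vulnerable?" decision can be checked for any combination of versions.

```python
"""Audit NetBackup bp.conf SERVER / MEDIA_SERVER entries against a version inventory.

Added example for this advisory (not Veritas code). Assumptions:
  * bp.conf uses 'KEY = value' lines (Linux/UNIX: /usr/openv/netbackup/bp.conf);
    the first SERVER entry names the primary server.
  * Host versions are gathered separately (e.g. from 'bpgetconfig -L -s <host>',
    whose output includes a 'Version Name' line, or from a CMDB); the
    inventory below is a constructed sample.
"""
import re

FIXED_VERSION = (8, 3)  # CVE-2023-28758 is fixed in NetBackup 8.3 and later

# Matches 'SERVER = host' / 'MEDIA_SERVER = host'; every other key is left untouched.
ENTRY_RE = re.compile(r"^\s*(SERVER|MEDIA_SERVER)\s*=\s*(\S+)\s*$")

# Constructed sample bp.conf, not captured from a real host.
SAMPLE_BP_CONF = """\
# constructed sample
SERVER = primary.example.com
SERVER = media-old.example.com
MEDIA_SERVER = media-new.example.com
MEDIA_SERVER = ghost.example.com
CLIENT_NAME = app01.example.com
"""

# Constructed sample inventory: host -> NetBackup version.
# ghost.example.com was decommissioned, so it has no inventory entry.
SAMPLE_INVENTORY = {
    "primary.example.com": "8.3.0.1",
    "media-old.example.com": "8.2",
    "media-new.example.com": "9.1.0.1",
    "app01.example.com": "8.1.2",
}


def parse_version(version: str) -> tuple:
    """'8.3.0.1' -> (8, 3, 0, 1); tuple comparison orders 10.x above 8.x correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def is_fixed(version: str) -> bool:
    """True when the host runs a release that contains the fix (8.3 or later)."""
    return parse_version(version) >= FIXED_VERSION


def vulnerable(primary: str, media: list, client: str) -> dict:
    """Table 1 of the advisory as a decision procedure.

    Any server (primary or media) below 8.3 leaves every host in the environment
    vulnerable; with all servers at 8.3+ only clients below 8.3 remain exposed.
    """
    servers_fixed = is_fixed(primary) and all(is_fixed(v) for v in media)
    if not servers_fixed:
        return {"primary": True, "media": True, "client": True}
    return {"primary": False, "media": False, "client": not is_fixed(client)}


def audit_bp_conf(text: str, inventory: dict):
    """Return (cleaned bp.conf text, removed entries, warnings).

    SERVER/MEDIA_SERVER entries are dropped when the host is below 8.3 or absent
    from the inventory (decommissioned or unknown). The first SERVER entry (the
    primary) is never removed; a primary below 8.3 is reported instead, since
    stripping it would break the host rather than mitigate anything.
    """
    kept, removed, warnings = [], [], []
    primary_seen = False
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            kept.append(line)
            continue
        key, host = m.group(1), m.group(2).lower()
        version = inventory.get(host)
        fixed = version is not None and is_fixed(version)
        if key == "SERVER" and not primary_seen:
            primary_seen = True
            kept.append(line)
            if not fixed:
                warnings.append(f"primary {host} at {version or 'unknown version'}: "
                                "whole environment vulnerable (Table 1); upgrade it")
            continue
        if fixed:
            kept.append(line)
        else:
            removed.append((key, host, version or "not in inventory"))
    return "\n".join(kept) + "\n", removed, warnings


if __name__ == "__main__":
    cleaned, removed, warnings = audit_bp_conf(SAMPLE_BP_CONF, SAMPLE_INVENTORY)
    for key, host, reason in removed:
        print(f"remove {key} = {host}  ({reason})")
    for w in warnings:
        print("WARNING:", w)
    print("--- cleaned bp.conf ---")
    print(cleaned, end="")
    print("client app01 exposed:", vulnerable("8.3.0.1", ["9.1.0.1"], "8.1.2")["client"])
```

Review the `removed` list before writing the cleaned text back: a host that is merely missing from your inventory is not necessarily decommissioned, and the script cannot tell the two apart. On Windows hosts the same SERVER and MEDIA_SERVER entries are maintained through host properties rather than an editable bp.conf, so apply the resulting list there by hand. Note that removing entries only narrows which hosts may talk to this one; per Table 1, a primary or media server below 8.3 still leaves the environment vulnerable until it is upgraded.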
This issue was addressed earlier but a Security Advisory was not generated at that time. NetBackup version 8.3 and later contain the fix and no action is necessary if you are on any of those releases.
Questions
For questions or problems regarding this vulnerability, please contact Veritas Technical Support (https://www.veritas.com/support).
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. ANY FORWARD-LOOKING INDICATION OF PLANS FOR PRODUCTS IS PRELIMINARY AND ALL FUTURE RELEASE DATES ARE TENTATIVE AND ARE SUBJECT TO CHANGE. ANY FUTURE RELEASE OF THE PRODUCT OR PLANNED MODIFICATIONS TO PRODUCT CAPABILITY, FUNCTIONALITY, OR FEATURE ARE SUBJECT TO ONGOING EVALUATION BY VERITAS, AND MAY NOT BE IMPLEMENTED AND SHOULD NOT BE CONSIDERED FIRM COMMITMENTS BY VERITAS AND SHOULD NOT BE RELIED UPON IN MAKING DECISIONS.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054