VTS24-005

Veritas System Recovery Arbitrary File Creation Vulnerability

Revision History

  • 1.0: May 07, 2024: Initial version
  • 1.1: May 14, 2024: Added CVE ID
  • 1.2: September 20, 2024: Version added to Affected Versions
  • 1.3: September 26, 2024: Update Remediation plan

Summary

A vulnerability was discovered in Veritas System Recovery 23.0 (23.0.2.63015) and prior. Arbitrary file creation is a vulnerability that allows an attacker with a low-privilege Windows user account to create a file in an arbitrary location within the filesystem. This includes protected directories such as C:\Windows, C:\windows\system32 and "C:\Program Files". In addition, an attacker could leverage this vulnerability from a low-privilege user account to cause a denial of service or to tamper with an important service (e.g., the backup service).

Issue

CVE ID: CVE-2024-35204
Severity: High
CVSS v3.1 Base Score 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE-272: Least Privilege Violation

Prerequisites

When the Veritas System Recovery service is running, it logs information to the file C:\ProgramData\Veritas\VERITAS SYSTEM RECOVERY\LOGS\Veritas System Recovery.log.txt with NT Authority\System permission. The file is not opened exclusively, is not protected, and can be deleted at any time. The C:\ProgramData\Veritas\VERITAS SYSTEM RECOVERY\LOGS directory is modifiable by a low-privileged Windows user and can therefore be transformed into a directory junction and symbolic link.
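
An audit check for the condition described above, added here as an example (it is not Veritas code and is not the hotfix script). It reports whether the LOGS directory is currently a reparse point and which low-privileged principals hold write or delete rights on it. The SID list, the rights mask and the function name Test-LogDirExposure are assumptions of this example; Windows PowerShell 5.1 or later is assumed.

```powershell
# Added audit example (read-only). The path is the one named in this advisory.
$LogDir = 'C:\ProgramData\Veritas\VERITAS SYSTEM RECOVERY\LOGS'

# Assumption: well-known SIDs treated as "low privileged" for this check.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that allow adding, replacing or deleting entries in the directory,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which can
# appear unexpanded in inherit-only ACEs.
$Rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Mask   = [int]$Rights -bor 0x40000000 -bor 0x10000000

function Test-LogDirExposure {
    param([string]$Path = $LogDir)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return
    }
    $item = Get-Item -LiteralPath $Path -Force
    # A junction or symbolic link carries the ReparsePoint attribute.
    $isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)

    # Request the ACEs with SID identities so the match is locale-independent.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    # Simplification: Allow ACEs only; Deny ACEs and group nesting are not evaluated.
    $hits = foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $LowPrivSids -contains $r.IdentityReference.Value -and
            ([int]$r.FileSystemRights -band $Mask)) {
            '{0}: {1} (inherited={2})' -f $r.IdentityReference.Value, $r.FileSystemRights, $r.IsInherited
        }
    }
    [pscustomobject]@{
        Path             = $item.FullName
        IsReparsePoint   = $isReparse
        LinkType         = $item.LinkType   # Junction / SymbolicLink, empty otherwise
        Target           = $item.Target
        LowPrivWriteAces = @($hits)
    }
}

Test-LogDirExposure | Format-List
```

IsReparsePoint should be False on a normal installation; a junction or symbolic link in place of the LOGS directory warrants investigation.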

Affected Versions

Veritas System Recovery versions 23.3, 23.2, 23.1, 23.0, 22.0, 21.3, 21.2, 21.1, 21.0 (Earlier unsupported versions of Veritas System Recovery may be affected as well)

Affected Software

The vulnerable service is Veritas System Recovery ("C:\Program Files\Veritas\Veritas System Recovery\Agent\VProSvc.exe")

Remediation

Customers under a current maintenance contract who are running in low privilege user mode should execute the script available from the Veritas Download Center under the Updates section (Hotfix 860045): https://www.veritas.com/support/en_US/downloads.

For further information, refer to Veritas document:

Questions

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054