Revisions

  • 1.0: March 5, 2020: Initial version

 

Summary

Some versions of Veritas Backup Exec are affected by Microsoft Windows CryptoAPI vulnerability CVE-2020-0601.

 

Issue 1

  • Description: Some versions of Backup Exec are affected by Microsoft Windows CryptoAPI vulnerability CVE-2020-0601 that has to do with verifying ECC code signing certificates.
  • Severity: Critical
  • Fixed version: NA

 

Issues

In January 2020 Microsoft published a security advisory for a critical issue in the Windows CryptoAPI which an attacker could exploit “by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.” There is one situation in which Backup Exec verifies signed code and could therefore be affected by this vulnerability: during installation of a product update.

 

Affected Versions

Backup Exec versions 20.5 and 20.6 are affected by this issue. All earlier, supported versions of Backup Exec are not affected.

 

Remediation

The only way to remediate the issue is to install the Windows update from Microsoft that fixes the vulnerability. There will be no update to Backup Exec to address this issue as this vulnerability is in Microsoft Windows, not Backup Exec.

 

Mitigations

Do not update Backup Exec on a system until the Windows update has been installed.

Users may continue to perform backups and restores on vulnerable systems without risking triggering the vulnerability.

 

References