VTS24-004
Veritas Alta Recovery Vault Accelerated Delete Vulnerability
Revision History
- 1.0: May 1, 2024: Initial version
- 1.1: May 7, 2024: Added CVE ID
Summary
A vulnerability was discovered in the Recovery Vault feature of Veritas NetBackup 10.3.0.1 and prior. By design, only the cloud administrator should be able to disable the retention lock of Governance mode images. This vulnerability allowed a NetBackup administrator to modify the expiration of backups under Governance mode, which could cause premature deletion.
Issue
CVE ID: CVE-2024-34404
Severity: Medium
CVSS v3.1 Base Score: 6.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
CWE-284: Improper Access Control
Prerequisites
The NetBackup server has been configured to use Veritas Alta Recovery Vault (formerly known as NetBackup Recovery Vault) for cloud-based data retention services. A user with the "NetBackup Administrator" role then accesses the NetBackup servers and performs the operation to modify the expiration of Governance mode images in the cloud storage.
Affected Versions
Veritas NetBackup versions 10.3.0.1, 10.3, 10.2.0.1, 10.2, 10.1.1, 10.1, 10.0.0.1, 10.0, 9.1.0.1
Veritas NetBackup Appliance versions 5.3.0.1, 5.3, 5.1.1, 5.0, 5.0.0.1, 4.1.0.1
Remediation
This vulnerability has already been remediated on all NetBackup Recovery Vault cloud endpoints. Veritas NetBackup Recovery Vault customers who have installed the latest HotFix as described in the TechNote below do not need to take further action. Customers who have not installed the latest HotFix must do so immediately for scheduled backups to continue.
For further information please reference the Veritas TechNote:
Questions
For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054