SB2021030327 - Multiple vulnerabilities in Veritas Backup Exec
Published: March 3, 2021 Updated: April 5, 2023
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2021-27876)
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to an error in the SHA Authentication scheme. A remote user can pass specially crafted input parameters to one of the data management protocol commands to access an arbitrary file on the system with System privileges.
2) Improper Authentication (CVE-ID: CVE-2021-27877)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to the use of an obsolete, but not disabled, SHA authentication scheme. A remote non-authenticated attacker can use the SHA authentication scheme to gain unauthorized access to the BE Agent and execute privileged commands on the system.
3) Improper Authentication (CVE-ID: CVE-2021-27878)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to an error in the SHA Authentication scheme. A remote user can use one of the data management protocol commands to execute an arbitrary command on the system using system privileges.
Remediation
Install the update from the vendor's website.