#VU42678 Permissions, Privileges, and Access Controls in Backup Exec - CVE-2013-4677


Updated: 2020-08-11

Vulnerability identifier: #VU42678

Vulnerability risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-4677

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Backup Exec
Client/Desktop applications / Multimedia software

Vendor: Veritas Technologies

Description

The vulnerability allows a local user to read and manipulate data.

Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 uses weak permissions (Everyone: Read and Everyone: Change) for backup data files, which allows local users to obtain sensitive information or modify the outcome of a restore via direct access to these files.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Backup Exec: 2010_r3 - 2012


External links
https://osvdb.org/95939
https://www.securityfocus.com/bid/61487
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130801_00


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

