Unauthorized Access Vulnerability in Veritas Backup Exec
CVE-2021-27876

8.1HIGH

Key Information:

Vendor: Veritas
Status: Backup Exec
Vendor: CVE Published:; 1 March 2021

Badges

💰 Ransomware👾 Exploit Exists🦅 CISA Reported

Summary

A vulnerability has been identified in Veritas Backup Exec versions prior to 21.2 that compromises secure communication between clients and agents. This flaw arises from weaknesses in the SHA Authentication scheme, allowing an unauthorized attacker to bypass authentication. Once exploited, the attacker can issue data management protocol commands using an authenticated connection. This may enable access to arbitrary files on the system with system-level privileges, presenting significant risks to data security and system integrity.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: Apply updates per vendor instructions.

References

https://www.veritas.com/content/support/en_US/security/VT...

x_refsource_MISC

http://packetstormsecurity.com/files/168506/Veritas-Backu...

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

💰
Used in Ransomware
Apr 7, 2023
👾
Exploit known to exist
Apr 7, 2023
🦅
CISA Reported
Apr 7, 2023
Vulnerability published
Mar 1, 2021
Vulnerability Reserved
Mar 1, 2021