Exploitalert - Database of Exploits

Veritas Backup Exec Remote Agent For Windows Use-After-Free

CVE	Category	Price	Severity
CVE-2020-1914	CWE-416	$10,000	High

Author	Risk	Exploitation Type	Date
Nick Tyrer	High	remote	2017-05-28

CPE
cpe:cpe:/a:veritas:backup_exec_remote_agent_for_windows

CVSS	EPSS	EPSSP
CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2017050199

Veritas Backup Exec Remote Agent For Windows Use-After-FreeAffected software: Veritas (previously Symantec) Backup Exec Remote Agent for Windows Affected versions: All versions before Backup Exec 16 FP1, Backup Exec 15 14.2.1180.3160, Backup Exec 2014 14.1.1187.1126 Vulnerability type: Use-after-free Impact: Unauthenticated remote code execution as SYSTEM user Solution: Install the latest version across all hosts with the agent installed Website: https://www.veritas.com/product/backup-and-recovery/backup-exec Vendor disclosure: https://www.veritas.com/content/support/en_US/security/VTS17-006.html Summary: The Backup Exec Remote Agent for Windows is vulnerable to a use-after-free in its handling of SSL/TLS-wrapped NDMP connections. If SSL/TLS is established on a NDMP connection, ended, and finally re-established, the agent will re-use previously freed SSL/TLS structures. This allows for remote code execution over an unauthenticated network connection. (Note: the requirement for authentication given in the MITRE CVE description is incorrect; no authentication is required.) Detail: The agent accepts NDMP connections on TCP port 10000. The vendor-specific `0xF383` NDMP packet type allows for NDMP connections to be wrapped in a SSL/TLS session. Sub-type `4` initiates the SSL/TLS handshake; after successfully completing this the client and server continue the NDMP session through the SSL/TLS session. The agent makes use of OpenSSL to handle these SSL/TLS sessions. When a SSL/TLS session is created, the agent creates necessary OpenSSL structures, including a `struct BIO` from the connection's associated network socket using `BIO_new_socket`. Upon the end of the SSL/TLS session, this structure is freed by a call to `BIO_free` through a call to `SSL_free`. However, if a SSL/TLS connection is then re-established on the same NDMP connection, the previously freed `BIO` is re-used in the new SSL/TLS session even though it is no longer allocated. The `BIO` is stored during the first connection setup and then retrieved during second connection setup as a member of the `CSecuritySSLConnection` class, despite the call to `SSL_free` previously freeing it. This leads to a use-after-free as the `BIO` contains a pointer to a structure (`BIO_METHOD *method`) of function pointers that are used to perform operations such as reading and writing from the wrapped `BIO` object (in this case, the network socket). By overwriting the previously allocated `BIO` with controlled data, it is possible to gain remote code execution when OpenSSL attempts to call one of these function pointers. - Matthew Daley

Impressum