CVE-2021-27878
published 2021-03-01

Priority: P194, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW, Exploit, Ransomware
CISA Known Exploited Vulnerability, due 2023-04-28
Exploited in the wild
EPSS: 23.95% (97.6th percentile)
An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The attacker could use one of these commands to execute an arbitrary command on the system using system privileges.

Affected

1 range

Vendor    Product       Version range   Fixed in
veritas   backup_exec   < 21.2          21.2

Detection & IOCs (extracted from sources)

Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/veritas/beagent_sha_auth_rce.rb
  • Monitor for exploitation of the SHA authentication scheme against Veritas Backup Exec Agent; successful auth via SHA should be treated as suspicious since this scheme is no longer used within current Backup Exec versions but was not disabled.
  • Alert on arbitrary OS command execution originating from the Backup Exec Agent process running as NT AUTHORITY\SYSTEM (Windows) or root (Linux/Unix), as this is the expected post-exploitation privilege level.
  • Detect use of data management protocol commands on an authenticated Backup Exec Agent connection, particularly commands that spawn child processes, as the attacker leverages these post-authentication to achieve RCE.
  • Flag Veritas Backup Exec Agent versions 16.x, 20.x, and 21.x up to 21.2 (Remote Agent revision 9.3 and below) as vulnerable targets in asset inventory and network scanning.
  • The SHA authentication scheme is the vulnerable attack vector; it is no longer functionally used by current Backup Exec versions but was not disabled prior to 21.2, meaning it remains exploitable on unpatched agents even if SHA auth is not actively configured by administrators.
  • Exploitation occurs over the standard Backup Exec Agent communication channel (typically TLS), meaning malicious traffic may blend with legitimate backup traffic and evade inspection unless SHA auth handshakes are specifically monitored.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck   -         8.8     HIGH       -
cisa        -         8.8     HIGH       -