CVE-2019-18780

9.8 CRITICAL

📋 TL;DR

An unauthenticated remote attacker can execute arbitrary commands with root/administrator privileges on Veritas InfoScale Cluster Server components. This affects multiple Veritas products including Access, Flex Appliance, InfoScale, VCS, and SFHA across Linux/UNIX and Windows platforms.

💻 Affected Systems

Products:
  • Veritas Access
  • Veritas Access Appliance
  • Veritas Flex Appliance
  • Veritas InfoScale
  • Veritas Cluster Server (VCS)
  • Storage Foundation HA (SFHA)
Versions: Access 7.4.2 and earlier, Access Appliance 7.4.2 and earlier, Flex Appliance 1.2 and earlier, InfoScale 7.3.1 and earlier, InfoScale 7.4.0-7.4.1, VCS 6.2.1 and earlier on Linux/UNIX, VCS 6.1 and earlier on Windows, SFHA 6.2.1 and earlier on Linux/UNIX, SFHA 6.1 and earlier on Windows
Operating Systems: Linux, UNIX, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. The Cluster Server component must be enabled/installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root/administrator access, allowing data theft, ransomware deployment, or persistent backdoor installation across the entire cluster.

🟠 Likely Case

Remote code execution leading to data exfiltration, service disruption, or lateral movement within the network.

🟢 If Mitigated

Limited impact if systems are isolated behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The CVSS score of 9.8 reflects remote exploitation with low complexity and no authentication required. No public PoC is confirmed, but the high score suggests weaponization is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches per vendor advisories: VTS19-003, VTS19-004, VTS19-005, VTS19-006

Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS19-003

Restart Required: Yes

Instructions:

1. Review specific VTS advisory for your product.
2. Download appropriate patch from Veritas support portal.
3. Apply patch following vendor instructions.
4. Restart affected services/cluster components.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict network access to Cluster Server ports (default 1850/tcp, 1851/tcp) using firewalls.

iptables -A INPUT -p tcp --dport 1850 -j DROP
iptables -A INPUT -p tcp --dport 1851 -j DROP

Windows Firewall Rule

windows

Block Cluster Server ports on Windows systems.

New-NetFirewallRule -DisplayName "Block VCS Ports" -Direction Inbound -LocalPort 1850,1851 -Protocol TCP -Action Block

🧯 If You Can't Patch

  • Isolate affected systems from internet and untrusted networks
  • Implement strict network segmentation and monitor for suspicious connections to Cluster Server ports

🔍 How to Verify

Check if Vulnerable:

Check installed Veritas product version against affected versions list. Verify Cluster Server service is running.

Check Version:

On UNIX/Linux: 'vxlicrep' or 'hastatus -sum'. On Windows: Check Programs and Features or Veritas management console.

Verify Fix Applied:

Verify patch installation via vendor tools (e.g., 'vxlicrep' on UNIX/Linux) and confirm version is updated beyond vulnerable ranges.
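
The version comparison described above can be scripted for an inventory. The following is an added example, not vendor code or part of the original advisory: the ranges are transcribed from the Versions line on this page, and the function names and the rule of comparing at the precision of the listed bound (so a patch level such as 6.1.1 is reported as affected and should be confirmed against the VTS advisory) are assumptions.

```python
import re

# Affected ranges transcribed from the "Versions" line on this page.
# Each range is (lowest, highest), inclusive; lowest=None means "and earlier".
AFFECTED = {
    ("access", "any"): [(None, "7.4.2")],
    ("access appliance", "any"): [(None, "7.4.2")],
    ("flex appliance", "any"): [(None, "1.2")],
    ("infoscale", "any"): [(None, "7.3.1"), ("7.4.0", "7.4.1")],
    ("vcs", "unix"): [(None, "6.2.1")],
    ("vcs", "windows"): [(None, "6.1")],
    ("sfha", "unix"): [(None, "6.2.1")],
    ("sfha", "windows"): [(None, "6.1")],
}
PLATFORMS = {"linux": "unix", "unix": "unix", "windows": "windows"}


def parse_version(text):
    """Turn '7.4.1' or '7.4.1.100' into a tuple of ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def fit(version, width):
    """Pad with zeros or truncate so the tuple has exactly `width` parts."""
    return (version + (0,) * width)[:width]


def is_affected(product, version, platform="linux"):
    """True when `version` falls inside a range this page lists as affected."""
    key = product.strip().lower()
    family = PLATFORMS[platform.strip().lower()]  # KeyError on unknown platform
    ranges = AFFECTED.get((key, "any")) or AFFECTED.get((key, family))
    if ranges is None:
        raise KeyError(f"not listed on this page: {product} on {platform}")
    installed = parse_version(version)
    for low, high in ranges:
        high_t = parse_version(high)
        # Assumption: compare at the bound's precision, so 6.1.1 counts as 6.1.
        if fit(installed, len(high_t)) > high_t:
            continue
        if low is not None and fit(installed, len(parse_version(low))) < parse_version(low):
            continue
        return True
    return False
```

A False result only means the version is outside the ranges listed here; the installed patch level still has to be confirmed with the vendor tools named above.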

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution from Cluster Server components
  • Authentication failures or unusual connections to port 1850/1851
  • Commands with suspicious arguments in system logs

Network Indicators:

  • Unusual outbound connections from Cluster Server hosts
  • Exploit attempts to port 1850/1851
  • Unexpected network traffic patterns from affected systems

SIEM Query:

(source="*veritas*" OR dest_port=1850 OR dest_port=1851) AND (process_execution="*cmd*" OR process_execution="*sh*" OR process_execution="*powershell*")
