CVE-2019-3476
📋 TL;DR
CVE-2019-3476 is a critical remote code execution vulnerability in Micro Focus Data Protector backup software. Attackers can execute arbitrary code on affected systems without authentication, potentially taking full control. Organizations running vulnerable versions of Data Protector are at risk.
💻 Affected Systems
- Micro Focus Data Protector
📦 What is this software?
Data Protector by Micro Focus: an enterprise backup and recovery product whose Cell Manager and client agents communicate over the OmniBack (inet) service, which listens on TCP port 5555 by default.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal sensitive backup data, pivot to other systems, and maintain persistent access.
Likely Case
Ransomware deployment, data exfiltration of backup archives, or installation of cryptocurrency miners on vulnerable servers.
If Mitigated
Limited impact with proper network segmentation, but still potential for lateral movement within the backup environment.
🎯 Exploit Status
Exploitation requires no authentication and has been weaponized in real attacks. The vulnerability is in the OmniBack protocol implementation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 10.04 or later
Vendor Advisory: https://softwaresupport.softwaregrp.com/doc/KM03337614
Restart Required: Yes
Instructions:
1. Download Data Protector 10.04 or later from the Micro Focus support portal.
2. Back up the current configuration.
3. Stop all Data Protector services.
4. Apply the update following the vendor instructions.
5. Restart the services and verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Data Protector components using firewall rules, so that only backup and administration hosts can reach the OmniBack port.
# Example iptables rules to restrict access to the Data Protector port (5555).
# Replace trusted_network with the CIDR of your backup/admin subnet; order matters: the ACCEPT rule must precede the DROP rule.
iptables -A INPUT -p tcp --dport 5555 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 5555 -j DROP
Service Account Hardening
Run Data Protector services with minimal privileges, so that code execution inside the service does not immediately yield SYSTEM or root.
# Windows: configure the service to run as a dedicated low-privilege account instead of LocalSystem
# Linux/UNIX: create a dedicated user and group for the Data Protector services
🧯 If You Can't Patch
- Immediately isolate vulnerable systems from internet and restrict internal network access
- Implement strict monitoring and alerting for suspicious activity on Data Protector systems
🔍 How to Verify
Check if Vulnerable:
Check the installed Data Protector version in the GUI (Help > About) or on the command line: run dpversion on Linux/UNIX, or inspect the Data Protector service properties in Windows Services. Any version earlier than 10.04 is vulnerable.
Check Version:
dpversion (Linux/UNIX), or check the Data Protector service properties in Windows Services.
Verify Fix Applied:
Verify that the reported version is 10.04 or later using the dpversion command or the GUI, then test backup and restore functionality to confirm the upgraded services work.
📡 Detection & Monitoring
Log Indicators:
- Unusual connections to Data Protector ports (typically 5555)
- Suspicious process creation from Data Protector services
- Failed authentication attempts followed by successful exploitation
Network Indicators:
- Unusual outbound connections from Data Protector servers
- Traffic to known malicious IPs from backup systems
- Anomalous protocol patterns on OmniBack port
SIEM Query:
(source="dataprotector.log" AND ("unauthorized access" OR "failed authentication" OR "suspicious connection")) OR (destination_port=5555 AND NOT source_ip IN [trusted_networks])
Note: the parentheses make the precedence explicit; trusted_networks is a placeholder for your backup and administration subnets.
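The port-5555 half of that query, as an added example that is not part of the original page: a small Python checker that reads connection-log lines (the log format, trusted ranges and sample entries are constructed for this example) and flags any TCP connection to the OmniBack port whose source lies outside the trusted networks, counting per source so a scan or repeated attempts stand out.

```python
import ipaddress
import re
from collections import Counter

# Data Protector's OmniBack (inet) service listens on TCP 5555 by default.
DP_PORT = 5555

# Assumed trusted ranges (placeholders: substitute your backup VLANs / admin subnets).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]

# Assumed connection-log format (constructed for this example):
# "<ts> src=<ip>:<port> dst=<ip>:<port> proto=tcp action=<accept|drop>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=tcp action=(?P<action>\w+)$"
)

def is_trusted(ip):
    """True if ip falls inside any configured trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_untrusted_dp_connections(lines):
    """Return (ts, src, dst, action) for every TCP connection to port 5555
    whose source is outside the trusted networks. Dropped attempts are kept
    too, since they indicate scanning for the OmniBack port."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != DP_PORT:
            continue  # unparseable line, or not the Data Protector port
        if not is_trusted(m["src"]):
            hits.append((m["ts"], m["src"], m["dst"], m["action"]))
    return hits

def sources_by_count(hits):
    """Count suspicious sources so repeated attempts from one host stand out."""
    return Counter(src for _, src, _, _ in hits)

# Constructed sample log: one trusted client, one untrusted host connecting twice,
# one dropped probe, and unrelated HTTPS traffic that must be ignored.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=10.10.3.4:51000 dst=10.10.1.10:5555 proto=tcp action=accept
2024-01-01T10:00:02Z src=203.0.113.7:44000 dst=10.10.1.10:5555 proto=tcp action=accept
2024-01-01T10:00:03Z src=203.0.113.7:44001 dst=10.10.1.10:5555 proto=tcp action=accept
2024-01-01T10:00:04Z src=198.51.100.9:3000 dst=10.10.1.10:5555 proto=tcp action=drop
2024-01-01T10:00:05Z src=192.168.50.20:1234 dst=10.10.1.10:443 proto=tcp action=accept
"""

if __name__ == "__main__":
    found = find_untrusted_dp_connections(SAMPLE_LOG.splitlines())
    for ts, src, dst, action in found:
        print(f"{ts} untrusted {src} -> {dst}:{DP_PORT} ({action})")
    print(sources_by_count(found))
```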