CVE-2020-37045
📋 TL;DR
CVE-2020-37045 is an unquoted service path vulnerability in the INET Daemon service of Veritas NetBackup 7.0. Because the path is unquoted, local attackers can place malicious executables in locations that Windows will execute with elevated LocalSystem privileges when the service starts. Only systems running the vulnerable NetBackup version are affected, and exploitation requires local access.
💻 Affected Systems
- Veritas NetBackup
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with LocalSystem privileges, enabling complete control over the Windows system, credential theft, and lateral movement.
Likely Case
Local privilege escalation allowing attackers to gain SYSTEM-level access on the compromised host, potentially leading to persistence mechanisms and further network exploitation.
If Mitigated
Limited impact if proper access controls prevent local users from writing to affected directories and service restart monitoring is in place.
🎯 Exploit Status
Exploitation requires local access to create malicious executables in unquoted path locations. Public exploit code exists on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Veritas advisory for specific patched versions
Vendor Advisory: https://www.veritas.com/
Restart Required: Yes
Instructions:
1. Check the Veritas security advisory for the specific patch.
2. Apply the official patch from Veritas.
3. Restart the NetBackup INET Daemon service.
4. Verify the service path is now properly quoted.
🔧 Temporary Workarounds
Add quotes to service path
Manually edit the service path in the Windows Registry to include quotes around the full executable path (Windows):
sc config "NetBackup INET Daemon" binPath= "\"C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe\""
Restrict directory permissions
Set strict ACLs on parent directories to prevent unauthorized file creation (Windows):
icacls "C:\Program Files\Veritas\NetBackup\bin" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict access controls on C:\Program Files\Veritas\NetBackup\ and subdirectories to prevent unauthorized file creation
- Monitor for unexpected service restarts or file creation in NetBackup directories using file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check if the NetBackup INET Daemon service path is unquoted:
sc qc "NetBackup INET Daemon" | findstr BINARY_PATH_NAME
Check Version:
Check the NetBackup version via the administration console or the registry:
reg query "HKLM\SOFTWARE\Veritas\NetBackup\CurrentVersion" /v DisplayVersion
Verify Fix Applied:
Verify that the service path is now quoted: the output of sc qc "NetBackup INET Daemon" should show "C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe" in quotes.
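The check above can be automated by parsing the `sc qc` output. The following is an added example, not code from Veritas or the original advisory: it decides whether BINARY_PATH_NAME is unquoted and lists the earlier locations Windows would try, so they can be covered by ACL review and file integrity monitoring. The function names and the sample output are illustrative assumptions.

```python
import re

# Constructed `sc qc` output (not captured from a real host); the service
# name and binary path are the ones used in the commands on this page.
SAMPLE_UNQUOTED = r"""
SERVICE_NAME: NetBackup INET Daemon
        BINARY_PATH_NAME   : C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
        SERVICE_START_NAME : LocalSystem
"""
SAMPLE_QUOTED = SAMPLE_UNQUOTED.replace(
    r"C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe",
    r'"C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe"')


def binary_path(sc_qc_output):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^[ \t]*BINARY_PATH_NAME[ \t]*:[ \t]*(.*?)[ \t]*$", sc_qc_output, re.M)
    return m.group(1) if m and m.group(1) else None


def executable_part(path):
    """Cut the command line after the first '.exe' so arguments are ignored."""
    end = path.lower().find(".exe")
    return path if end < 0 else path[:end + 4]


def is_unquoted_with_spaces(path):
    """True when the image path contains a space and has no opening quote."""
    return not path.startswith('"') and " " in executable_part(path)


def paths_to_monitor(path):
    """Earlier locations Windows tries for an unquoted path (for FIM/ACL review)."""
    if not is_unquoted_with_spaces(path):
        return []
    exe = executable_part(path)
    # At every space Windows may end the file name there and append ".exe".
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(sc_qc_output):
    """Summarize one service: its path, whether it is unquoted, what to watch."""
    path = binary_path(sc_qc_output)
    if path is None:
        return {"path": None, "vulnerable": False, "monitor": []}
    return {"path": path, "vulnerable": is_unquoted_with_spaces(path),
            "monitor": paths_to_monitor(path)}
```

Call `audit()` on the text returned by `sc qc "NetBackup INET Daemon"` before and after applying the fix; a quoted path yields an empty `monitor` list.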
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unexpected service restarts (Event ID 7036)
- Security logs showing file creation in NetBackup directories by non-administrative users
Network Indicators:
- Unusual outbound connections from NetBackup server following service restart
SIEM Query:
EventID=7036 AND ServiceName="NetBackup INET Daemon" | join (EventID=4688 AND NewProcessName contains "bpinetd")