CVE-2022-36985
📋 TL;DR
CVE-2022-36985 is a local privilege escalation vulnerability in Veritas NetBackup that allows attackers with unprivileged local access to Windows NetBackup Primary servers to gain elevated privileges. This affects NetBackup 8.1.x through 8.1.2, 8.2, 8.3.x through 8.3.0.2, 9.x through 9.0.0.1, and 9.1.x through 9.1.0.1. Attackers could potentially compromise the entire backup infrastructure.
💻 Affected Systems
- Veritas NetBackup
- NetBackup Appliance
- NetBackup Flex Appliance
📦 What is this software?
Flex Scale by Veritas
Netbackup by Veritas
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the NetBackup Primary server, allowing attackers to access, modify, or delete backup data, disrupt backup operations, and potentially pivot to other systems in the environment.
Likely Case
Local attackers gain administrative privileges on the NetBackup server, enabling them to access sensitive backup data and potentially compromise other systems through stored credentials.
If Mitigated
Limited impact if proper network segmentation, least privilege access controls, and monitoring are in place to detect and contain local privilege escalation attempts.
🎯 Exploit Status
Requires local access to the Windows server. The vulnerability is in how NetBackup handles certain operations, allowing privilege escalation through standard user interactions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the latest cumulative update for your NetBackup version as specified in VTS22-004
Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS22-004
Restart Required: Yes
Instructions:
1. Review the VTS22-004 advisory for the specific patch version that applies to your NetBackup release.
2. Download the appropriate cumulative update from the Veritas support portal.
3. Apply the patch following the Veritas documentation.
4. Restart the NetBackup services and verify functionality.
🔧 Temporary Workarounds
Restrict Local Access
Windows: Limit local access to NetBackup Primary servers to only authorized administrators
Implement Least Privilege
Windows: Ensure all user accounts on NetBackup servers have only the privileges they need
🧯 If You Can't Patch
- Implement strict access controls to limit who can log in locally to NetBackup Primary servers
- Enable detailed auditing and monitoring of local privilege escalation attempts and suspicious activities
🔍 How to Verify
Check if Vulnerable:
Check NetBackup version via the NetBackup Administration Console or by examining installed software in Windows Control Panel
Check Version:
Check NetBackup version in Administration Console or via 'wmic product get name,version' for installed Veritas products
Verify Fix Applied:
Verify patch installation through Windows Update history or installed programs list, then confirm NetBackup version is no longer in affected range
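An added example (not the advisory's or Veritas's own tooling) that encodes the affected ranges from the TL;DR above, checks a version string against them, and pulls NetBackup rows out of constructed 'wmic product get name,version' output; reading each bound as covering its sub-releases (so "through 8.1.2" includes 8.1.2.x and "8.2" means the whole 8.2 branch) is an assumption.

```python
# Added example: check a NetBackup version string against the affected ranges
# listed in this advisory (not Veritas code; the range reading is an assumption).
from typing import List, Tuple

Version = Tuple[int, ...]

# (low, high) bounds as written on the page, kept at their stated precision.
# Assumption: a bound applies to all sub-releases of the version it names,
# e.g. "through 8.1.2" covers 8.1.2.x and "8.2" covers the whole 8.2 branch.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((8, 1), (8, 1, 2)),       # 8.1.x through 8.1.2
    ((8, 2), (8, 2)),          # 8.2
    ((8, 3), (8, 3, 0, 2)),    # 8.3.x through 8.3.0.2
    ((9, 0), (9, 0, 0, 1)),    # 9.x through 9.0.0.1
    ((9, 1), (9, 1, 0, 1)),    # 9.1.x through 9.1.0.1
]

def parse_version(text: str) -> Version:
    """'9.0.0.1' -> (9, 0, 0, 1); pad to four parts so prefixes compare cleanly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def in_range(version: Version, low: Version, high: Version) -> bool:
    """Compare only as many components as each bound actually specifies."""
    return version[: len(low)] >= low and version[: len(high)] <= high

def is_affected(version_text: str) -> bool:
    version = parse_version(version_text)
    return any(in_range(version, low, high) for low, high in AFFECTED_RANGES)

def netbackup_rows(wmic_output: str) -> List[Tuple[str, str]]:
    """Pick Veritas NetBackup rows out of `wmic product get name,version` text.
    Assumes the default layout: product name, whitespace, version as last field."""
    rows = []
    for line in wmic_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and "netbackup" in line.lower():
            rows.append((" ".join(fields[:-1]), fields[-1]))
    return rows

# Constructed sample output, not captured from a real host.
SAMPLE_WMIC = """Name                      Version
Veritas NetBackup         9.0.0.1
Microsoft Edge            110.0.1587.41
"""

if __name__ == "__main__":
    for name, ver in netbackup_rows(SAMPLE_WMIC):
        print(name, ver, "AFFECTED" if is_affected(ver) else "not in affected range")
```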
📡 Detection & Monitoring
Log Indicators:
- Windows Security logs showing privilege escalation events
- NetBackup logs showing unusual administrative activities from non-admin accounts
- Event ID 4672 (Special privileges assigned to new logon) from unexpected users
Network Indicators:
- Unusual administrative connections to NetBackup servers
- Unexpected backup job modifications or deletions
SIEM Query (pseudo-query; adapt field names to your SIEM):
source="windows_security" event_id=4672 AND user NOT IN (admin_users_list) AND process_name CONTAINS "netbackup"
Event ID 4672 itself records only the account and the privileges assigned, so the process filter has to be correlated from a process-creation event (Event ID 4688) or replaced by a host filter scoped to the NetBackup Primary servers.