CVE-2022-36992

9.9 CRITICAL

📋 TL;DR

This vulnerability allows an authenticated attacker on a NetBackup Client to remotely execute arbitrary commands on a NetBackup Primary server under specific notify conditions. It affects Veritas NetBackup versions 8.1.x through 8.1.2, 8.2, 8.3.x through 8.3.0.2, 9.x through 9.0.0.1, and 9.1.x through 9.1.0.1.

💻 Affected Systems

Products:
  • Veritas NetBackup
  • NetBackup Appliance
  • NetBackup Flex Appliance
  • NetBackup CloudPoint
Versions: 8.1.x through 8.1.2, 8.2, 8.3.x through 8.3.0.2, 9.x through 9.0.0.1, 9.1.x through 9.1.0.1
Operating Systems: All supported NetBackup platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to NetBackup Client and specific notify conditions to be triggered.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the NetBackup Primary server leading to data theft, ransomware deployment, or destruction of backup infrastructure.

🟠 Likely Case

Privilege escalation and lateral movement within the backup environment, potentially compromising sensitive backup data.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent attacker access to vulnerable components.

🌐 Internet-Facing: LOW (requires authenticated access to NetBackup Client, typically not internet-facing)
🏢 Internal Only: HIGH (internal attackers with client access can exploit to compromise primary servers)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and specific conditions, but successful exploitation leads to high-impact RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches per vendor advisory: 8.1.2 UR 12, 8.3.0.2 UR 10, 9.0.0.1 UR 8, 9.1.0.1 UR 4

Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS22-004

Restart Required: Yes

Instructions:

1. Download the appropriate patch from the Veritas support portal.
2. Apply the patch to all affected NetBackup Primary servers.
3. Restart NetBackup services.
4. Verify patch application.

🔧 Temporary Workarounds

Network Segmentation (Platforms: all)

Restrict network access between NetBackup Clients and Primary servers to only necessary ports and protocols.

Access Control Hardening (Platforms: all)

Implement strict authentication and authorization controls for NetBackup Client access.

🧯 If You Can't Patch

  • Implement strict network segmentation between NetBackup Clients and Primary servers
  • Monitor for unusual command execution patterns on NetBackup Primary servers

🔍 How to Verify

Check if Vulnerable:

Check the installed NetBackup version with the 'bpversion' command and compare it against the affected versions list above.

Check Version:

bpversion

Verify Fix Applied:

Verify patch installation by checking the 'bpversion' output and confirming it matches one of the patched versions listed in the vendor advisory (8.1.2 UR 12, 8.3.0.2 UR 10, 9.0.0.1 UR 8, 9.1.0.1 UR 4).

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in NetBackup logs
  • Unauthorized process execution on Primary server
  • Suspicious notify events

Network Indicators:

  • Unexpected command traffic from NetBackup Clients to Primary servers
  • Anomalous RPC or management protocol patterns

SIEM Query:

source="netbackup" AND (event_type="command_execution" OR process="unusual")

🔗 References
