CVE-2023-28758
📋 TL;DR
This vulnerability in Veritas NetBackup's BPCD component allows unprivileged users to specify arbitrary log file paths when executing commands, enabling them to overwrite existing NetBackup log files. This affects all NetBackup installations before version 8.3.0.2. The issue could lead to log manipulation, denial of service, or potential privilege escalation.
💻 Affected Systems
- Veritas NetBackup
📦 What is this software?
NetBackup by Veritas
⚠️ Risk & Real-World Impact
Worst Case
An attacker could overwrite critical system logs to hide malicious activity, manipulate audit trails, or potentially escalate privileges by overwriting configuration files if path traversal is possible.
Likely Case
Attackers overwrite NetBackup logs to hide backup failures, manipulate audit trails, or cause denial of service by corrupting log files needed for backup operations.
If Mitigated
With proper access controls and monitoring, impact is limited to log file manipulation that can be detected through secondary logging mechanisms.
🎯 Exploit Status
Exploitation requires user-level access to NetBackup commands. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.3.0.2 or later
Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS23-003
Restart Required: Yes
Instructions:
1. Download NetBackup 8.3.0.2 or later from Veritas support portal.
2. Apply the patch following Veritas upgrade procedures.
3. Restart NetBackup services.
4. Verify the patch is applied successfully.
🔧 Temporary Workarounds
Restrict BPCD access
Linux: Limit which users can execute BPCD commands through file permissions and access controls.
chmod 750 /usr/openv/netbackup/bin/bpcd
chown root:root /usr/openv/netbackup/bin/bpcd
Implement log file monitoring
All platforms: Monitor NetBackup log directories for unauthorized write attempts or unexpected file modifications.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can execute NetBackup commands
- Monitor NetBackup log directories for unauthorized write attempts and implement file integrity monitoring
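A minimal file integrity check for the log-monitoring items above, added here as an example (it is not Veritas code and not part of the advisory): it snapshots a log directory twice and reports files that shrank, were replaced, changed owner or disappeared. The function names, finding labels and polling interval are assumptions; the default path is the log directory named on this page.

```python
import os
import stat

LOG_DIR = "/usr/openv/netbackup/logs"  # log directory named on this page


def snapshot(log_dir=LOG_DIR):
    """Map each path under log_dir to its size, inode, owner and file type."""
    state = {}
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except FileNotFoundError:
                continue  # file vanished between listing and stat
            state[path] = {
                "size": st.st_size,
                "inode": st.st_ino,
                "uid": st.st_uid,
                "regular": stat.S_ISREG(st.st_mode),
            }
    return state


def compare(before, after):
    """Return sorted (path, reason) findings an append-only log should not show."""
    findings = []
    for path, old in before.items():
        new = after.get(path)
        if new is None:
            findings.append((path, "removed"))
            continue
        if old["regular"] and not new["regular"]:
            findings.append((path, "replaced-by-non-regular-file"))
            continue
        if new["inode"] != old["inode"]:
            findings.append((path, "replaced"))
        elif new["size"] < old["size"]:
            findings.append((path, "truncated"))
        if new["uid"] != old["uid"]:
            findings.append((path, "owner-changed"))
    return sorted(findings)


if __name__ == "__main__":
    import time
    baseline = snapshot()
    time.sleep(60)  # constructed polling interval
    for path, reason in compare(baseline, snapshot()):
        print(f"{reason}: {path}")
```

Scheduled log pruning will also appear as "removed", so compare findings against the retention schedule. An in-place overwrite that leaves a file the same size or larger is not caught by these checks; hashing the previously recorded prefix of each file would be needed for that.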
🔍 How to Verify
Check if Vulnerable:
Check the NetBackup version: /usr/openv/netbackup/bin/version or via the NetBackup Administration Console. If the version is below 8.3.0.2, the system is vulnerable.
Check Version:
/usr/openv/netbackup/bin/version
Verify Fix Applied:
Verify version is 8.3.0.2 or higher using the version command. Test that unprivileged users cannot specify arbitrary log file paths in BPCD commands.
📡 Detection & Monitoring
Log Indicators:
- Unexpected log file modifications in /usr/openv/netbackup/logs/
- BPCD commands with unusual log file parameters
- Failed attempts to write to protected log files
Network Indicators:
- Unusual BPCD command patterns from non-admin users
- Multiple log file write attempts from single user
SIEM Query:
source="netbackup_logs" AND (event_type="file_modification" AND file_path="/usr/openv/netbackup/logs/*") AND user!="root"