CVE-2024-28222
📋 TL;DR
This critical vulnerability allows unauthenticated attackers to upload and execute arbitrary files on Veritas NetBackup systems by exploiting improper path validation in the BPCD process. It affects all unpatched NetBackup and NetBackup Appliance installations, potentially giving attackers full control over affected systems.
💻 Affected Systems
- Veritas NetBackup
- Veritas NetBackup Appliance
📦 What is this software?
NetBackup by Veritas
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.
Likely Case
Remote code execution leading to data exfiltration, credential harvesting, and deployment of additional malware payloads.
If Mitigated
Limited impact if network segmentation and strict access controls prevent external access to vulnerable services.
🎯 Exploit Status
The vulnerability requires no authentication and has a straightforward exploitation path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: NetBackup 8.1.2, NetBackup Appliance 3.1.2
Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS23-010
Restart Required: Yes
Instructions:
1. Download patches from the Veritas support portal.
2. Apply patches following Veritas documentation.
3. Restart affected services.
4. Verify patch installation.
🔧 Temporary Workarounds
Network Segmentation
Linux: Restrict network access to the BPCD service (port 13724 by default) to trusted hosts only. The ACCEPT rule must be appended before the DROP rule, as shown, so that trusted traffic is matched first.
iptables -A INPUT -p tcp --dport 13724 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 13724 -j DROP
Service Restriction
Windows: Configure firewall rules to block external access to the BPCD service.
netsh advfirewall firewall add rule name="Block BPCD" dir=in action=block protocol=TCP localport=13724
🧯 If You Can't Patch
- Implement strict network segmentation to isolate NetBackup systems from untrusted networks
- Deploy host-based intrusion detection systems to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the NetBackup version using the 'bpversion' command and compare it against the vulnerable versions.
Check Version:
bpversion
Verify Fix Applied:
Verify that the version reported by 'bpversion' is 8.1.2 or higher for NetBackup, or 3.1.2 or higher for NetBackup Appliance.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to the BPCD process
- Unauthorized process execution from the BPCD service
- Failed authentication attempts to BPCD
Network Indicators:
- Unusual connections to port 13724 from untrusted sources
- Large file transfers to the BPCD service
SIEM Query:
source="netbackup" AND (event="file_upload" OR event="process_execution") AND dest_port=13724
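The two checks above, version verification and the "untrusted source to port 13724" network indicator, as an added Python example that is not part of the advisory or of Veritas' tooling. The log line format, the product labels and the sample addresses are constructed assumptions; the fixed versions and the port come from the advisory.

```python
"""Added example (not from the advisory or Veritas): compare a bpversion string
against the fixed releases, and flag connections to the BPCD port from hosts
outside a trusted allowlist in constructed firewall log lines."""
import ipaddress
import re

BPCD_PORT = 13724
# Fixed versions named in the advisory; the product keys are assumed labels.
FIXED = {"netbackup": (8, 1, 2), "appliance": (3, 1, 2)}


def parse_version(text):
    """Turn '8.1.10' (or 'NetBackup 8.1') into an int tuple so that
    8.1.10 compares greater than 8.1.2; string comparison would get this wrong."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed(product, version):
    """True when the reported version is at or above the patched release."""
    return parse_version(version) >= FIXED[product]


# Constructed sample firewall log lines (hypothetical format: src dst dport action).
SAMPLE_LOG = """\
2024-03-10T08:01:02 src=10.0.5.20 dst=10.0.5.100 dport=13724 action=ACCEPT
2024-03-10T08:01:05 src=203.0.113.7 dst=10.0.5.100 dport=13724 action=ACCEPT
2024-03-10T08:01:09 src=198.51.100.9 dst=10.0.5.100 dport=443 action=ACCEPT
2024-03-10T08:02:11 src=10.0.5.21 dst=10.0.5.100 dport=13724 action=ACCEPT
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def untrusted_bpcd_connections(log_text, trusted_nets):
    """Return (src, dst, action) for every BPCD-port hit from outside trusted_nets.
    Dropped attempts are reported too, since they are still an indicator."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group(3)) != BPCD_PORT:
            continue
        src, dst, _, action = m.groups()
        if not any(ipaddress.ip_address(src) in n for n in nets):
            hits.append((src, dst, action))
    return hits


if __name__ == "__main__":
    print(untrusted_bpcd_connections(SAMPLE_LOG, ["10.0.5.0/24"]))
    print(is_fixed("netbackup", "8.1.10"), is_fixed("netbackup", "8.1.1"))
```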