CVE-2024-33673
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code through DLL hijacking in Veritas Backup Exec. Attackers can place malicious DLLs in locations searched by the application, leading to privilege escalation or system compromise. All Windows systems running vulnerable versions of Veritas Backup Exec are affected.
💻 Affected Systems
- Veritas Backup Exec
📦 What is this software?
Backup Exec by Veritas
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, allowing data theft, ransomware deployment, or complete system control.
Likely Case
Local privilege escalation leading to unauthorized access to backup data, configuration manipulation, or lateral movement within the network.
If Mitigated
Limited impact with proper file permissions and application hardening, potentially only allowing low-privilege code execution.
🎯 Exploit Status
Requires local access or the ability to write files to the target system. DLL hijacking is a well-known technique with established exploitation methods.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.2 HotFix 917391 or later
Vendor Advisory: https://www.veritas.com/support/en_US/security/VTS24-002
Restart Required: Yes
Instructions:
1. Download HotFix 917391 from Veritas support portal.
2. Stop all Backup Exec services.
3. Apply the hotfix following vendor instructions.
4. Restart the system.
5. Verify successful installation.
🔧 Temporary Workarounds
Restrict DLL Search Path Permissions
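Set strict file permissions on directories in the DLL search path to prevent unauthorized DLL placement. Deny write access (W), not read and execute (RX): the goal is to block DLL placement while leaving legitimate DLL loads working. A deny entry overrides allow entries for every member of the Users group, so test the change before rolling it out.
icacls "C:\Windows\System32" /deny "Users":(W)
icacls "C:\Program Files\Veritas\Backup Exec" /deny "Users":(W)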
Enable Safe DLL Search Mode
Configure Windows to search system directories first before current directory.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Implement strict file system permissions on Backup Exec installation directories and Windows system paths
- Use application whitelisting to prevent execution of unauthorized DLLs
🔍 How to Verify
Check if Vulnerable:
Check the Backup Exec version in Help > About. If the version is earlier than 22.2 HotFix 917391, the system is vulnerable.
Check Version:
wmic product where "name like 'Veritas Backup Exec%'" get version
Verify Fix Applied:
Verify that the Help > About dialog shows version 22.2 HotFix 917391 or later.
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loads from non-standard locations
- Process creation events from Backup Exec loading unusual DLLs
- File creation events in Backup Exec directories
Network Indicators:
- Unusual outbound connections from Backup Exec process
- DNS queries for suspicious domains from backup server
SIEM Query:
EventID=4688 AND ProcessName="bedbg.exe" AND CommandLine CONTAINS "dll" AND NOT (ImagePath CONTAINS "System32" OR ImagePath CONTAINS "Program Files\Veritas")
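Event 4688 records process creation, not module loads, so the "unexpected DLL loads" indicator above needs image-load telemetry such as Sysmon Event ID 7. The following is an added example (not from the vendor or the original page) that triages such records in Python; the flat JSON layout, the sample records, `sample.dll` and the trusted-directory list are assumptions.

```python
import json
import ntpath

# Assumed paths, taken from this page; extend TRUSTED_DIRS for your environment.
BE_DIR = r"C:\Program Files\Veritas\Backup Exec"
TRUSTED_DIRS = [r"C:\Windows\System32", BE_DIR]


def norm(path):
    """Collapse '..' segments and fold case so comparisons are reliable."""
    return ntpath.normcase(ntpath.normpath(path))


def inside(path, directory):
    """True only if path lies below directory, matched on a '\\' boundary."""
    return norm(path).startswith(norm(directory) + "\\")


def suspicious_loads(json_lines):
    """Triage Event ID 7 loads by processes under BE_DIR; return (reason, event)."""
    findings = []
    for line in json_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 7 or not inside(ev.get("Image", ""), BE_DIR):
            continue
        if not any(inside(ev.get("ImageLoaded", ""), d) for d in TRUSTED_DIRS):
            findings.append(("outside-trusted-dir", ev))
        elif ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
            findings.append(("unsigned-in-trusted-dir", ev))  # planted in place
    return findings


def event(image, loaded, signed="true", status="Valid", event_id=7):
    return json.dumps({"EventID": event_id, "Image": image, "ImageLoaded": loaded,
                       "Signed": signed, "SignatureStatus": status})


EXE = BE_DIR + r"\bedbg.exe"
SAMPLE = [  # constructed records, not real telemetry
    event(EXE, r"C:\Windows\System32\sample.dll"),
    event(EXE, r"C:\Users\Public\sample.dll", "false", "Unavailable"),
    event(EXE, BE_DIR + r"\sample.dll", "false", "Unavailable"),
    event(EXE, BE_DIR + r" Tools\sample.dll"),          # look-alike prefix
    event(EXE, BE_DIR + r"\..\..\..\Temp\sample.dll"),  # '..' traversal
    event(r"C:\Windows\System32\notepad.exe", r"C:\Temp\sample.dll"),
]

if __name__ == "__main__":
    print(*[(r, e["ImageLoaded"]) for r, e in suspicious_loads(SAMPLE)], sep="\n")
```

Paths are normalized before comparison so that a sibling directory sharing the install path's prefix, or a path that climbs out with `..`, is not mistaken for a trusted location.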