CVE-2022-46414: Veritas NetBackup Flex Scale Unauthenticated RCE Vulnerability

Veritas informed customers last week that it has patched five vulnerabilities impacting its NetBackup Flex Scale and Access Appliance products, including a critical-severity flaw.

The most severe of the security defects is CVE-2022-46414 (CVSS score of 9.8), an issue in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100 that could be exploited by an unauthenticated attacker to remotely execute arbitrary commands.

NetBackup is powered by Cloud Scale Technology, a new generation of the proven NetBackup architecture, modernized to operate at web scale and to provide a foundation for the vendor's vision of autonomous data management. NetBackup is marketed as the only solution to offer fully automated movement of cloud-based workloads to lower-cost tiers of storage, either on-premises or in the cloud. According to the website description, “87% of the Fortune Global 500 choose NetBackup.”

Successful exploitation of CVE-2022-46414 could allow the attacker to gain remote command execution on affected systems.

A second vulnerability in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100 could allow an authenticated attacker to remotely execute arbitrary commands via the management portal. The bug is tracked as CVE-2022-46413 (CVSS score of 8.8).

Tracked as CVE-2022-46411 (CVSS score of 8.8), the third flaw also impacts Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100 and could be exploited to escalate privileges.

Two other issues, CVE-2022-46412 and CVE-2022-46410 (both with a CVSS score of 8.8), impact Veritas NetBackup Flex Scale through 3.0 and could allow an attacker to escape a restricted shell and execute privileged commands, or to escalate privileges to root.

Users are advised to download and install the available patches as soon as possible.