PT-2021-11943 · Microsoft+1 · Windows+2

Published: 2021-01-06 · Updated: 2021-01-11 · CVE-2020-36163

CVSS v3.1: 9.3 (Critical)

Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerable software and affected versions: Veritas NetBackup and OpsCenter, versions through 8.3.0.1
Description: Veritas NetBackup and OpsCenter ship with Strawberry Perl, and NetBackup processes that run under it attempt to load and execute libraries from paths that do not exist by default on Windows. Because a low-privileged local user can create such a path and place a library of the expected name in it, the NetBackup process loads the attacker's library and runs it as SYSTEM or Administrator: a library search-path hijack that yields full administrative control of the host, including access to all data and installed applications. Every system is exposed while an install or upgrade is running; Master, Media, and OpsCenter servers remain exposed post-install during normal operation.
Recommendations: For Veritas NetBackup and OpsCenter versions through 8.3.0.1, restrict access to the Strawberry Perl libraries and, as a temporary workaround, make sure the non-existent paths that NetBackup probes cannot be created by unprivileged users. Note that on a default Windows installation Authenticated Users may create folders directly under the root of C:, so either pre-create those directories with an ACL that grants write access only to SYSTEM and Administrators, or tighten the ACL on the parent directory. Re-check the host after any install or upgrade, since the exposure window covers those operations as well. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
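A practical way to act on these recommendations, added here as an example (it is not code from the advisory or from Veritas): a PowerShell audit that, for each path a privileged NetBackup process probes but that does not exist, walks up to the nearest existing directory, checks whether BUILTIN\Users, Authenticated Users or Everyone hold create rights on it, and optionally pre-creates the path with a SYSTEM/Administrators-only ACL. The two entries in $CandidatePaths are placeholder assumptions, since the advisory names no paths; the function names are likewise mine.

```powershell
# Added example for this advisory; not Veritas code and not part of the original entry.
# Audits paths that a privileged process probes for libraries but that do not exist,
# reports whether a low-privileged user could create them, and (when $Remediate is
# set) pre-creates them with a SYSTEM/Administrators-only ACL. Run elevated.

# ASSUMPTION: the advisory names no paths. These two are placeholders; replace them
# with the NAME NOT FOUND / PATH NOT FOUND results from a Process Monitor trace of
# the NetBackup (Strawberry Perl) processes on your own host.
$CandidatePaths = @(
    'C:\Strawberry\perl\site\lib',
    'C:\Strawberry\c\bin'
)
$Remediate = $false   # set to $true to pre-create and lock down hijackable paths

# Principals that every local user is a member of.
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that let a principal create a child directory or file inside a folder.
$CreateRights = [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                [System.Security.AccessControl.FileSystemRights]::CreateFiles

# Walk up from a missing path to the closest directory that actually exists;
# that ancestor's ACL decides who can bring the missing path into existence.
function Get-NearestExistingAncestor {
    param([Parameter(Mandatory)][string]$Path)
    $current = $Path
    while (-not (Test-Path -LiteralPath $current)) {
        $parent = Split-Path -Path $current -Parent
        if ([string]::IsNullOrEmpty($parent) -or $parent -eq $current) { return $null }
        $current = $parent
    }
    return $current
}

# True when an Allow ACE for a low-privileged principal grants create rights.
function Test-LowPrivCanCreate {
    param([Parameter(Mandatory)][string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $CreateRights) -ne 0) { return $true }
    }
    return $false
}

# Create the missing path and give it an explicit, non-inherited ACL that only
# SYSTEM and Administrators can write to, so no unprivileged user can drop a library there.
function Protect-MissingPath {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($ace)
    }
    foreach ($id in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($path in $CandidatePaths) {
    if (Test-Path -LiteralPath $path) {
        [pscustomobject]@{ Path = $path; State = 'exists'; LowPrivCanCreate = $false }
        continue
    }
    $anchor = Get-NearestExistingAncestor -Path $path
    $hijackable = ($null -ne $anchor) -and (Test-LowPrivCanCreate -Directory $anchor)
    [pscustomobject]@{ Path = $path; State = "missing (nearest existing: $anchor)"; LowPrivCanCreate = $hijackable }
    if ($hijackable -and $Remediate) { Protect-MissingPath -Path $path }
}
```

The check is deliberately conservative: it only inspects Allow ACEs for the three well-known low-privileged principals and ignores Deny ACEs and nested group membership, so a path reported as not hijackable still deserves a manual look if local users hold rights through other groups. Paths that already exist are reported but not evaluated; those need their own ACL review, since a world-writable existing directory is just as usable for a library drop. Pre-creating directories can interfere with a later installer or upgrade that expects to create them itself, so re-run the audit after patching and remove the placeholder directories once the vendor fix is in place.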

Related Identifiers

CVE-2020-36163

Affected Products

OpsCenter
Veritas NetBackup
Windows