CVE-2022-26778: 
Veritas System Recovery vulnerability analysis and mitigation

Veritas System Recovery (VSR) versions 18 and 21 contain a sensitive information disclosure vulnerability (CVE-2022-26778) where network destination passwords are stored in the Windows registry during backup configuration. The vulnerability was discovered and disclosed in March 2022 (NVD).

The vulnerability has a CVSS v3.1 Base Score of 5.3 (Medium) with the following vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The technical issue involves the storage of network destination passwords in the Windows registry during the backup configuration process, which could expose sensitive authentication credentials (Veritas).

This vulnerability could allow Windows users with sufficient privileges to access network file systems they were not authorized to access, potentially leading to unauthorized access to network resources (Veritas).

Veritas has released patches to address this vulnerability. For VSR 18, users should update to VSR 18 SP4 and install the updated VProSvc.exe (Version: 18.0.4.57090). For VSR 21, users should update to VSR 21 SP3 and install the updated VProSvc.exe (Version: 21.0.3.62140). The updated files should be replaced on both servers and clients (Veritas).