CVE-2024-33671: 
Veritas Backup Exec Agent vulnerability analysis and mitigation

An issue was discovered in Veritas Backup Exec before 22.2 HotFix 917391. The Backup Exec Deduplication Multi-threaded Streaming Agent can be leveraged to perform arbitrary file deletion on protected files. The vulnerability was disclosed on April 25, 2024, and affects multiple versions of Veritas Backup Exec including versions 21.0 through 22.2 (Veritas Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.7 (HIGH) with the vector string AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. The vulnerability is related to the Backup Exec Deduplication Multi-threaded Streaming Agent's handling of file operations, which can be exploited to delete protected files. The issue has been classified under CWE-73 (External Control of File Name or Path) (NVD).

The vulnerability allows attackers to perform arbitrary file deletion on protected files, potentially leading to data loss and system integrity issues. The high CVSS score indicates significant potential impact on the integrity and availability of the system, though confidentiality is not directly affected (Veritas Advisory).

Veritas recommends either upgrading to Version 23.0 (which requires no additional hotfix) or upgrading to version 22.2 and applying HotFix 917391. As a temporary mitigation, administrators can restrict access to the boost_interprocess directory (C:\ProgramData\boost_interprocess) to local administrator users only (Veritas Advisory).

The vulnerability was discovered and reported by the Lockheed Martin Red Team, demonstrating active security research in enterprise backup solutions (Veritas Advisory).