CVE-2024-33672: 
Veritas NetBackup Client vulnerability analysis and mitigation

An issue was discovered in Veritas NetBackup before 10.4. The Multi-Threaded Agent used in NetBackup can be leveraged to perform arbitrary file deletion on protected files. This vulnerability, identified as CVE-2024-33672, affects NetBackup components running on Microsoft Windows Operating Systems, including Primary Server, Media Server, and Clients. The affected versions include 10.3.0.1, 10.3, 10.2.0.1, 10.2, 10.1.1, 10.1, 10.0.0.1, 10.0, 9.1.0.1, 9.1, and 8.3.0.2, with older unsupported versions potentially affected as well (Veritas Advisory).

The vulnerability is classified as CWE-427 (Uncontrolled Search Path Element) and has been assigned a CVSS v3.1 Base Score of 7.7 (HIGH) with the vector string AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. The issue specifically relates to the Multi-Threaded Agent component's handling of file operations, which can be exploited to delete protected files on the system (MITRE CVE, Veritas Advisory).

The vulnerability allows attackers to perform arbitrary file deletion on protected files within the system. This could potentially lead to system instability, data loss, or disruption of backup operations (Veritas Advisory).

Veritas recommends several mitigation options: upgrade to version 10.4, or upgrade to version 10.3.0.1, 10.2.0.1, or 10.1.1 and apply the corresponding EEB from Download Center. For versions 10.0.0.1 and 9.1.0.1, users should contact Veritas Support to request an EEB. As a temporary mitigation, access to the boostinterprocess directory (C:\ProgramData\boostinterprocess) should be restricted to local administrator users only (Veritas Advisory).

The vulnerability was discovered and reported by the Lockheed Martin Red Team, demonstrating active security research involvement from the defense industry sector (Veritas Advisory).