CVE-2023-28759 Overview
CVE-2023-28759 is a DLL hijacking vulnerability discovered in Veritas NetBackup before version 10.0 on Windows systems. The vulnerability exists in the way the NetBackup client validates the path to a DLL prior to loading, which may allow a lower-privileged user to elevate privileges and compromise the system. This type of vulnerability is classified as CWE-427 (Uncontrolled Search Path Element).
Critical Impact
A local attacker with low-level privileges can exploit improper DLL path validation to achieve privilege escalation, potentially gaining complete control over affected Windows systems running Veritas NetBackup.
Affected Products
- Veritas NetBackup versions prior to 10.0 on Windows
Discovery Timeline
- 2023-03-23 - CVE-2023-28759 published to NVD
- 2025-02-25 - Last updated in NVD database
Technical Details for CVE-2023-28759
Vulnerability Analysis
This vulnerability is a classic DLL hijacking weakness in how the Veritas NetBackup client resolves the libraries it loads. When a NetBackup client component loads a DLL by name rather than by a validated absolute path, Windows walks its standard DLL search order on the component's behalf, and the client does not verify that the module found came from a trusted location. An attacker with local access can therefore drop a malicious DLL of the same name into a directory that is searched before the one holding the legitimate DLL, or into any searched directory at all when the requested DLL is not present on the system.
The impact is amplified by where NetBackup sits: backup agents run with high privileges so they can read protected files and system state, which makes them attractive targets for privilege escalation. An attacker who gets a planted DLL loaded executes arbitrary code in the security context of the NetBackup process that performed the load, which on Windows is typically a privileged service account.
Root Cause
The root cause of CVE-2023-28759 is improper validation of DLL paths before loading (CWE-427: Uncontrolled Search Path Element). The NetBackup client does not ensure that the DLLs it loads come from trusted, administrator-controlled locations, so the Windows DLL search order decides which file is loaded. An attacker who can write to a directory that is searched earlier than the directory holding the legitimate DLL wins the race.
When an application loads a DLL by bare name, Windows first checks modules that are already loaded and the Known DLLs list, then walks a fixed search order. With SafeDllSearchMode enabled, which has been the default since Windows XP SP2, the order is: the application's own directory, the system directory (System32), the 16-bit system directory, the Windows directory, the current directory, and finally each directory listed in PATH. With SafeDllSearchMode disabled, the current directory moves up to second place. If an attacker can write to any directory that is searched before the one containing the legitimate DLL, or to any searched directory when the requested DLL does not exist at all, the application loads the attacker's code with its own privileges.
Attack Vector
The attack requires local access to the target system with at least low-level user privileges. An attacker would need to:
- Identify the DLLs loaded by the NetBackup client without full path specification
- Craft a malicious DLL with the same name containing payload code
- Place the malicious DLL in a directory that appears earlier in the Windows DLL search order
- Wait for or trigger the NetBackup client to load the malicious DLL
- Achieve code execution with elevated privileges
The attack exploits the local system environment and does not require user interaction. Once the malicious DLL is placed in the appropriate location, it will be loaded automatically when the vulnerable NetBackup component executes, granting the attacker elevated privileges on the compromised system.
Detection Methods for CVE-2023-28759
Indicators of Compromise
- Unexpected DLL files appearing in NetBackup installation directories or Windows system paths
- DLL files with recent creation or modification timestamps in directories on the DLL search path that are writable by low-privileged users
- Process execution anomalies where NetBackup processes spawn unexpected child processes
- Suspicious file write operations to directories in the DLL search path prior to NetBackup service startup
Detection Strategies
- Monitor file system activity for DLL creation or modification in NetBackup installation directories and common DLL hijacking locations
- Implement application whitelisting to prevent unauthorized DLLs from being loaded by NetBackup components
- Use endpoint detection tools to identify processes loading DLLs from unusual or untrusted paths
- Enable process creation auditing (Security log Event ID 4688, with command-line logging turned on) and watch the System log for Event ID 7045 (a new service was installed); where Sysmon is deployed, Event ID 7 (Image loaded) records the full path and signature status of every DLL a process loads and is the most direct signal for a hijack
Monitoring Recommendations
- Configure SentinelOne to monitor for DLL sideloading and hijacking behaviors associated with backup software
- Enable detailed process tracking on systems running Veritas NetBackup to detect privilege escalation attempts
- Implement file integrity monitoring on critical NetBackup directories and Windows system paths
- Review security logs regularly for signs of unauthorized privilege escalation activity
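The following PowerShell script is an added example, not code from the original page or from Veritas. It implements the detection strategy described above by reading Sysmon "Image loaded" events (Event ID 7) for NetBackup processes and reporting any DLL that was loaded from outside the expected locations or that lacks a valid Authenticode signature. It assumes Sysmon is installed with an ImageLoad rule that covers the NetBackup processes and that NetBackup is installed under the default root; both are assumptions, as is the 24-hour look-back.

```powershell
# Added detection example, not part of the original page or of Veritas tooling.
# Reviews Sysmon "Image loaded" events (ID 7) for NetBackup processes and reports
# DLLs loaded from outside the expected locations or without a valid signature.
# Assumes Sysmon is installed with an ImageLoad rule covering NetBackup processes
# and that NetBackup lives under the default install root below (both assumptions).

$NetBackupRoot   = 'C:\Program Files\Veritas'
$TrustedPrefixes = @(
    $NetBackupRoot,
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    (Join-Path $env:SystemRoot 'WinSxS')
)

# Pull one named field out of a Sysmon event's EventData block
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-SuspiciousNetBackupDllLoads {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 7
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $x     = [xml]$evt.ToXml()
        $image = Get-EventField $x 'Image'
        if ($image -notlike "$NetBackupRoot\*") { continue }   # only NetBackup processes

        $loaded = Get-EventField $x 'ImageLoaded'
        $signed = Get-EventField $x 'Signed'
        $status = Get-EventField $x 'SignatureStatus'
        $fromTrusted = [bool]($TrustedPrefixes | Where-Object { $loaded -like "$_\*" })
        $validSig    = ($signed -eq 'true') -and ($status -eq 'Valid')
        if ($fromTrusted -and $validSig) { continue }          # expected load, ignore

        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Process = $image
            Dll     = $loaded
            Signer  = Get-EventField $x 'Signature'
            Reason  = if (-not $fromTrusted) { 'loaded from untrusted path' } else { 'unsigned or invalid signature' }
        }
    }
}

Find-SuspiciousNetBackupDllLoads -Hours 24 | Format-Table -AutoSize
```

A DLL planted in the NetBackup bin directory itself passes the path check, because the application directory is the first place Windows looks; the signature check is what catches that case, so keep both conditions and pair this hunt with a permissions audit of the install directory. Expect some tuning: vendor-bundled third-party DLLs that are unsigned will show up on the first run and belong on a reviewed allow list rather than in the alert.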
How to Mitigate CVE-2023-28759
Immediate Actions Required
- Upgrade Veritas NetBackup to version 10.0 or later to remediate this vulnerability
- Review and restrict file system permissions on directories in the DLL search path
- Audit existing systems for any signs of compromise or unauthorized DLL files
- Implement application control policies to prevent unauthorized code execution
Patch Information
Veritas has addressed this vulnerability in NetBackup version 10.0 and later. Organizations should upgrade to the latest supported version of NetBackup to mitigate this vulnerability. For detailed patch information and upgrade guidance, refer to the Veritas Security Advisory VTS23-006.
Workarounds
- Restrict write access to directories in the DLL search path to administrators only
- Confirm via Group Policy or the registry that SafeDllSearchMode is enabled; it is the Windows default, so this only helps where it has been turned off, and it does not remove the application directory or PATH entries from the search order
- Use application whitelisting solutions to prevent unauthorized DLL loading
- Monitor and alert on file system changes in critical application directories until patching is complete
# Example: Verify the installed NetBackup version on a Windows client (the output lists the product version; anything below 10.0 is affected)
"C:\Program Files\Veritas\NetBackup\bin\admincmd\bpgetconfig" -L
# Example: Set SafeDllSearchMode via registry (requires administrator). This is already the Windows default, so it only changes anything where it has been disabled, and it is a hardening step rather than a fix for this CVE
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
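The following PowerShell audit is an added example, not code from Veritas or from the advisory. It puts the Root Cause and Workarounds sections into practice: it builds the DLL search order that Windows will walk for a NetBackup process on this host (reading SafeDllSearchMode from the registry and using the machine-wide PATH that services see), then inspects each directory's ACL for entries that let Everyone, Authenticated Users or BUILTIN\Users create files there. The NetBackup bin path is the default install location and is an assumption; run the script from an elevated PowerShell on the NetBackup host.

```powershell
# Added example: audit the DLL search path a NetBackup process will walk on this
# host and flag directories a low-privileged user can write to (CWE-427 exposure).
# Not Veritas code. Assumes the default install path; adjust $NetBackupBin if needed.

$NetBackupBin = 'C:\Program Files\Veritas\NetBackup\bin'

function Get-DllSearchOrder {
    param([Parameter(Mandatory)][string]$AppDir)
    # SafeDllSearchMode: value absent or non-zero means enabled (the default since XP SP2)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $safe = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SafeDllSearchMode
    $safeEnabled = ($null -eq $safe) -or ($safe -ne 0)

    $win   = [Environment]::GetFolderPath('Windows')    # C:\Windows
    $sys   = [Environment]::GetFolderPath('System')     # C:\Windows\System32
    $sys16 = Join-Path $win 'System'                    # 16-bit system directory
    # Services normally start with System32 as their current directory and see the
    # machine-wide PATH, not the auditing user's PATH, so model that context.
    $cwd   = $sys
    $path  = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
             ForEach-Object { $_.Trim() } | Where-Object { $_ }

    $order = if ($safeEnabled) { @($AppDir, $sys, $sys16, $win, $cwd) + $path }
             else              { @($AppDir, $cwd, $sys, $sys16, $win) + $path }
    # De-duplicate case-insensitively while preserving search order
    $seen = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $order | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Where-Object { $seen.Add($_) }
}

# SIDs every local user effectively holds: Everyone, Authenticated Users, BUILTIN\Users
$LowPrivSids  = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
$FileAddFile  = 0x00000002   # FILE_ADD_FILE: enough to drop a DLL into the directory
$GenericWrite = 0x40000000
$GenericAll   = 0x10000000

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Dir)
    $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this directory itself
        if ([int]$ace.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($sid -notin $LowPrivSids) { continue }
        # Generic rights show up as negative/high-bit values; mask to an unsigned 32-bit view
        $rights = ([int64][int]$ace.FileSystemRights) -band 0xFFFFFFFF
        if (($rights -band $FileAddFile) -or ($rights -band $GenericWrite) -or ($rights -band $GenericAll)) {
            return $true
        }
    }
    return $false
}

$i = 0
foreach ($dir in Get-DllSearchOrder -AppDir $NetBackupBin) {
    $i++
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist is still searched; if its parent is
        # writable a user can create it, so it deserves a look as well.
        '{0,2}. {1}  [missing]' -f $i, $dir
        continue
    }
    $flag = if (Test-LowPrivWritable -Dir $dir) { '  <-- WRITABLE BY LOW-PRIVILEGED USERS' } else { '' }
    '{0,2}. {1}{2}' -f $i, $dir, $flag
}
```

Any directory flagged ahead of the one that holds the legitimate DLL is a hijack location; for DLLs that NetBackup requests but that do not exist on the host, every flagged directory is one. Fixing the ACLs so only Administrators and SYSTEM can create files in those directories removes the attacker's foothold until the upgrade to 10.0 is complete, but it is a workaround and not a substitute for the patch.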
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


