CVE-2024-28222 Overview
CVE-2024-28222 is a critical path traversal vulnerability affecting Veritas NetBackup and NetBackup Appliance. The BPCD (Backup Policy and Configuration Daemon) process inadequately validates file paths, allowing an unauthenticated attacker to upload and execute a custom file on the target system. This vulnerability enables remote code execution without requiring any authentication, making it particularly dangerous for enterprise backup environments.
Critical Impact
Unauthenticated attackers can exploit the BPCD process to upload and execute arbitrary files, potentially leading to complete system compromise of backup infrastructure.
Affected Products
- Veritas NetBackup versions before 8.1.2
- Veritas NetBackup Appliance versions before 3.1.2
Discovery Timeline
- 2024-03-07 - CVE-2024-28222 published to NVD
- 2025-01-21 - Last updated in NVD database
Technical Details for CVE-2024-28222
Vulnerability Analysis
This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal). The BPCD service, which handles backup policy and configuration operations in Veritas NetBackup, fails to properly sanitize and validate file path inputs provided by remote users.
When processing file upload requests, the BPCD process does not adequately verify that the destination path remains within intended directories. An attacker can craft malicious requests containing directory traversal sequences (such as ../) to write files to arbitrary locations on the file system. Combined with the ability to execute the uploaded file, this creates a direct path to remote code execution.
The network-accessible nature of the BPCD service, combined with no authentication requirement, means that any attacker with network access to the vulnerable service can exploit this vulnerability. This is particularly concerning in enterprise environments where NetBackup servers often have elevated privileges and access to sensitive backup data across the organization.
Root Cause
The root cause lies in insufficient input validation within the BPCD process. The service accepts file path parameters from network requests without properly sanitizing them for path traversal sequences. This allows attackers to escape the intended directory structure and write files to arbitrary locations on the target system.
The lack of authentication on the vulnerable endpoint compounds the issue, as it removes any barrier between an attacker and the exploitable functionality.
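The containment check that the root cause describes as missing, shown next to the unsafe pattern. This is an added example, not Veritas code; `naive_destination`, `safe_destination`, `check`, `demo` and the sample paths are hypothetical names and constructed inputs.

```python
import os
import tempfile

def naive_destination(base_dir, requested):
    # Vulnerable pattern (CWE-22): the joined path is trusted as-is, so "../"
    # components or an absolute path move the result outside base_dir.
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_destination(base_dir, requested):
    """Return the resolved destination, or raise ValueError if it escapes base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so a link inside base_dir
    # that points elsewhere is caught as well.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"destination escapes {base!r}: {requested!r}")
    return candidate

def check(base_dir, requested):
    """True if safe_destination accepts the path, False if it rejects it."""
    try:
        safe_destination(base_dir, requested)
        return True
    except ValueError:
        return False

def demo():
    # Constructed sample inputs; "incoming" stands in for the intended upload directory.
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "incoming")
        os.mkdir(base)
        os.symlink(root, os.path.join(base, "link"))  # symlink pointing outside base
        samples = ["policy/file.cfg", "a/../b.txt", "../outside.sh",
                   "a/../../x", "/etc/cron.d/job", "link/escaped.sh"]
        return {s: check(base, s) for s in samples}

if __name__ == "__main__":
    for path, accepted in demo().items():
        print(f"{'accept' if accepted else 'REJECT'}  {path}")
```

The check is only meaningful if the write uses the returned resolved path and happens right after it; validating one string and opening another reintroduces the bug.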
Attack Vector
The attack is network-based and can be executed remotely without any authentication or user interaction. An attacker would:
- Identify a Veritas NetBackup server or appliance running a vulnerable version
- Craft a malicious request to the BPCD service containing path traversal sequences
- Upload a malicious executable or script to a location where it can be executed
- Trigger execution of the uploaded file to achieve remote code execution
The vulnerability allows attackers to bypass normal file upload restrictions and place malicious payloads in sensitive system directories.
Detection Methods for CVE-2024-28222
Indicators of Compromise
- Unexpected files appearing in system directories outside of normal NetBackup operational paths
- Unusual process activity spawned from BPCD or NetBackup-related services
- Network connections to the BPCD service from unexpected or external IP addresses
- Log entries showing file write operations with path traversal patterns (e.g., ../ sequences)
Detection Strategies
- Monitor BPCD service logs for suspicious file path patterns containing directory traversal sequences
- Implement network intrusion detection rules to identify malformed requests targeting the BPCD service
- Deploy file integrity monitoring on NetBackup servers to detect unauthorized file creation
- Analyze network traffic for unusual connections to NetBackup service ports from untrusted sources
Monitoring Recommendations
- Enable detailed logging on NetBackup servers and centralize logs for analysis
- Configure alerts for any file creation events in system directories by NetBackup processes
- Monitor for execution of unexpected binaries or scripts on NetBackup infrastructure
- Implement baseline monitoring for BPCD service behavior to detect anomalies
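A minimal file integrity check for the file-creation monitoring recommended above: it snapshots a directory, then reports new, modified, removed and newly executable files. This is an added example, not part of any NetBackup or vendor tooling; `snapshot`, `diff`, `demo` and the file names are hypothetical and the directory tree is constructed.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, permission bits)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            state[os.path.relpath(path, root)] = (h.hexdigest(), stat.S_IMODE(st.st_mode))
    return state

def diff(baseline, current):
    """Return findings as a sorted list of (kind, relative path) tuples."""
    findings = []
    for path, (digest, mode) in current.items():
        if path not in baseline:
            # A new file with any execute bit set is the highest-priority finding.
            findings.append(("new-executable" if mode & 0o111 else "new-file", path))
        elif baseline[path][0] != digest:
            findings.append(("modified", path))
        elif mode & 0o111 and not baseline[path][1] & 0o111:
            findings.append(("became-executable", path))
    findings += [("removed", p) for p in baseline if p not in current]
    return sorted(findings)

def demo():
    # Constructed tree standing in for a monitored system directory.
    with tempfile.TemporaryDirectory() as root:
        known = os.path.join(root, "known.conf")
        with open(known, "w") as fh:
            fh.write("a=1\n")
        baseline = snapshot(root)
        dropped = os.path.join(root, "dropped.sh")
        with open(dropped, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(dropped, 0o755)
        with open(known, "a") as fh:
            fh.write("b=2\n")
        return diff(baseline, snapshot(root))
```

Store the baseline off the monitored host, since an attacker who can write arbitrary files can also rewrite a local baseline.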
How to Mitigate CVE-2024-28222
Immediate Actions Required
- Upgrade Veritas NetBackup to version 8.1.2 or later immediately
- Upgrade Veritas NetBackup Appliance to version 3.1.2 or later
- Restrict network access to NetBackup servers using firewall rules to limit exposure
- Audit NetBackup systems for signs of compromise before and after patching
Patch Information
Veritas has released security patches addressing this vulnerability. Organizations should update to NetBackup version 8.1.2 or later, and NetBackup Appliance version 3.1.2 or later. The official security advisory is Veritas Security Advisory VTS23-010.
Workarounds
- Implement strict network segmentation to isolate NetBackup infrastructure from untrusted networks
- Configure firewall rules to restrict access to BPCD service ports to only authorized management systems
- Deploy network-level access controls or VPN requirements for administrative access to backup infrastructure
- Consider temporarily disabling external network access to affected services until patches can be applied
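# Example firewall configuration to restrict BPCD access
# Restrict NetBackup BPCD service (default port 13724) to the trusted management network only
# 10.0.0.0/8 is a placeholder: replace it with your actual management subnet
# -A appends, so these rules only take effect if no earlier INPUT rule already accepts the traffic
iptables -A INPUT -p tcp --dport 13724 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 13724 -j DROP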