The version of Veritas System Recovery installed on the remote Windows host is 23.2 or prior. It is, therefore, affected by an arbitrary file creation vulnerability. A local attacker could create a file in any arbitrary location within the filesystem. This includes protected directories, such as C:\Windows, C:\Windows\System32 and C:\Program Files. In addition, a local attacker could leverage this vulnerability to cause denial of service or to tamper with important services.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(198161);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/31");
script_cve_id("CVE-2024-35204");
script_xref(name:"IAVA", value:"2024-A-0316");
script_name(english:"Veritas System Recovery Arbitrary File Creation (VTS24-005)");
script_set_attribute(attribute:"synopsis", value:
"A back-up management application installed on the remote Windows host is affected by an abritrary file creation vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of Veritas System Recovery installed on the remote Windows host is 23.2 or prior. It is, therefore,
affected by an arbitrary file creation vulnerability. A local attacker could create a file in any arbitrary location
within the filesystem. This includes protected directories, such as C:\Windows, C:\Windows\System32 and C:\Program
Files. In addition, a local attacker could leverage this vulnerability to cause denial of service or to tamper with
important services.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version");
script_set_attribute(attribute:"see_also", value:"https://www.veritas.com/support/en_US/security/VTS24-005");
script_set_attribute(attribute:"see_also", value:"https://www.veritas.com/support/en_US/article.100065391");
# https://www.veritas.com/content/support/en_US/downloads/update.UPD860045
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?25994526");
script_set_attribute(attribute:"solution", value:
"Upgrade to a version after 23.2 or apply Hotfix 860045 per vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-35204");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/05/07");
script_set_attribute(attribute:"patch_publication_date", value:"2024/04/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/30");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:veritas:system_recovery");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("veritas_system_recovery_win_installed.nbin");
script_require_keys("installed_sw/Veritas System Recovery", "Settings/ParanoidReport");
exit(0);
}
include('vcf.inc');
var app_info = vcf::get_app_info(app:'Veritas System Recovery', win_local:TRUE);
# Can't detect hotfix
if (report_paranoia < 2)
audit(AUDIT_PARANOID);
var constraints = [
{'max_version': '23.2.999999', 'fixed_display': 'Apply Hotfix 860045 per vendor advisory'}
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
Vendor | Product | Version | CPE |
---|---|---|---|
veritas | system_recovery | cpe:/a:veritas:system_recovery |