Backup Exec Critical Update

Article ID: 100049178

Description

Security research has disclosed a vulnerability that would allow a low-privileged user on a Windows system to load malicious OpenSSL code.

Action Required

Please refer to the Master Advisory for more details on the security advisory and recommended action.
For further information, see the Backup Exec Security Advisory.

Affected Versions:

Backup Exec versions 21.x, 20.x and 16.x. Earlier versions that are no longer supported may be affected as well.

Remediation

If you are on BE 21.x:

Install Backup Exec 21.1 Hotfix 657517 (Engineering version 21.0.1200.1217)

If you are on BE 20.x:

Install Backup Exec 20.6 Hotfix 298543 (Engineering version 20.0.1188.2734)

Prerequisite is Backup Exec 20.6 Hotfix 525537

These hotfixes will be available in Veritas Update for automated download and installation.

If you are on Backup Exec version 16.x or older, Veritas recommends that you upgrade to Backup Exec 21.1.

Mitigation

If you are not applying a recommended remediation listed above, use an administrator account to create the directory ‘\usr\local\ssl’ under the root of all drives and set the ACL on the directory to deny write access to all other users. This will prevent an attacker from installing a malicious OpenSSL engine.
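One way to script this mitigation, as an added example that is not part of the Veritas advisory. It assumes that "all drives" means local fixed disks, that "deny write access" is implemented by removing inheritance and leaving BUILTIN\Users with read and execute only, and that the parent directories \usr and \usr\local should get the same ACL so they do not inherit write access from the drive root.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-create \usr\local\ssl on every local fixed drive and
# replace its ACL so that only Administrators and SYSTEM can write to it.
# Caution: an existing \usr tree has its ACL replaced; review it first.

$ac      = 'System.Security.AccessControl'
$admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$system  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM
$users   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-LockedAcl {
    # Build a protected (non-inheriting) ACL: admins/SYSTEM full, Users read-only.
    $acl = New-Object "$ac.DirectorySecurity"
    $acl.SetAccessRuleProtection($true, $false)   # block inheritance, discard inherited ACEs
    $acl.SetOwner($admins)                        # an owner can rewrite the ACL, so take ownership
    foreach ($g in @(@($admins, 'FullControl'), @($system, 'FullControl'), @($users, 'ReadAndExecute'))) {
        $rights = [System.Security.AccessControl.FileSystemRights]$g[1]
        $rule   = New-Object "$ac.FileSystemAccessRule" ($g[0], $rights, $inherit, $noProp, $allow)
        $acl.AddAccessRule($rule)
    }
    return $acl
}

# DriveType 3 = local fixed disk (assumption: removable and network drives are out of scope)
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3') {
    foreach ($rel in 'usr', 'usr\local', 'usr\local\ssl') {
        $path = Join-Path "$($disk.DeviceID)\" $rel
        New-Item -ItemType Directory -Path $path -Force | Out-Null
        Set-Acl -Path $path -AclObject (New-LockedAcl)
    }
    # Show the resulting ACEs so the result can be checked per drive
    $leaf = Join-Path "$($disk.DeviceID)\" 'usr\local\ssl'
    (Get-Acl $leaf).Access |
        Select-Object @{ n = 'Path'; e = { $leaf } }, IdentityReference, FileSystemRights, IsInherited
}
```

In the output, every entry should show `IsInherited` as `False`, and only Administrators and SYSTEM should hold rights beyond `ReadAndExecute`.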
