An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.
Published 2021-03-01 22:15:14
Updated 2022-09-27 20:15:04
Source MITRE
View at NVD, CVE.org
Vulnerability category: Bypass, Gain privilege

Products affected by CVE-2021-27877

CVE-2021-27877 is in the CISA Known Exploited Vulnerabilities Catalog

This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
Veritas Backup Exec Agent Improper Authentication Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.
Notes:
https://www.veritas.com/support/en_US/security/VTS21-001; https://nvd.nist.gov/vuln/detail/CVE-2021-27877
Added on 2023-04-07; action due date 2023-04-28

Exploit prediction scoring system (EPSS) score for CVE-2021-27877

76.21%: probability of exploitation activity in the next 30 days
~98%: percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2021-27877

  • Veritas Backup Exec Agent Remote Code Execution
    Disclosure Date: 2021-03-01
    First seen: 2022-12-23
    exploit/multi/veritas/beagent_sha_auth_rce
    Authors: Alexander Korotin <0xc0rs@gmail.com>

CVSS scores for CVE-2021-27877

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST
8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 3.9 | 4.2 | MITRE
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST

CWE ids for CVE-2021-27877

  • CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
    Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-27877
