CVE-2021-27877 — Veritas Backup Exec Agent Improper Authentication Vulnerability

Veritas Backup Exec Agent — SHA Authentication Bypass Enables Unauthenticated Network Access to Backup Agent Data; Part of VTS21-001 Exploitation Chain

What is Backup Exec Agent SHA Authentication?

Veritas Backup Exec Agent uses a SHA (Secure Hash Algorithm) based authentication scheme to verify that connecting clients are authorized Backup Exec servers before granting access to the agent's data management interface on TCP port 10000. This authentication mechanism controls access to the agent's full functionality — including file backup/restore operations, configuration queries, and command execution. When this authentication is bypassable, any network-accessible attacker can interact with the Backup Exec Agent as if they were an authorized server — gaining access to the data of every machine protected by that agent without needing any credentials. Because backup agents by design have read access to every file on the protected host, authentication bypass on backup infrastructure is a severe exposure.

Overview

CVE-2021-27877 is an improper authentication vulnerability in the Veritas Backup Exec Agent that allows unauthenticated network attackers to bypass SHA authentication and gain unauthorized access to the agent's data management interface. The high confidentiality impact (C:H) reflects that an unauthenticated attacker can read all data accessible to the backup agent — including any files on the protected host. CVE-2021-27877 is the authentication bypass component of the three-CVE VTS21-001 cluster: this vulnerability provides unauthenticated agent access, CVE-2021-27876 enables file access operations, and CVE-2021-27878 enables arbitrary command execution. Veritas patched all three in March 2021; CISA added them to the KEV catalog in April 2023, confirming ransomware operator exploitation of unpatched deployments.

Affected Versions

Product            Vulnerable   Fixed
Backup Exec 16.x   Yes          16.2 Security Patch (VTS21-001)
Backup Exec 20.x   Yes          20.6 Security Patch (VTS21-001)
Backup Exec 21.x   Yes          21.1 Security Patch (VTS21-001)

Technical Details

  • Root cause: Improper authentication (CWE-287) in the SHA-based challenge-response authentication used by the Backup Exec Agent data management protocol — the authentication mechanism has a flaw that allows a remote attacker to pass the challenge without valid credentials, gaining access to the agent interface without an authorized Backup Exec server account
  • Unauthenticated access profile: PR:N/UI:N/AC:L — any attacker with network access to the agent's TCP port 10000 can exploit this without credentials, user interaction, or complex preconditions
  • High confidentiality impact: C:H — once authentication is bypassed, the agent's data interface exposes all files on the protected host that the backup agent account can read (typically all files on the system); attackers can exfiltrate complete host data through the backup protocol
  • Low integrity impact (I:L): the authentication bypass on its own grants read access (file queries, data retrieval); full file writes and command execution require chaining it with CVE-2021-27876 and CVE-2021-27878 respectively
  • VTS21-001 chain entry point: CVE-2021-27877 is the first step in the full exploitation chain — auth bypass → (CVE-2021-27876) file access and modification → (CVE-2021-27878) arbitrary command execution on the agent host → full host compromise

Discovery

Reported to Veritas and patched in security advisory VTS21-001 published March 1, 2021. The CISA KEV addition in April 2023 followed confirmed use in ransomware attacks targeting enterprise backup infrastructure, where attackers specifically leveraged the authentication bypass to enumerate and then corrupt backup data before deploying ransomware on primary systems.

Exploitation Context

The authentication bypass in CVE-2021-27877 is the gateway to full Backup Exec Agent compromise. Ransomware operators targeting enterprise environments specifically seek backup infrastructure because destroying backup capability maximizes ransom leverage. With CVE-2021-27877, an attacker who scans for Backup Exec Agent ports (TCP 10000) and finds unpatched agents can: (1) bypass authentication and read all backup data (intelligence gathering), (2) use CVE-2021-27876 to access specific files for exfiltration, (3) use CVE-2021-27878 to execute commands on every host with a Backup Exec agent. The two-year gap between patch and KEV addition reflects sustained exploitation of unpatched enterprise Backup Exec deployments by ransomware affiliates.

Remediation

  1. Apply Veritas Backup Exec VTS21-001 patches — available for Backup Exec 16.x, 20.x, and 21.x; check the Veritas support portal for specific patch packages
  2. Restrict network access to Backup Exec Agent port (TCP 10000): firewall rules should permit only the authorized Backup Exec server IP address; block all other sources from reaching agent ports
  3. Apply all three VTS21-001 CVEs together — CVE-2021-27876 (file access) and CVE-2021-27878 (command execution) must be patched alongside this authentication bypass
  4. Monitor for unexpected connection attempts to TCP port 10000 from unauthorized sources
  5. Maintain at least one immutable or air-gapped backup copy that cannot be accessed via network-connected Backup Exec agents — preserving recovery capability if the backup infrastructure is compromised
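Steps 2 and 4 above come down to one rule: the only source that should ever reach an agent on TCP 10000 is the authorized Backup Exec server. The following is an added example (not Veritas tooling and not part of the advisory) showing how to enforce that rule as a detection over firewall logs. It assumes the Windows Firewall pfirewall.log field layout (date time action protocol src-ip dst-ip src-port dst-port ...); the log lines and all IP addresses are constructed sample values, and the authorized server set is a placeholder you would replace with your own Backup Exec server addresses.

```python
"""Flag connections to the Backup Exec Agent port (TCP 10000) from sources
other than the authorized Backup Exec server(s).

Added example for this advisory; not Veritas tooling. The log lines below are
constructed in the Windows Firewall (pfirewall.log) field layout:
date time action protocol src-ip dst-ip src-port dst-port size tcpflags ...
All IP addresses are constructed sample values.
"""
from collections import Counter
from dataclasses import dataclass

BACKUP_EXEC_AGENT_PORT = 10000

# Constructed placeholder: the only host(s) permitted to talk to agents on TCP 10000.
AUTHORIZED_SERVERS = {"10.0.0.5"}

# Constructed sample log (pfirewall.log layout; header lines start with '#').
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-04-10 09:15:22 ALLOW TCP 10.0.0.5 10.0.0.20 49152 10000 0 - 0 0 0 - - - RECEIVE
2023-04-10 09:15:23 ALLOW TCP 10.0.0.5 10.0.0.21 49153 10000 0 - 0 0 0 - - - RECEIVE
2023-04-10 11:02:41 ALLOW TCP 192.168.50.77 10.0.0.20 51000 10000 0 - 0 0 0 - - - RECEIVE
2023-04-10 11:02:45 DROP TCP 192.168.50.77 10.0.0.21 51001 10000 0 - 0 0 0 - - - RECEIVE
2023-04-10 11:03:00 ALLOW TCP 192.168.50.77 10.0.0.20 51002 445 0 - 0 0 0 - - - RECEIVE
2023-04-10 11:05:10 ALLOW UDP 10.0.0.9 10.0.0.20 53000 10000 0 - - - - - - - RECEIVE
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    action: str
    src_ip: str
    dst_ip: str


def parse_records(text):
    """Yield (timestamp, action, protocol, src_ip, dst_ip, dst_port) per log row,
    skipping '#' header lines and rows that are too short or have a non-numeric port."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        date, time, action, proto, src, dst, _src_port, dst_port = fields[:8]
        try:
            port = int(dst_port)
        except ValueError:
            continue
        yield f"{date} {time}", action, proto, src, dst, port


def find_unauthorized_agent_access(text, authorized=AUTHORIZED_SERVERS,
                                   port=BACKUP_EXEC_AGENT_PORT):
    """Return a Finding for every TCP connection to the agent port whose source
    is not an authorized Backup Exec server. DROP rows are kept on purpose:
    a blocked probe still shows that someone is looking for agents."""
    findings = []
    for ts, action, proto, src, dst, dst_port in parse_records(text):
        if proto != "TCP" or dst_port != port:
            continue          # other services or non-TCP traffic are out of scope
        if src in authorized:
            continue          # the real Backup Exec server is expected here
        findings.append(Finding(ts, action, src, dst))
    return findings


def summarize_by_source(findings):
    """Count flagged events per source IP: one source touching several agents
    is the scanning pattern the advisory describes."""
    return Counter(f.src_ip for f in findings)


if __name__ == "__main__":
    hits = find_unauthorized_agent_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.action:5} {h.src_ip} -> {h.dst_ip}:{BACKUP_EXEC_AGENT_PORT}")
    print("per-source counts:", dict(summarize_by_source(hits)))
```

On the constructed sample the script flags the two rows from 192.168.50.77 (one allowed, one dropped) and ignores the authorized server, the non-agent port 445 row and the UDP row. Run against real agent-host logs, any ALLOW hit means the firewall allow-list from step 2 is not in place or not tight enough, and a DROP hit is still worth investigating as reconnaissance.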

Key Details

Property                 Value
CVE ID                   CVE-2021-27877
Vendor / Product         Veritas — Backup Exec Agent
NVD Published            2021-03-01
NVD Last Modified        2025-11-03
CVSS 3.1 Score           8.2
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Severity                 HIGH
CISA KEV Added           2023-04-07
CISA KEV Deadline        2023-04-28
Known Ransomware Use     ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector:          Network
Attack Complexity:      Low
Privileges Required:    None
User Interaction:       None
Scope:                  Unchanged
Confidentiality:        High
Integrity:              Low
Availability:           None

Required Action

CISA BOD 22-01 Deadline: 2023-04-28. Apply updates per vendor instructions.

Timeline

Date         Event
2021-03-01   Veritas publishes security advisory VTS21-001 patching CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 in Backup Exec Agent
2021-03-01   CVE published
2023-04-07   Added to CISA Known Exploited Vulnerabilities catalog, two years after the patch, reflecting confirmed ransomware exploitation
2023-04-28   CISA BOD 22-01 remediation deadline

References

Resource                                 Type
Veritas Security Advisory VTS21-001      Vendor Advisory
NVD — CVE-2021-27877                     Vulnerability Database
CISA KEV Catalog Entry                   US Government