CVE-2019-11660: Data Protector privilege escalation via omniresolve (Sep 2019)

Product details: Data Protector is a backup and disaster recovery solution for large, complex, and heterogeneous IT environments.

Vulnerability details: A potential vulnerability has been identified in Micro Focus Data Protector. The vulnerability could be exploited by a low-privileged user to execute a custom binary with higher privileges.

Our comment:
The vulnerability above might concern Data Protector servers installed on the Linux OS platform.
On Linux, a file can have the SUID or SGID bit set so that it shares its owner's or group's privileges with the user who runs it, and an authorized user can exploit that. If a file has the SUID bit set to run as root, it has the power to do everything that root can.

Reference: The omniresolve command reads the filesystem structures, locating the physical disks (on Windows) or volumes (on UNIX) on which a filesystem object resides. If the files reside on a logical volume which is part of a volume group (diskgroup), all volumes in the volume group are displayed.
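
A defender's check for the condition described in the comment and reference above, as an added example (not from the advisory or from Micro Focus): it lists SUID/SGID files owned by a given user under a directory and tests whether a file named omniresolve is among them. The function names are hypothetical, and DP_HOME is a placeholder because the page does not state the install path.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID/SGID files.
# DP_HOME is a placeholder (assumption); set it to the real Data Protector
# installation directory on the host being checked.
DP_HOME="${DP_HOME:-/path/to/data-protector}"

# setid_files DIR OWNER [NAME]
# Print every regular file under DIR that is owned by OWNER (name or numeric
# uid) and has the SUID (4000) or SGID (2000) bit set. NAME optionally limits
# the result to files with that basename (shell glob allowed).
setid_files() {
    find "$1" -xdev -type f -user "$2" -name "${3:-*}" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# has_setid DIR OWNER NAME
# Exit status 0 if a file called NAME under DIR is SUID/SGID and owned by OWNER.
has_setid() {
    [ -n "$(setid_files "$1" "$2" "$3")" ]
}

# Report only when the placeholder has been replaced with a real directory.
if [ -d "$DP_HOME" ]; then
    echo "SUID/SGID files owned by root under $DP_HOME:"
    setid_files "$DP_HOME" root
    if has_setid "$DP_HOME" root omniresolve; then
        echo "omniresolve runs with root privileges: confirm the installed version is A.10.50 or higher"
    fi
fi
```

An empty list after patching, or the absence of omniresolve from it, can be recorded as evidence alongside the version check.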

Status & remedy: Versions 10.00, 10.01, 10.02, 10.03, 10.04, 10.10, 10.20, 10.30, 10.40 are affected. Updating Micro Focus Data Protector to 2019.08 (A.10.50) or a higher version is required.