SYMSA1079
VERITAS NetBackup 5.x: Buffer Overflow in Shared Library used by Volume Manager Daemon
Last Updated November 08, 2005
Initial Publication Date November 08, 2005
- Status: Closed
- Severity: High
- CVSS Base Score: 10.0
A buffer overflow vulnerability exists in a shared library used by the VERITAS NetBackup volume manager daemon (vmd) running on VERITAS NetBackup 5.x servers and clients. Successful exploitation of this overflow condition could possibly allow a malicious attacker to create a denial of service disrupting backup systems or potentially allow execution of arbitrary code with elevated privileges on a targeted system.
Severity
HIGH
|
Remote Access |
Yes |
|
Local Access |
No |
|
Authentication Required |
No |
|
Exploit publicly available |
Yes |
|
Product |
Version |
Build |
Platform |
Solution |
|
NetBackup Enterprise Server Server/Client |
5.0 |
All |
All |
|
|
NetBackup Enterprise Server Server/Client |
5.1 |
All |
All |
Not Affected Product(s)
|
Product |
Version |
Build |
Platform |
|
NetBackup DataCenter and BusinesServer |
4.5MP, FP |
All |
All |
|
NetBackup Enterprise Server Server/Client |
6.0 |
All |
All |
Details
iDefense Labs notified Symantec of a buffer overflow vulnerability in VERITAS NetBackup that could potentially allow a remote attacker to cause a denial of service or to execute arbitrary code. The vulnerability was initially found in the NetBackup vmd but further analysis revealed the problem occurs in a shared library used by vmd possibly impacting other daemons using that shared library also. The buffer overflow condition is due to improper bounds checking of user input. If a remote attacker were able to gain access to the affected library through one of the daemons and successfully exploit this vulnerability, they could potentially disrupt backup capabilities or possibly execute arbitrary code with elevated privileges on the targeted system.
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CAN-2005-3116 to this issue.
This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec Response
Symantec Engineers have verified this issue ONLY impacts NetBackup 5.x. Symantec has made security updates available for the supported VERITAS NetBackup 5.x products. Symantec strongly recommends all customers immediately apply the latest cumulative updates for their supported product versions to protect against these types of threats.
Symantec knows of no adverse customer impact from this issue.
The patches listed above for NetBackup 5.0 and 5.1 are available from the following location:
http://support.veritas.com/docs/279553
NOTE: In a recommended installation, VERITAS NetBackup should be restricted to trusted access only. The VERITAS NetBackup Server or clients should never be visible external to the network which greatly reduces opportunities for unauthorized remote access.
Symantec Security Response will release IPS/IDS signatures to detect and prevent attempts to exploit this issue.
Symantec ManHunt 3.0 signatures are available for update from the Symantec Security Response Update Center at:
http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_MH.html
Symantec Network Security Appliance 7100 signatures are available for update from the Symantec Security Response Update Center at:
http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SNS.html
Symantec Gateway Security 3.0 signatures are available for update from the Symantec Security Response Update Center at:
http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SGS.html
Symantec Client Security 2.0 and 3.0 signatures are available for update via LiveUpdate and from the Security Response Update Center at:
http://www.symantec.com/avcenter/security/Content/Product/Product_SCS.html
Customers using Symantec Client Security 2.0 and 3.0 should receive frequent signature updates if they run LiveUpdate regularly. If not, Symantec recommends customers manually run Symantec LiveUpdate to ensure they have the most current protection available.
As part of normal best practices, Symantec strongly recommends:
- Restricting access to administration or management systems to privileged users.
- Restricting remote access, if required, to trusted/authorized systems only.
- Running under the principle of least privilege where possible to limit the impact of exploit by threats such as this.
- Keeping all operating systems and applications updated with the latest vendor patches.
- Following a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploying network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities
Symantec would like to thank iDefense Labs for reporting this issue and for providing coordination while Symantec resolved it
Revision History
1/16/2006 - Exploit code for this issue is publicly available
SYM05-024
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe
Subscribed to the Article
Unable to subscribe
Thanks for your additional feedback !!!
Enterprise Support Virtual Agent
Rate Me :
Tell us more:
Welcome! My name is Sami, the Enterprise Support Virtual Agent answering technical support questions.
Start Over
This will clear the history and restart the chat.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)