VERITAS NetBackup 5.x: Buffer Overflow in Shared Library used by Volume Manager Daemon

SYMSA1079
Last Updated November 08, 2005
Initial Publication Date November 08, 2005
Copy Article Title/URL
Feedback
Subscribe
  • Status: Closed
  • Severity: High
  • CVSS Base Score: 10.0

A buffer overflow vulnerability exists in a shared library used by the VERITAS NetBackup volume manager daemon (vmd) running on VERITAS NetBackup 5.x servers and clients. Successful exploitation of this overflow condition could possibly allow a malicious attacker to create a denial of service disrupting backup systems or potentially allow execution of arbitrary code with elevated privileges on a targeted system.

Severity
HIGH

Remote Access

Yes

Local Access

No

Authentication Required

No

Exploit publicly available

Yes

 

Product

Version

Build

Platform

Solution

NetBackup Enterprise Server Server/Client

5.0

All

All

NB_50_5S2_M

NetBackup Enterprise Server Server/Client

5.1

All

All

NB_51_3AS2_M

 

Not Affected Product(s)

Product

Version

Build

Platform

NetBackup DataCenter and BusinesServer

4.5MP, FP

All

All

NetBackup Enterprise Server Server/Client

6.0

All

All

 

Details
iDefense Labs notified Symantec of a buffer overflow vulnerability in VERITAS NetBackup that could potentially allow a remote attacker to cause a denial of service or to execute arbitrary code. The vulnerability was initially found in the NetBackup vmd but further analysis revealed the problem occurs in a shared library used by vmd possibly impacting other daemons using that shared library also. The buffer overflow condition is due to improper bounds checking of user input. If a remote attacker were able to gain access to the affected library through one of the daemons and successfully exploit this vulnerability, they could potentially disrupt backup capabilities or possibly execute arbitrary code with elevated privileges on the targeted system.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CAN-2005-3116 to this issue.
This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Symantec Response
Symantec Engineers have verified this issue ONLY impacts NetBackup 5.x. Symantec has made security updates available for the supported VERITAS NetBackup 5.x products. Symantec strongly recommends all customers immediately apply the latest cumulative updates for their supported product versions to protect against these types of threats.

Symantec knows of no adverse customer impact from this issue.

The patches listed above for NetBackup 5.0 and 5.1 are available from the following location:
http://support.veritas.com/docs/279553

NOTE: In a recommended installation, VERITAS NetBackup should be restricted to trusted access only. The VERITAS NetBackup Server or clients should never be visible external to the network which greatly reduces opportunities for unauthorized remote access.

Symantec Security Response will release IPS/IDS signatures to detect and prevent attempts to exploit this issue.

Symantec ManHunt 3.0 signatures are available for update from the Symantec Security Response Update Center at:
http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_MH.html

Symantec Network Security Appliance 7100 signatures are available for update from the Symantec Security Response Update Center at:
http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SNS.html

Symantec Gateway Security 3.0 signatures are available for update from the Symantec Security Response Update Center at:
http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SGS.html

Symantec Client Security 2.0 and 3.0 signatures are available for update via LiveUpdate and from the Security Response Update Center at:
http://www.symantec.com/avcenter/security/Content/Product/Product_SCS.html

Customers using Symantec Client Security 2.0 and 3.0 should receive frequent signature updates if they run LiveUpdate regularly. If not, Symantec recommends customers manually run Symantec LiveUpdate to ensure they have the most current protection available.

As part of normal best practices, Symantec strongly recommends:

  • Restricting access to administration or management systems to privileged users.
  • Restricting remote access, if required, to trusted/authorized systems only.
  • Running under the principle of least privilege where possible to limit the impact of exploit by threats such as this.
  • Keeping all operating systems and applications updated with the latest vendor patches.
  • Following a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploying network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities

Symantec would like to thank iDefense Labs for reporting this issue and for providing coordination while Symantec resolved it

Revision History
1/16/2006 - Exploit code for this issue is publicly available

Legacy ID: SYM05-024

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.