A couple of days ago (thanks Melvin for reminding us about this) Symantec, together with ZDI, published an advisory about 3 new vulnerabilities in the Veritas NetBackup server application. These vulnerabilities allow an attacker to remotely execute arbitrary code on a vulnerable installation.
In their advisory Symantec states that if Veritas NetBackup is properly configured, authentication will be required in order to exploit these vulnerabilities. They also state that connections should be accepted only from trusted hosts - that is, if you can trust your internal network. We also don't doubt that there are a lot of servers that do not require authentication of clients, which makes them even more exposed to this.
The following versions of Veritas NetBackup are vulnerable:
Veritas NetBackup 6.0 < MP4
Veritas NetBackup 5.1 < MP6
Veritas NetBackup 5.0 < MP7
If you are affected, we would recommend that you visit the following web page: http://securityresponse.symantec.com/avcenter/security/Content/2006.12.13a.html, where you can find the links to maintenance packs that patch this.
Looking at the original advisories by ZDI, it looks like they reported these vulnerabilities to Symantec back in August. The timing of releasing the patch for a remotely exploitable vulnerability just a week before the Christmas break is a bit weird - this should have been done much earlier to give people the possibility of testing this business critical feature in their own organizations. The last thing people want is to find out that their backup was not successful (or even worse - it was successful but the server has been compromised) when they return to work after a nice Xmas break.
The only good thing is that, at this point in time, there seems to be no exploit for these vulnerabilities in the wild.
Dec 21st 2006