Document ID: 279085
http://support.veritas.com/docs/279085

A vulnerability has recently been discovered, which affects the bpjava-msvc logon process within VERITAS NetBackup (tm) 4.5, 5.0, 5.1, and 6.0 (including maintenance and feature packs). This vulnerability could potentially allow remote malicious users to execute arbitrary code.

Exact Error Message
Status Code: 505
Message: Can not connect to the NB-Java authentication service on (host) on the configured port - (port_number).


Details:
Symantec Advisory # SYM05-018

What is Affected:
This issue is known to affect the application server for the NetBackup Java GUI.  The following versions of NetBackup are known to be vulnerable: 4.5, 5.0, 5.1, and 6.0.

Note:  This includes all current maintenance and feature packs listed in the "Products Applied" section at the bottom of this TechNote.

TippingPoint, a division of 3Com, notified Symantec of a format string overflow vulnerability in the Java authentication service, bpjava-msvc, running on NetBackup servers and clients.  This vulnerability could potentially allow remote attackers to execute arbitrary code on a targeted system with elevated privileges.  The vulnerability is in the COMMAND_LOGON_TO_MSERVER command. The vulnerable daemon listens on port 13722 on both NetBackup servers and clients.  If a remote attacker were able to access the service and successfully exploit this vulnerability, they could potentially execute arbitrary code with the privileges of the bpjava-msvc daemon, normally root or SYSTEM on the targeted system.  

Currently, Symantec is aware that this exploit has been published by both the FrSIRT.com and digitalmunition.com Web sites for OSX, Windows, and Linux.

How to Determine if Affected:
Aside from the exceptions listed above in the "What is Affected" section, all versions of NetBackup listed at the bottom of this document are known to be affected.  

Dependencies:
The special packs detailed in the "Formal Resolution" of this TechNote are non-cumulative and it is imperative to carefully read the Formal Resolution section to ensure all the machines are properly patched.  All master, media, and client servers must be at the most current NetBackup pack level (for the versions running in your environment) before applying the special pack, in order to be fully protected.

Formal Resolution:
Symantec Engineers have verified this issue and made security updates available for the supported NetBackup products.

Symantec strongly recommends all customers immediately apply the latest updates for their supported product versions to protect against these types of threats.  For this vulnerability, a change has been made to avert a potential vulnerability in a Java authentication service that runs on NetBackup servers and clients.  This change prohibits remote attackers from executing arbitrary code on a targeted system.  In addition, Symantec recommends that users block the affected ports from external network access.

This issue is formally resolved with the following special packs:

NetBackup DataCenter and NetBackup BusinesServer 4.5 Feature Pack track:  NB_45_9S1443_F (Dependency: All NetBackup 4.5 Feature Pack master, media, and client server machines must be at NetBackup Feature Pack 9 to apply special pack NB_45_9S1443_F.)

NetBackup DataCenter and NetBackup BusinesServer 4.5 Maintenance Pack track:  NB_45_9S1729_M (Dependency: All UNIX NetBackup 4.5 Maintenance Pack master, media, and client server machines must be at NetBackup Maintenance Pack 9 to apply special pack NB_45_9S1729_M)

The special packs listed above for NetBackup DataCenter and NetBackup BusinesServer are available at the following link. Once a pack is applied, perform a full backup:    http://support.veritas.com/menu_ddProduct_NETBACKUPDC_view_DOWNLOAD.htm


NetBackup Enterprise Server and NetBackup Server 5.0:  NB_50_5S1320_M (Dependency: All NetBackup 5.0 master, media, and client server machines must be at NetBackup Maintenance Pack 5 to apply special pack NB_50_5S1320_M)

NetBackup Enterprise Server and NetBackup Server 5.1:  NB_51_3AS0949_M (Dependency: All NetBackup 5.1 master, media, and client server machines must be at NetBackup Maintenance Pack 3A to apply special pack NB_51_3AS0949_M)

NetBackup Enterprise Server and NetBackup Server 6.0:  NB_60_0S0007_M (No dependencies - apply the special pack NB_60_0S0007_M)

The special packs listed above for NetBackup Enterprise Server and NetBackup Server 5.0, 5.1, and 6.0 are available at the following link. Once a pack is applied, perform a full backup:    http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm


Workaround:

WARNING!
While the only way to fully mitigate this security vulnerability is to properly patch NetBackup, there is a workaround which, if implemented, might allow needed time in larger environments for change control and patching.

If the following workaround is used, it needs to be WELL DOCUMENTED internally to ensure all operators and administrators involved with the NetBackup systems are aware of why the workaround is in place.  This is to prevent any administrators from inadvertently reversing the changes, leaving the unpatched machine again exposed to attack.

How to disable Java:
Edit the services file (and the inetd.conf file on UNIX machines) and rename bpjava-msvc on all affected machines until change control is available and the machine can be patched.

For UNIX:
- Stop the inetd daemon.
- Comment out the bpjava-msvc line in the /etc/services file
    # bpjava-msvc     13722/tcp       bpjava-msvc
- Comment out the bpjava-msvc line in the /etc/inetd.conf file
    # bpjava-msvc     stream  tcp     nowait  root   /usr/openv/netbackup/bin/bpjava-msvc bpjava-msvc -transient
- Rename bpjava-msvc to bpjava-msvc.vulnerable or delete bpjava-msvc.
- Restart the inetd daemon.

For Windows:
- Stop the NetBackup services.
- Rename bpjava-msvc.exe to bpjava-msvc.exe.vulnerable or delete bpjava-msvc.exe.
- If the Remote Java Console was installed, uninstall it until such time as the machine can be patched.
- Comment out bpjava-msvc in the %SystemRoot%\system32\drivers\etc\services file
    # bpjava-msvc 13722/tcp
- Restart the NetBackup services.

For Linux distributions using xinetd:
- Stop the xinetd daemon (/etc/init.d/xinetd stop)
- Remove the /etc/xinetd.d/bpjava-msvc file, or edit the file and change the value of the 'disable' attribute to 'yes'. The modified file should be similar to:
# Service bpjava-msvc for NetBackup
service bpjava-msvc
{
       socket_type = stream
       protocol    = tcp
       wait        = no
       user        = root
       server      = /usr/openv/netbackup/bin/bpjava-msvc
       server_args = -transient
       disable     = yes
}
- Rename bpjava-msvc to bpjava-msvc.vulnerable or delete bpjava-msvc.
- Restart the xinetd daemon (/etc/init.d/xinetd restart)

PLEASE NOTE -- On Windows, UNIX, and Linux servers, after disabling Java and restarting the daemons/services, confirm there are no Java sessions running, and if there are, terminate them.  

After implementing the above workaround, attempts to execute NetBackup Java functions on a machine utilizing this workaround will result in the following error: "NetBackup Status Code: 505
Message: Can not connect to the NB-Java authentication service on (host) on the configured port - (port_number)."
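As an added verification aid (not part of the original TechNote), the following script reads the same files the workaround edits and reports whether bpjava-msvc is still enabled on a host. The function names are the author's own; the sample files it builds are constructed, not taken from a real system.

```sh
#!/bin/sh
# Added helper: confirm the bpjava-msvc workaround is in place by inspecting
# /etc/services, /etc/inetd.conf and /etc/xinetd.d/bpjava-msvc. Paths are passed in,
# so it can be pointed at the real files or at the constructed samples built below.

# Exit 0 (true) if the given file still exposes bpjava-msvc, 1 (false) if not.
bpjava_enabled_in() {
    f=$1
    [ -f "$f" ] || return 1   # file deleted outright: nothing left to expose
    case "$f" in
        */xinetd.d/*)
            # xinetd: service is live unless an uncommented "disable = yes" is set
            ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" ;;
        *)
            # /etc/services and inetd.conf: live if an uncommented bpjava-msvc line survives
            grep -Eq '^[[:space:]]*bpjava-msvc[[:space:]]' "$f" ;;
    esac
}

# Report every file given; return 0 only if none of them still enables the service.
check_bpjava_files() {
    rc=0
    for f in "$@"; do
        if bpjava_enabled_in "$f"; then
            echo "ENABLED  $f   <- workaround not applied"; rc=1
        else
            echo "disabled $f"
        fi
    done
    return $rc
}

# Constructed sample files (not from any real host) under directory $1.
make_samples() {
    d=$1; mkdir -p "$d/etc/xinetd.d"
    # services: workaround applied (line commented out, as the TechNote shows)
    printf '%s\n' 'ftp             21/tcp' \
        '# bpjava-msvc     13722/tcp       bpjava-msvc' > "$d/etc/services"
    # inetd.conf: workaround NOT applied, the line is still live
    printf '%s\n' 'bpjava-msvc stream tcp nowait root /usr/openv/netbackup/bin/bpjava-msvc bpjava-msvc -transient' \
        > "$d/etc/inetd.conf"
    # xinetd: workaround applied with "disable = yes"
    printf '%s\n' 'service bpjava-msvc' '{' '       server      = /usr/openv/netbackup/bin/bpjava-msvc' \
        '       disable     = yes' '}' > "$d/etc/xinetd.d/bpjava-msvc"
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
check_bpjava_files "$SAMPLE_DIR/etc/services" "$SAMPLE_DIR/etc/inetd.conf" \
    "$SAMPLE_DIR/etc/xinetd.d/bpjava-msvc" || echo "at least one file still enables bpjava-msvc"
```

On a real host, pass the actual /etc/services, /etc/inetd.conf and /etc/xinetd.d/bpjava-msvc paths; a deleted xinetd file is correctly reported as disabled.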

Alternative Management Utilities:
Best Practices:
As a part of security best practices, block/restrict external network access on port 13722/tcp.  Doing this prevents unauthorized, external attackers from accessing port 13722/tcp and attempting to exploit the vulnerability.  NOTE: Please be aware, blocking or restricting external access would not prevent internal exploit attempts.

In a recommended installation, access to NetBackup should be restricted to only trusted machines. The NetBackup server or clients should never be visible to the external network, which greatly reduces opportunities for unauthorized access.

Symantec Security Response has created IPS/IDS signatures to detect and prevent attempts to exploit this issue.

Symantec ManHunt 3.0 signatures are available for update from the Symantec Security Response Update Center at:
 http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_MH.html

Symantec Network Security Appliance 7100 signatures are available for update from the Symantec Security Response Update Center at:
 http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SNS.html

Symantec Gateway Security 2.0 signatures are available for update from the Symantec Security Response Update Center at:
 http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SGS.html

Symantec Client Security 2.0 and 3.0 signatures are available for update via LiveUpdate and from the Security Response Update Center at:
 http://www.symantec.com/avcenter/security/Content/Product/Product_SCS.html

Customers using Symantec Client Security 2.0 and 3.0 should have already uploaded this signature if they run LiveUpdate regularly. If not, Symantec recommends that customers manually run Symantec LiveUpdate to ensure they have the most current protection.

Mitigating Security Vulnerabilities:
In order to mitigate security vulnerabilities, Symantec strongly recommends reviewing your current security policy to ensure the following are included in the policy:

1.  Run NetBackup behind a firewall or some other external boundary protection that controls traffic coming into and going out of the network.
2.  Run NetBackup with least-privilege access.
3.  If remote access is required, allow access to only those IP addresses requiring remote access.
4.  Deploy network intrusion detection systems to monitor network traffic for signs of malicious, anomalous, or suspicious activity.  This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

Symantec strongly recommends the following best practices:
1. Always perform a full backup prior to and after any changes to your environment.
2. Always make sure that your environment is running the latest version and patch level.

If you have any questions or concerns about this issue, please don't hesitate to contact Symantec Enterprise Technical Support.

If you have not received this TechNote from the Symantec Email Notification Service as a Software Alert, please subscribe at the following link:

 http://maillist.support.veritas.com/subscribe.asp



Supplemental Material:

System      Ref.#    Description
Error Code  505      Can not connect to the NB-Java authentication service on (host) on the configured port - (port_number).
ETrack      423660   Bp-java vulnerability
ETrack      423661   Bp-java vulnerability


Products Applied:
 NetBackup BusinesServer 3.4, 3.4.1, 4.5, 4.5 (FP3), 4.5 (FP4), 4.5 (FP5), 4.5 (FP6), 4.5 (FP7), 4.5 (FP8), 4.5 (FP9), 4.5 (MP1), 4.5 (MP2), 4.5 (MP3), 4.5 (MP4), 4.5 (MP5), 4.5 (MP6), 4.5 (MP7), 4.5 (MP8), 4.5 (MP9)
 NetBackup DataCenter 3.4, 3.4.1, 4.5, 4.5 (FP3), 4.5 (FP4), 4.5 (FP5), 4.5 (FP6), 4.5 (FP7), 4.5 (FP8), 4.5 (FP9), 4.5 (MP1), 4.5 (MP2), 4.5 (MP3), 4.5 (MP4), 4.5 (MP5), 4.5 (MP6), 4.5 (MP7), 4.5 (MP8), 4.5 (MP9)
 NetBackup Enterprise Server 5.0, 5.0 MP1, 5.0 MP2, 5.0 MP3, 5.0 MP4, 5.0 MP5, 5.0 MP6 (Fixed), 5.1, 5.1 MP1, 5.1 MP2, 5.1 MP3, 5.1 MP4 (Fixed), 6.0, 6.0 MP1 (Fixed), 6.5 (Fixed)
 NetBackup Server 5.0, 5.0 MP1, 5.0 MP2, 5.0 MP3, 5.0 MP4, 5.0 MP5, 5.0 MP6 (Fixed), 5.1, 5.1 MP1, 5.1 MP2, 5.1 MP3, 5.1 MP4 (Fixed), 6.0, 6.0 MP1 (Fixed), 6.5 (Fixed)

Last Updated: October 31 2008 06:47 PM GMT
Expires on: 07-03-2009

Subjects:
 NetBackup BusinesServer
   Publishing Status: Techalert
NetBackup DataCenter
   Publishing Status: Techalert
NetBackup Enterprise Server
   Publishing Status: Techalert
NetBackup Server
   Publishing Status: Techalert

Languages:
 English (US)

Operating Systems:
 Windows 2000: Advanced Server, Datacenter Server, Server
 AIX: 4.x, 5.1, 6.0, 6.2, 6.3, 6.4, 6.5
 TRU64: 4.0D, 4.0F, 4.0G, 5.0, 5.0A, 5.1, 5.1A, 5.1B
 HP-UX: 11.0, 11.11, 11.22
 IRIX: 6.5.18, 6.5.19, 6.5.20, 6.5.21, 6.5.22, 6.5.23, 6.5.24, 6.5.25, 6.5.26
 Solaris: 10, 2.6, 7.0, 8.0, 9.0
 Linux: Debian GNU Linux 3.0, Debian GNU/Linux 2.2r4, RHAS 2.1, RHEL 3.0 (AS, ES, WS), RHEL 4.0, Red Flag DC Server 4.1, SLES 8, SLES 9
 Windows NT: 4.0 Server SP6a
 Windows Server 2003: DataCenter, Enterprise Server, Standard Server
 FreeBSD: 4.6, 4.7, 4.8, 4.9