Symantec Security Advisory SYMC06-023: Symantec's Veritas NetBackup (tm) 6.0 PureDisk Remote Office Edition: PHP update to Address Reported Security Vulnerability
Details:
Symantec Security Advisory SYM06-023
27 November 2006
Symantec's Veritas NetBackup (tm) 6.0 PureDisk Remote Office Edition: PHP update to Address Reported Security Vulnerability
Reference: http://www.securityfocus.com/bid/20879/
Revision History: None
Severity: High (configuration dependent)
| Type of Exploit | Vulnerable |
|---|---|
| Remote Access | Yes |
| Local Access | No |
| Authentication Required | Yes (to network) |
| Exploit publicly available | No |
Overview
Symantec has released an update to address a security concern in PHP, a commonly used HTML-embedded scripting language, for Symantec's Veritas NetBackup 6.0 PureDisk Remote Office Edition. A heap overflow has been reported in the version of PHP shipped with the affected product builds listed below. The management interface of Symantec's product is accessible only through an SSL connection by default. Depending on configuration, however, an unauthorized user could potentially attempt to execute arbitrary code in the context of the vulnerable server, which runs in non-privileged mode by default.
Affected Product/Version
| Product | Version | Build | Solution(s) |
|---|---|---|---|
| Symantec Veritas NetBackup PureDisk Remote Office Edition (all platforms) | 6.0 | GA, MP1 | NB_PDE_60_MP1_S01 |
Not Affected
| Product | Version |
|---|---|
| Symantec Veritas NetBackup PureDisk Remote Office Edition (all platforms) | 6.1 |
Symantec Response
Symantec engineers have addressed the reported issue and provided security updates. Symantec strongly recommends all customers apply the latest security update identified above or upgrade to Symantec Veritas NetBackup PureDisk Remote Office Edition 6.1 to protect against threats of this nature.
Symantec knows of no exploitation of or adverse customer impact from this issue.
The Maintenance Pack listed above, NB_PDE_60_MP1_S01, requires that NetBackup PureDisk 6.0 Maintenance Pack 1 (MP1) and MP1 Patch 1 (MP1_P01) already be applied on the system. For NetBackup PureDisk 6.0 GA servers it will be necessary to install both MP1 and MP1_P01 prior to applying this security pack. Symantec's Veritas NetBackup PureDisk Remote Office Edition (NB_PDE_60_MP1_S01) is available below, in the "Related Documents" section.
Best Practices
As part of normal best practices, Symantec recommends:
- Restrict access to administration or management systems to authorized privileged users only
- Block remote access to all ports not essential for efficient operation
- Restrict remote access, if required, to trusted/authorized systems only
- Remove/disable unnecessary accounts or restrict access according to security policy as required
- Run under the principle of least privilege where possible
- Keep all operating systems and applications updated with the latest vendor patches
- Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats
- Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latest vulnerabilities
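The best practices above (restrict management access to trusted systems, monitor for anomalous activity) can be checked against the management interface's own web access log. The following Python script is an added example, not part of this advisory and not Symantec's tooling: it parses constructed Apache combined-format access log lines (the advisory does not state the product's actual log format, so that format and the trusted network range are assumptions), reports every request to the PHP-based management interface from a source outside the trusted network, and counts HTTP 5xx responses per untrusted source, since a server error on a PHP page from an unexpected host is the kind of event worth investigating while the security pack is being rolled out.

```python
import ipaddress
import re

# Constructed sample access-log lines (Apache combined format is an assumption;
# the advisory does not document the management interface's log format).
SAMPLE_LOG = """\
10.0.5.17 - admin [27/Nov/2006:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.5.17 - admin [27/Nov/2006:09:12:07 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.42 - - [27/Nov/2006:09:13:44 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "curl/7.15"
203.0.113.42 - - [27/Nov/2006:09:13:45 +0000] "POST /index.php HTTP/1.1" 500 0 "-" "curl/7.15"
198.51.100.9 - - [27/Nov/2006:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Assumed administrative network: only these sources should reach the
# management interface per the "trusted/authorized systems only" practice.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# Matches the leading fields of a combined-format line; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True if the source address falls inside an allowed admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_access(log_text):
    """Return every parsed request whose source is outside TRUSTED_NETWORKS."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and not is_trusted(rec["ip"]):
            findings.append(rec)
    return findings


def summarize(findings):
    """Per untrusted source IP: total requests and how many returned 5xx."""
    per_ip = {}
    for rec in findings:
        entry = per_ip.setdefault(rec["ip"], {"requests": 0, "server_errors": 0})
        entry["requests"] += 1
        if rec["status"] >= 500:
            entry["server_errors"] += 1
    return per_ip


if __name__ == "__main__":
    for ip, stats in summarize(find_untrusted_access(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['requests']} request(s), "
              f"{stats['server_errors']} server error(s) from outside trusted networks")
```

Run against a real log, the output is a short list of external sources that reached the management interface at all, which should be empty once the firewall restrictions in the list above are in place; any entry with a non-zero server error count deserves a closer look at the full request and the PHP error log.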
CVE
CVE-2006-5465 has been assigned to this issue.
This issue is a candidate for inclusion in the CVE list, which standardizes names for security problems.
http://cve.mitre.org
How to Subscribe to Software Alerts
If you have not received this as a Software Alert from the Symantec Email Notification Service, please visit the following link to subscribe:
http://maillist.entsupport.symantec.com/subscribe.asp
To receive notifications of critical technical issues, like this one, select "Software Alerts" for each product running in your environment. To receive monthly updates on new or republished TechNotes, select "Digest" updates.
Products Applied: NetBackup PureDisk 6.0, 6.0 MP1
Subjects: NetBackup PureDisk
Publishing Status: Techalert
Languages: English (US)
Operating Systems: Linux, PDOS 6.0
THE INFORMATION PROVIDED IN THE SYMANTEC SOFTWARE KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. SYMANTEC SOFTWARE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SYMANTEC SOFTWARE OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,EVEN IF SYMANTEC SOFTWARE OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.