Symantec Advisory SYM08-016: A non-privileged but authorized user could potentially leverage the NetBackup Java console to execute code with elevated privileges on the server.
Details:
Overview:
A non-privileged but authorized user could potentially leverage the Symantec Veritas NetBackup Java Administration Graphical User Interface (GUI) to execute code with elevated privileges on the server.
Affected Products:
The following versions of NetBackup Server and Enterprise Server are affected on all platforms:
- NetBackup 5.0 (GA and all maintenance packs)
- NetBackup 5.1 (GA through MP6)
- NetBackup 6.0 (GA through MP6)
- NetBackup 6.5
- NetBackup 6.5.1
Details:
The Java Administration GUI (jnbSA) in the affected versions of Veritas NetBackup could allow an authorized but non-privileged user to run commands that would normally require higher privileges to execute. An attacker would need a valid account on the system and an authenticated session in the GUI in order to attempt to exploit this vulnerability; it is a local privilege escalation, not an unauthenticated remote attack.
Symantec Response:
Symantec engineers have verified that the vulnerability exists in the versions of Veritas NetBackup listed above. Updates have been released to resolve the issue. Symantec is not aware of any customers impacted by this issue, nor of any attempts to exploit the issue.
Resolution:
The formal resolution to this issue is included in the following patch releases:
- NetBackup 5.1 Maintenance Pack 7 (MP7)
- NetBackup 6.0 Maintenance Pack 7 (MP7)
- NetBackup 6.5 Release Update 2 (6.5.2)
The following general practices also limit exposure to this and similar issues:
- Restrict access to administration or management systems to privileged users.
- Restrict remote access, if it is required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the impact of potential exploits.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection against both inbound and outbound threats.
- Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.
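Because the fixed level differs per release line (maintenance packs for 5.1 and 6.0, a release update for 6.5, and no patch at all for 5.0), a fleet-wide check is easy to get wrong by hand. The script below is an added example, not Symantec's code or part of this advisory: it parses version strings in the form the advisory uses ("5.1 MP7", "6.0 GA", "6.5.2") and classifies each host against the Resolution list. The hostnames, the version strings and the assumption that the installed version is already available as such a string are all constructed for illustration.

```python
import re

# Fixed levels per release line, taken from the advisory's Resolution list.
# None means the advisory lists no patch for that line: 5.0 GA and all of its
# maintenance packs are affected and no fixed 5.0 build appears in
# "Products Applied".
FIXED = {
    (5, 0): None,
    (5, 1): (7, "5.1 Maintenance Pack 7 (MP7)"),
    (6, 0): (7, "6.0 Maintenance Pack 7 (MP7)"),
    (6, 5): (2, "6.5 Release Update 2 (6.5.2)"),
}

# Accepts "5.1 MP7", "6.0 GA", "6.5", "6.5.2". This string format is an
# assumption for the example; it mirrors how the advisory names the builds.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*(?:GA|MP\s*(\d+)))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, level).

    'level' is the maintenance pack number on the 5.x/6.0 lines and the third
    dotted component (release update) on 6.5.x; GA is level 0. A string that
    carries both forms ("6.5.1 MP2") is rejected as ambiguous.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised NetBackup version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    update = int(m.group(3)) if m.group(3) else 0
    mp = int(m.group(4)) if m.group(4) else 0
    if update and mp:
        raise ValueError(f"ambiguous version string: {text!r}")
    return (major, minor, update or mp)


def assess(text):
    """Classify one installed version against SYM08-016.

    Returns "fixed", "vulnerable", "vulnerable-no-patch", or "not-listed" for
    release lines the advisory does not mention (those are out of scope here,
    not asserted safe).
    """
    major, minor, level = parse_version(text)
    fix = FIXED.get((major, minor), "absent")
    if fix == "absent":
        return "not-listed"
    if fix is None:
        return "vulnerable-no-patch"
    return "fixed" if level >= fix[0] else "vulnerable"


def remediation(text):
    """Name the patch release the advisory gives for this version's line."""
    major, minor, _ = parse_version(text)
    fix = FIXED.get((major, minor))
    if fix is None:
        return "no patch listed in SYM08-016; move to a release line with a fix"
    return "apply NetBackup " + fix[1]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "nbu-master-01": "6.5.1",
    "nbu-master-02": "6.0 MP7",
    "nbu-legacy-01": "5.0 MP7",
    "nbu-media-03": "5.1 MP6",
}


def audit(inventory):
    """Return (host, version, status, action) for every host still exposed."""
    findings = []
    for host, version in sorted(inventory.items()):
        status = assess(version)
        if status.startswith("vulnerable"):
            findings.append((host, version, status, remediation(version)))
    return findings


if __name__ == "__main__":
    for host, version, status, action in audit(SAMPLE_INVENTORY):
        print(f"{host:15} {version:10} {status:22} {action}")
```

Note the three distinct outcomes: a 6.5.1 host is vulnerable but has a direct fix (6.5.2), a 5.1 MP6 host needs MP7, and a 5.0 host has no patch in this advisory at all, so "patched to the latest maintenance pack" is not a sufficient criterion on that line.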
Credit: Symantec would like to thank Kyle Noonan of Sun Microsystems for reporting this issue and coordinating with us on the response.
Reference: SecurityFocus (http://www.securityfocus.com) has assigned BID 31221 to this issue.
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. A CVE Candidate name has been requested from the CVE initiative for this issue. This advisory will be revised accordingly upon receipt of the CVE Candidate name.
Products Applied:
NetBackup Enterprise Server 5.0, 5.0 MP1, 5.0 MP2, 5.0 MP3, 5.0 MP4, 5.0 MP5, 5.0 MP6, 5.0 MP7, 5.1, 5.1 MP1, 5.1 MP2, 5.1 MP3, 5.1 MP4, 5.1 MP5, 5.1 MP6, 5.1 MP7 (Fixed), 6.0, 6.0 MP1, 6.0 MP2, 6.0 MP3, 6.0 MP4, 6.0 MP5, 6.0 MP6, 6.0 MP7 (Fixed), 6.5, 6.5.1, 6.5.2 (Fixed)
NetBackup Server 5.0, 5.0 MP1, 5.0 MP2, 5.0 MP3, 5.0 MP4, 5.0 MP5, 5.0 MP6, 5.0 MP7, 5.1, 5.1 MP1, 5.1 MP2, 5.1 MP3, 5.1 MP4, 5.1 MP5, 5.1 MP6, 5.1 MP7 (Fixed), 6.0, 6.0 MP1, 6.0 MP2, 6.0 MP3, 6.0 MP4, 6.0 MP5, 6.0 MP6, 6.0 MP7 (Fixed), 6.5, 6.5.1, 6.5.2 (Fixed)
Subjects:
NetBackup Enterprise Server
Publishing Status: Techalert
Security: Customer, Outside Researcher
NetBackup Server
Security: Customer, Outside Researcher, Symantec Employee
Languages:
English (US)
Operating Systems:
- NetWare 6.0 SP2, 6.0 SP3, 6.5, 6.5 SP2
- Windows 2000 Datacenter Server SP4, SAK, Server SP4
- AIX 5.1, 5.2, 5.3
- Tru64 5.1B
- HP-UX 11.0, 11.11, 11i v2 (IA64), 11i v2 (PA-RISC)
- Solaris 8.0, 9.0, 10
- Linux RHAS 2.1, RHEL 3.0 (AS), RHEL 3.0 (ES), RHEL 4.0, Red Flag AS 4.1, Red Flag DC Server 4.1, SLES 8, SLES 9, SLES 9 (IA64)
- Windows Server 2003 DataCenter SP1, DataCenter SP1 (IA64), Enterprise (IA64), Enterprise Server SP1, R2, Standard Server SP1, Standard Server (x64), Storage Server, Web Server SP1