Symantec Security Advisory SYM09-002: A non-privileged but authorized system user could potentially leverage the NetBackup network daemon (vnetd) to attempt to gain elevated privileges on the server.

Details:

Symantec Security Advisory
SYM09-002

17 February 2009

Symantec NetBackup Communications Setup Elevation of Privilege

Revision History
None

Severity
High

Affected	Yes / No
Remote Access (adjacent network)	Yes
Local Access	No
Authentication Required	No
Exploit Available	No

Overview
A non-privileged but authorized system user could potentially leverage the Veritas network daemon (vnetd) to attempt to gain elevated privileges on the system.

Affected Products
The following products are affected on all platforms:

Symantec Veritas NetBackup Server / Enterprise Server 5.x
Symantec Veritas NetBackup Server / Enterprise Server 6.0 through 6.0 MP7
Symantec Veritas NetBackup Server / Enterprise Server 6.5 through 6.5.3

Note: NetBackup 5.x and versions prior to those listed above are NOT supported. Customers running legacy product versions should upgrade and apply available updates.

Details
During the normal process of an administrative login, the Symantec Veritas NetBackup server communicates with the client via the Veritas network daemon, vnetd. This communication process does not properly sanitize server-supplied data during initial communications setup. This could allow a non-privileged user with access to the target host's local network to insert arbitrary code of their choice on the system which could then potentially execute on the system with administrative privileges. Exploitation could possibly result in memory corruption and denial of service or, if successfully exploited, could potentially allow a malicious user to gain administrative privileges on the targeted host.

Symantec Response
Symantec engineers have verified that the vulnerability exists in the versions of Veritas NetBackup listed above. The following updates have been released to resolve the issue:

NetBackup 6.0 Maintenance Pack 7 Security Patch 1 (6.0 MP7 S01)
NetBackup 6.5 Release Update 3 Hotfix 1 (6.5.3.1)

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

The updates and additional information for affected products are linked below. They are also available at the Support Web site at:
http://www.symantec.com/enterprise/support/overview.jsp?pid=15143

Best Practices
As part of normal best practices, Symantec strongly recommends:

Restrict access to administration or management systems to privileged users.
Restrict remote access, if it is required, to trusted/authorized systems only.
Run under the principle of least privilege where possible to limit the impact of potential exploits.
Keep all operating systems and applications updated with the latest vendor patches.
Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities

Credit
Symantec would like to thank the National Australia Bank's Security Assurance team for identifying this issue and working closely with us during resolution.

References
SecurityFocus ( http://www.securityfocus.com ) has assigned BID 33772 to this issue.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2009-0651 to this issue. This issue is included in the CVE list ( http://cve.mitre.org ) which standardizes names for security problems.

Supplemental Material:

System: Ref.#	Description
ETrack: 1479578	VULN-48

Products Applied:
NetBackup Enterprise Server 5.0, 5.0 MP1, 5.0 MP2, 5.0 MP3, 5.0 MP4, 5.0 MP5, 5.0 MP6, 5.0 MP7, 5.1, 5.1 MP1, 5.1 MP2, 5.1 MP3, 5.1 MP4, 5.1 MP5, 5.1 MP6, 5.1 MP7, 6.0, 6.0 MP1, 6.0 MP2, 6.0 MP3, 6.0 MP4, 6.0 MP5, 6.0 MP6, 6.0 MP7, 6.5, 6.5.1, 6.5.2, 6.5.3
NetBackup Server 5.0, 5.0 MP1, 5.0 MP2, 5.0 MP3, 5.0 MP5, 5.0 MP6, 5.0 MP7, 5.1, 5.1 MP1, 5.1 MP2, 5.1 MP3, 5.1 MP4, 5.1 MP5, 5.1 MP6, 5.1 MP7, 6.0, 6.0 MP1, 6.0 MP2, 6.0 MP3, 6.0 MP4, 6.0 MP5, 6.0 MP6, 6.0 MP7, 6.5, 6.5.1, 6.5.2, 6.5.3

Last Updated: March 09 2009 03:35 PM GMT
Expires on: 01-21-2010

Subscribe to receive critical updates about this document

Subjects:
NetBackup Enterprise Server
   Publishing Status: Techalert
   Security: Outside Researcher
NetBackup Server
   Publishing Status: Techalert
   Security: Outside Researcher

Languages:
English (US)

Operating Systems:
NetWare

5.1, 6.0, 6.5

Windows 2000

Advanced Server SP4, Datacenter Server SP4, SAK, Server SP4

AIX

5.1, 5.2, 5.3, 6.1

TRU64

5.1B

HP-UX

11.0, 11.11, 11i v2 (IA64), 11i v2 (PA-RISC), 11iv3

OpenVMS (VAX)

5.5, 6.0, 6.2, 7.1, 7.2, 7.3

IRIX

6.5.23, 6.5.24, 6.5.25, 6.5.26, 6.5.27, 6.5.28

Solaris

10, 8.0, 9.0

Linux

Open Enterprise Server, RHEL (ES) 3.0 (zSeries), RHEL 3.0 (AS, ES, WS), RHEL 4.0, RHEL 5, Red Flag DC Server 4.1, Red Flag DC Server 5.0 SP1, RedHat Enterprise Server 2.1 (AS, ES, WS), SLES 10, SLES 8, SLES 9

OpenVMS (Alpha)

6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2

Windows XP

5.2

Windows Server 2003

DataCenter SP1, Enterprise ServerSP1, R2, Standard Server SP1, Web Server SP1

FreeBSD

5.3, 5.4, 6.0, 6.3, 7.0

VMWare ESX

3.0

Citrix MetaFrame

1.8, XPe

Mac OS X

10.3, 10.4, 10.5

Windows Vista

Business RC2, Enterprise RC2, Ultimate RC2

Windows Server 2008

DataCenter (x64-64bit), DataCenter (x86-32bit), Enterprise (x64-64bit), Enterprise (x86-32bit), Standard (x64-64bit), Standard (x86-32bit), Web Server (x64-64bit), Web Server (x86-32bit)

Symantec World Headquarters:
20330 Stevens Creek Blvd. Cupertino, CA 95014
World Wide Web: http://www.symantec.com,
Tech Support Web: http://entsupport.symantec.com,
E-Mail Support: http://seer.entsupport.symantec.com/email_forms,
FTP: ftp://ftp.entsupport.symantec.com or http://ftp.entsupport.symantec.com

THE INFORMATION PROVIDED IN THE SYMANTEC SOFTWARE KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. SYMANTEC SOFTWARE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SYMANTEC SOFTWARE OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,EVEN IF SYMANTEC SOFTWARE OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.