Symantec Advisory SYM05-024: Exploitation of a buffer overflow vulnerability in VERITAS NetBackup (tm) Enterprise Server/Server 5.0 and 5.1 could potentially lead to a remote Denial Of Service or remote code execution. (Updated January 17, 2006.)
Article: TECH44258 | Created: 2006-01-17 | Updated: 2006-01-17 | Article URL: http://www.symantec.com/docs/TECH44258
Problem
Symantec Advisory SYM05-024: Exploitation of a buffer overflow vulnerability in VERITAS NetBackup (tm) Enterprise Server/Server 5.0 and 5.1 could potentially lead to a remote Denial Of Service or remote code execution. (Updated January 17, 2006.)
Solution
Symantec Security Advisory
SYM05-024
November 8, 2005
VERITAS NetBackup 5.x: Buffer Overflow in Shared Library used by Volume Manager Daemon
Revision History
1/16/2006 - Exploit code for this issue is publicly available; however, the signatures identified in the lower portion of this TechNote have been tested with this latest exploit code and the signatures do detect it.
1/17/2006 - The Formal Resolution of this document has been updated, as the "Formal" maintenance packs containing the fix for this issue have been released and are available. The links to both the security packs and the formal maintenance packs are listed below, in the Related Documents section.
Severity
HIGH
| Type | Affected |
|---|---|
| Remote Access | Yes |
| Local Access | No |
| Authentication Required | No |
| Exploit publicly available | Yes |
Overview
A buffer overflow vulnerability exists in a shared library used by the VERITAS NetBackup volume manager daemon (vmd) running on VERITAS NetBackup 5.x servers and clients. Successful exploitation of this overflow condition could possibly allow a malicious attacker to create a denial of service disrupting backup systems or potentially allow execution of arbitrary code with elevated privileges on a targeted system.
Affected Product(s)
| Product | Version | Build | Platform | Solution |
|---|---|---|---|---|
| NetBackup Enterprise Server/Server/Client | 5.0 | All | All | NB_50_5S2_M |
| NetBackup Enterprise Server/Server/Client | 5.1 | All | All | NB_51_3AS2_M |
Product(s) Not Affected
| Product | Version | Build | Platform |
|---|---|---|---|
| NetBackup DataCenter and BusinesServer | 4.5 MP, FP | All | All |
| NetBackup Enterprise Server/Server/Client | 6.0 | All | All |
Details
iDefense Labs notified Symantec of a buffer overflow vulnerability in VERITAS NetBackup that could potentially allow a remote attacker to cause a denial of service or to execute arbitrary code. The vulnerability was initially found in the NetBackup vmd daemon but further analysis revealed the problem occurs in a shared library used by vmd possibly impacting other daemons using that shared library also. The buffer overflow condition is due to improper bounds checking of user input. If a remote attacker were able to gain access to the affected library through one of the daemons and successfully exploit this vulnerability, they could potentially disrupt backup capabilities or possibly execute arbitrary code with elevated privileges on the targeted system.
A list of iDefense Labs vulnerabilities can be found at:
http://www.idefense.com/application/poi/display?type=vulnerabilities
Formal Resolution
This issue is formally resolved in the following NetBackup Enterprise Server/Server Security Packs:
Cumulative Security Pack NB_50_5S2, for NetBackup Enterprise Server/Server 5.0 Maintenance Pack 5 (MP5)
Security pack NB_50_5S2 is a cumulative security pack that includes prior security packs, such as NB_50_5S1320_M. After applying NB_50_5S2, do not apply any preceding security packs. In order to apply Security Pack NB_50_5S2, NetBackup 5.0 Maintenance Pack 5 (MP5) must first be applied.
Cumulative Security Pack NB_51_3AS2, for NetBackup Enterprise Server/Server 5.1 Maintenance Pack 3A (MP3A)
Security pack NB_51_3AS2 is a cumulative security pack that includes prior security packs, such as NB_51_3AS0949_M. After applying NB_51_3AS2, do not apply any preceding security packs. In order to apply Security Pack NB_51_3AS2, NetBackup 5.1 Maintenance Pack 3A (MP3A) must first be applied.
The cumulative security packs listed above for NetBackup 5.0 and 5.1 are available from the following location: http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm
The following maintenance packs also contain the formal resolution for this issue:
- NetBackup Enterprise Server/Server 5.0 Maintenance Pack 6 (MP6)
- NetBackup Enterprise Server/Server 5.1 Maintenance Pack 4 (MP4)
The maintenance packs listed above can also be found at the following link: http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm
Symantec Response
Symantec Engineers have verified this issue ONLY impacts NetBackup 5.x. Symantec has made security updates available for the supported VERITAS NetBackup 5.x products. Symantec strongly recommends all customers immediately apply the latest cumulative updates for their supported product versions to protect against these types of threats.
As mentioned previously, the cumulative security packs and the maintenance packs listed above for NetBackup 5.0 and 5.1 are available from the following location:
http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm
NOTE: In a recommended installation, VERITAS NetBackup should be restricted to trusted access only. The VERITAS NetBackup Server or clients should never be visible outside the network, which greatly reduces opportunities for unauthorized remote access.
Symantec Security Response will release IPS/IDS signatures to detect and prevent attempts to exploit this issue.
Symantec ManHunt 3.0 signatures are available for update from the Symantec Security Response Update Center at:
http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_MH.html
Symantec Network Security Appliance 7100 signatures are available for update from the Symantec Security Response Update Center at:
http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SNS.html
Symantec Gateway Security 3.0 signatures are available for update from the Symantec Security Response Update Center at:
http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SGS.html
Symantec Client Security 2.0 and 3.0 signatures are available for update via LiveUpdate and from the Security Response Update Center at:
http://www.symantec.com/avcenter/security/Content/Product/Product_SCS.html
Customers using Symantec Client Security 2.0 and 3.0 should receive frequent signature updates if they run LiveUpdate regularly. If not, Symantec recommends customers manually run Symantec LiveUpdate to ensure they have the most current protection available.
As part of normal best practices, Symantec strongly recommends:
- Restricting access to administration or management systems to privileged users.
- Restricting remote access, if required, to trusted/authorized systems only.
- Running under the principle of least privilege where possible to limit the impact of exploit by threats such as this.
- Keeping all operating systems and applications updated with the latest vendor patches.
- Following a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploying network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.
Mitigating Security Vulnerabilities
In order to mitigate security vulnerabilities, Symantec strongly recommends reviewing your current security policy to ensure the following are included in the policy:
1. Run NetBackup behind a firewall or other external boundary protection that controls traffic coming in and out of the network. Also, block external access to the ports that NetBackup utilizes. Default ports from a standard NetBackup installation are listed below.
| Process | Default Port |
|---|---|
| visd | 9284 |
| vmd | 13701 |
| acsd | 13702 |
| tl8cd | 13705 |
| odld | 13706 |
| ts8d | 13709 |
| tldcd | 13711 |
| tl4d | 13713 |
| tsdd | 13714 |
| tshd | 13715 |
| tlmd | 13716 |
| tlhcd | 13717 |
| lmfcd | 13718 |
| rsmd | 13719 |
| bprd | 13720 |
| bpdbm | 13721 |
| bpjava-msvc | 13722 |
| bpjobd | 13723 |
| vnetd | 13724 |
| bpcd | 13782 |
| vopied | 13783 |
| nbdbd | 13784 |
2. Run under the principle of least privilege where possible to limit the impact of exploitation by threats such as this.
3. If remote access is required, allow access to only those IP addresses requiring remote access.
4. Deploy network intrusion detection systems to monitor network traffic for signs of malicious, anomalous, or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.
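The firewall guidance in items 1 and 3, as an added example that is not part of the Symantec advisory: a shell script that prints iptables rules limiting the listed default ports to trusted sources. The source addresses are constructed placeholders, and a Linux host using iptables, with both TCP and UDP covered, is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): print iptables rules that restrict the
# NetBackup default ports listed above to trusted sources. Nothing is applied;
# review the output before loading it on the host or boundary firewall.

# Default ports copied from the advisory's table.
NBU_PORTS="9284 13701 13702 13705 13706 13709 13711 13713 13714 13715 13716
13717 13718 13719 13720 13721 13722 13723 13724 13782 13783 13784"

# Collapse a port list into iptables multiport syntax (a:b ranges). multiport
# accepts at most 15 port slots per rule and the table has 22 ports, so
# consecutive ports are merged into ranges to fit them into one rule.
compress_ports() {
    printf '%s\n' $1 | sort -n | awk '
        NR == 1        { start = prev = $1; next }
        $1 == prev + 1 { prev = $1; next }
                       { out = out sep (start == prev ? start : start ":" prev)
                         sep = ","; start = prev = $1 }
        END            { print out sep (start == prev ? start : start ":" prev) }'
}

# Count multiport slots used: a range costs two slots, a single port one.
slot_count() {
    echo "$1" | awk -F, '{ n = NF; for (i = 1; i <= NF; i++) if ($i ~ /:/) n++; print n }'
}

# Emit one ACCEPT rule per trusted source, then a final DROP, for TCP and UDP
# (the advisory does not name the protocol, so both are covered here).
nbu_rules() {
    ports=$(compress_ports "$NBU_PORTS")
    [ "$(slot_count "$ports")" -le 15 ] || { echo "too many port slots" >&2; return 1; }
    for proto in tcp udp; do
        for src in "$@"; do
            echo "iptables -A INPUT -p $proto -s $src -m multiport --dports $ports -j ACCEPT"
        done
        echo "iptables -A INPUT -p $proto -m multiport --dports $ports -j DROP"
    done
}

# Constructed sample: a media-server subnet and one admin workstation.
nbu_rules 10.20.0.0/24 192.0.2.15
```

Because `-A` appends to the chain, any broader ACCEPT rule already present earlier in INPUT still takes precedence; check the resulting rule order after loading.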
Symantec strongly recommends the following best practices:
1. Always perform a Full backup prior to and after any changes to your environment.
2. Always make sure that your environment is running the latest version and patch level.
If you have not received this TechNote from the Symantec Email Notification Service as a Software Alert, please subscribe at the following link:
http://maillist.support.veritas.com/subscribe.asp
Please check this document periodically for any updates.
CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CAN-2005-3116 ( http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=2005-3116 ) to this issue.
This issue is a candidate for inclusion in the CVE list ( http://cve.mitre.org ), which standardizes names for security problems.
Credit:
Symantec would like to thank iDefense Labs for reporting this issue and for providing coordination while Symantec resolved it.
| Source | Value | Description |
|---|---|---|
| ETrack | 429810 | Etrack (NetBackup) 429810 |
| ETrack | 376483 | Etrack (NetBackup) 376483 |
| ETrack | 376808 | Etrack (NetBackup) 376808 |
| ETrack | 494041 | Etrack (NetBackup) 494041 |
Legacy ID
279553