Symantec Advisory SYM05-024: Exploitation of a buffer overflow vulnerability in VERITAS NetBackup (tm) Enterprise Server/Server 5.0 and 5.1 could potentially lead to a remote Denial Of Service or remote code execution. (Updated January 17, 2006.)

Article:TECH44258  |  Created: 2006-01-17  |  Updated: 2006-01-17  |  Article URL http://www.symantec.com/docs/TECH44258
Article Type
Technical Solution

Issue



Symantec Advisory SYM05-024: Exploitation of a buffer overflow vulnerability in VERITAS NetBackup (tm) Enterprise Server/Server 5.0 and 5.1 could potentially lead to a remote Denial Of Service or remote code execution. (Updated January 17, 2006.)

Solution



Symantec Security Advisory

SYM05-024

November 8, 2005

VERITAS NetBackup 5.x:  Buffer Overflow in Shared Library used by Volume Manager Daemon

Revision History
1/16/2006 - Exploit code for this issue is publicly available; however, the signatures identified in the lower portion of this TechNote have been tested against this latest exploit code and do detect it.
1/17/2006 - The Formal Resolution of this document has been updated, as the "Formal" maintenance packs containing the fix for this issue have been released and are available.  The links to both the security packs and the formal maintenance packs are listed below, in the Related Documents section.

Severity
HIGH

 
Type  |  Affected
Remote Access  |  Yes
Local Access  |  No
Authentication Required  |  No
Exploit publicly available  |  Yes


Overview

A buffer overflow vulnerability exists in a shared library used by the VERITAS NetBackup volume manager daemon (vmd) running on VERITAS NetBackup 5.x servers and clients.  Successful exploitation of this overflow condition could possibly allow a malicious attacker to create a denial of service disrupting backup systems or potentially allow execution of arbitrary code with elevated privileges on a targeted system.

Affected Product(s)
 
Product  |  Version  |  Build  |  Platform  |  Solution
NetBackup Enterprise Server/Server/Client  |  5.0  |  All  |  All  |  NB_50_5S2_M
NetBackup Enterprise Server/Server/Client  |  5.1  |  All  |  All  |  NB_51_3AS2_M


Product(s) Not Affected
 
Product  |  Version  |  Build  |  Platform
NetBackup DataCenter and BusinesServer  |  4.5 MP, FP  |  All  |  All
NetBackup Enterprise Server/Server/Client  |  6.0  |  All  |  All


Details
iDefense Labs notified Symantec of a buffer overflow vulnerability in VERITAS NetBackup that could potentially allow a remote attacker to cause a denial of service or to execute arbitrary code.  The vulnerability was initially found in the NetBackup vmd daemon, but further analysis revealed that the problem occurs in a shared library used by vmd, so other daemons using that shared library may also be impacted.  The buffer overflow condition is due to improper bounds checking of user input.  If a remote attacker were able to gain access to the affected library through one of the daemons and successfully exploit this vulnerability, they could potentially disrupt backup capabilities or possibly execute arbitrary code with elevated privileges on the targeted system.

A list of iDefense Labs vulnerabilities can be found at:
 http://www.idefense.com/application/poi/display?type=vulnerabilities


Formal Resolution
This issue is formally resolved in the following NetBackup Enterprise Server/Server Security Packs:

Cumulative Security Pack NB_50_5S2, for NetBackup Enterprise Server/Server 5.0 Maintenance Pack 5 (MP5)
Security pack NB_50_5S2 is a cumulative security pack that includes prior security packs, such as NB_50_5S1320_M. Once NB_50_5S2 has been applied, do not apply any preceding security packs.  In order to apply Security Pack NB_50_5S2, NetBackup 5.0 Maintenance Pack 5 (MP5) must first be applied.

Cumulative Security Pack NB_51_3AS2, for NetBackup Enterprise Server/Server 5.1 Maintenance Pack 3A (MP3A)
Security pack NB_51_3AS2 is a cumulative security pack that includes prior security packs, such as NB_51_3AS0949_M. Once NB_51_3AS2 has been applied, do not apply any preceding security packs.  In order to apply Security Pack NB_51_3AS2, NetBackup 5.1 Maintenance Pack 3A (MP3A) must first be applied.

The cumulative security packs listed above for NetBackup 5.0 and 5.1 are available from the following location:    http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm

The following maintenance packs also contain the formal resolution for this issue:
  • NetBackup Enterprise Server/Server 5.0 Maintenance Pack 6 (MP6)
  • NetBackup Enterprise Server/Server 5.1 Maintenance Pack 4 (MP4)
The maintenance packs listed above can also be found at the following link:    http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm



Symantec Response
Symantec Engineers have verified this issue ONLY impacts NetBackup 5.x.  Symantec has made security updates available for the supported VERITAS NetBackup 5.x  products. Symantec strongly recommends all customers immediately apply the latest cumulative updates for their supported product versions to protect against these types of threats.

As mentioned previously, the cumulative security packs and the maintenance packs listed above for NetBackup 5.0 and 5.1 are available from the following location:
 http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm


NOTE:  In a recommended installation, VERITAS NetBackup should be restricted to trusted access only. The VERITAS NetBackup Server or clients should never be visible from outside the network; this greatly reduces opportunities for unauthorized remote access.


Symantec Security Response will release IPS/IDS signatures to detect and prevent attempts to exploit this issue.

Symantec ManHunt 3.0 signatures are available for update from the Symantec Security Response Update Center at:
 http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_MH.html

Symantec Network Security Appliance 7100 signatures are available for update from the Symantec Security Response Update Center at:
 http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SNS.html

Symantec Gateway Security 3.0 signatures are available for update from the Symantec Security Response Update Center at:
 http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SGS.html

Symantec Client Security 2.0 and 3.0 signatures are available for update via LiveUpdate and from the Security Response Update Center at:
 http://www.symantec.com/avcenter/security/Content/Product/Product_SCS.html

Customers using Symantec Client Security 2.0 and 3.0 should receive frequent signature updates if they run LiveUpdate regularly. If not, Symantec recommends customers manually run Symantec LiveUpdate to ensure they have the most current protection available.

As part of normal best practices, Symantec strongly recommends:
  • Restricting access to administration or management systems to privileged users.
  • Restricting remote access, if required, to trusted/authorized systems only.
  • Running under the principle of least privilege where possible to limit the impact of exploit by threats such as this.
  • Keeping all operating systems and applications updated with the latest vendor patches.
  • Following a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploying network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

Mitigating Security Vulnerabilities
In order to mitigate security vulnerabilities, Symantec strongly recommends reviewing your current security policy to ensure the following are included in the policy:

1.  Run NetBackup behind a firewall or other external boundary protection that controls traffic coming in and out of the network.  Also, block external access to the ports that NetBackup utilizes.  Default ports from a standard NetBackup installation are listed below.
 
Process  |  Default Port
visd  |  9284
vmd  |  13701
acsd  |  13702
tl8cd  |  13705
odld  |  13706
ts8d  |  13709
tldcd  |  13711
tl4d  |  13713
tsdd  |  13714
tshd  |  13715
tlmd  |  13716
tlhcd  |  13717
lmfcd  |  13718
rsmd  |  13719
bprd  |  13720
bpdbm  |  13721
bpjava-msvc  |  13722
bpjobd  |  13723
vnetd  |  13724
bpcd  |  13782
vopied  |  13783
nbdbd  |  13784

2.  Run under the principle of least privilege where possible to limit the impact of exploitation by threats such as this.
3.  If remote access is required, allow access to only those IP addresses requiring remote access.
4.  Deploy network intrusion detection systems to monitor network traffic for signs of malicious, anomalous, or suspicious activity.  This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.
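
One way to check a host against items 1 and 3 above, as an added example that is not part of the original advisory: it reads Linux `ss -tan` style output and flags NetBackup default ports that are bound off-loopback or connected to peers outside an allow-list. The function names, the sample output and the 10.0.0.0/24 trusted network are assumptions made for illustration.

```python
import ipaddress

# Process -> default port, copied from the advisory's table.
NETBACKUP_PORTS = {
    "visd": 9284, "vmd": 13701, "acsd": 13702, "tl8cd": 13705, "odld": 13706,
    "ts8d": 13709, "tldcd": 13711, "tl4d": 13713, "tsdd": 13714, "tshd": 13715,
    "tlmd": 13716, "tlhcd": 13717, "lmfcd": 13718, "rsmd": 13719, "bprd": 13720,
    "bpdbm": 13721, "bpjava-msvc": 13722, "bpjobd": 13723, "vnetd": 13724,
    "bpcd": 13782, "vopied": 13783, "nbdbd": 13784,
}
PORT_TO_PROCESS = {port: name for name, port in NETBACKUP_PORTS.items()}

# Constructed `ss -tan` style sample (not real host output).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:13701       0.0.0.0:*
LISTEN 0      128    127.0.0.1:13721     0.0.0.0:*
ESTAB  0      0      10.0.0.5:13782      10.0.0.9:51544
ESTAB  0      0      10.0.0.5:13724      203.0.113.7:40112
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port

def audit_sockets(ss_output, trusted_networks):
    """Flag NetBackup ports bound off-loopback or reached by untrusted peers."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("LISTEN", "ESTAB"):
            continue  # header line or a socket state this check ignores
        local_addr, local_port = split_endpoint(fields[3])
        peer_addr, _ = split_endpoint(fields[4])
        if not local_port.isdigit() or int(local_port) not in PORT_TO_PROCESS:
            continue  # not one of the advisory's NetBackup ports
        process = PORT_TO_PROCESS[int(local_port)]
        if fields[0] == "LISTEN":
            wildcard = local_addr in ("*", "0.0.0.0", "::")  # every interface
            if wildcard or not ipaddress.ip_address(local_addr).is_loopback:
                findings.append(("exposed-listener", process, local_addr))
        elif not any(ipaddress.ip_address(peer_addr) in net for net in trusted):
            findings.append(("untrusted-peer", process, peer_addr))
    return findings

if __name__ == "__main__":
    print(audit_sockets(SAMPLE_SS, ["10.0.0.0/24"]))
```

An "exposed-listener" finding only means the daemon is bound to a routable interface; whether it is reachable from outside still depends on the firewall rules in item 1.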

Symantec strongly recommends the following best practices:
1. Always perform a Full backup prior to and after any changes to your environment.
2. Always make sure that your environment is running the latest version and patch level.

If you have not received this TechNote from the Symantec Email Notification Service as a Software Alert, please subscribe at the following link:
 http://maillist.support.veritas.com/subscribe.asp

Please check this document periodically for any updates.

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CAN-2005-3116 (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=2005-3116) to this issue.
This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credit:
Symantec would like to thank iDefense Labs for reporting this issue and for providing coordination while Symantec resolved it.



Supplemental Materials

Source  |  Value  |  Description
ETrack  |  429810  |  Etrack (NetBackup) 429810
ETrack  |  376483  |  Etrack (NetBackup) 376483
ETrack  |  376808  |  Etrack (NetBackup) 376808
ETrack  |  494041  |  Etrack (NetBackup) 494041


Legacy ID
279553

