Symantec Security Advisory SYMC06-015: Symantec's Veritas NetBackup (tm) 6.0 PureDisk Remote Office Edition: Non-Privileged User Authentication Bypass Elevation of Privilege

Article:TECH48800  |  Created: 2006-01-14  |  Updated: 2007-01-17  |  Article URL http://www.symantec.com/docs/TECH48800
Article Type: Technical Solution


Symantec Security Advisory

SYM06-015

16 August 2006

Symantec's Veritas NetBackup (tm) PureDisk Remote Office Edition:  Non-Privileged User Authentication Bypass Elevation of Privilege

Revision History
None

Severity
Medium (highly dependent on network configuration)

Type of Exploit               Vulnerable
Remote Access                 Yes
Local Access                  No
Authentication Required       Yes (to network)
Exploit publicly available    No


Overview
Symantec discovered a security issue in Symantec's Veritas NetBackup 6.0 PureDisk Remote Office Edition. An unauthorized user with access to the network and the server hosting the management interface can potentially bypass the management interface authentication to gain access and elevate their privileges on the system.

Supported Product(s) Affected
Product                                                      Version   Builds    Solution
Symantec Veritas NetBackup PureDisk Remote Office Edition    6.0       GA, MP1   NB_PDE_60_MP1_P01


NOTE: For systems running NetBackup 6.0 GA PureDisk Remote Office Edition, it is necessary to install Maintenance Pack 1 (NB_PDE_60_MP1_283808) before applying this Security Pack (NB_PDE_60_MP1_P01_284636), which can be found below in the "Related Documents" section. This issue ONLY affects the product versions and builds listed above (6.0 and 6.0 MP1).

Details
An internal review revealed a potential elevation of privilege issue in the Symantec Veritas NetBackup PureDisk management interface. By default the management interface is accessible only through a Secure Sockets Layer (SSL) Web connection. However, it is possible for a non-privileged user with access to the network and the server hosting the Symantec Veritas NetBackup PureDisk management interface to bypass the management interface authentication and then leverage that access to obtain privileged access on the server.

Symantec Response
Symantec engineers have addressed the issue identified above and made a security update available. Symantec strongly recommends that all customers apply the latest security update to protect against threats of this nature. Symantec knows of no exploitation of, or adverse customer impact from, this issue.

The Security Pack listed above, NB_PDE_60_MP1_P01, for affected Symantec Veritas NetBackup PureDisk Remote Office Edition releases, is available in the "Related Documents" section below, or from the Support Web site at: http://support.veritas.com/menu_ddProduct_NBUPDROE_view_DOWNLOAD.htm

Best Practices
As part of normal best practices, Symantec recommends:
  • Restrict access to administration or management systems to authorized privileged users only
  • Block remote access to all ports not essential for efficient operation
  • Restrict remote access, if required, to trusted/authorized systems only
  • Remove/disable unnecessary accounts or restrict access according to security policy as required
  • Run under the principle of least privilege where possible
  • Keep all operating systems and applications updated with the latest vendor patches
  • Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats
  • Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latest vulnerabilities
CVE
A CVE candidate number will be requested from the Common Vulnerabilities and Exposures (CVE) initiative, and this advisory will be revised accordingly upon receipt of the CVE candidate name. This issue is a candidate for inclusion in the CVE list, which standardizes names for security problems: http://cve.mitre.org/





Legacy ID: 284734

