A critical issue has been identified in NetBackup PureDisk Remote Office Edition 6.2 through 6.5.1.2 where the product installs a version of VxAT (Symantec Product Authentication Services) that will expose passwords in the VRTSatlocal.conf file.

Article:TECH68403  |  Created: 2009-01-03  |  Updated: 2010-01-07  |  Article URL http://www.symantec.com/docs/TECH68403
Article Type
Technical Solution

Solution



Introduction:
NetBackup PureDisk versions 6.2 through 6.5.1.2 install a version of VxAT (Symantec Product Authentication Services) that writes authentication credentials to /var/VRTSat/.VRTSat/profile/VRTSatlocal.conf in plain text.
On affected PureDisk nodes, that file contains the account name and password of the root account of PDOS (PureDisk Operating System).


What is Affected:
The following versions of NetBackup PureDisk Remote Office Edition are affected by this issue:
- NetBackup PureDisk Remote Office Edition 6.2 through 6.2.2
- NetBackup PureDisk Remote Office Edition 6.5 through 6.5.1.2

Important: The defect is in VxAT itself and affects VxAT versions prior to 4.3.40, which are the versions of VxAT installed with the PureDisk versions above.  This issue is not known to affect NetBackup Server/Enterprise Server or NOM (NetBackup Operations Manager) at this time.

However, any Symantec or Veritas product that uses VxAT is potentially exposed to this issue; whether passwords are actually written to VRTSatlocal.conf depends on how the host application uses VxAT.


How to Determine if Affected:
If one of the affected PureDisk versions listed above is running on the Storage Pool Authority (SPA), the node is affected: the PDOS (PureDisk Operating System) root password of the SPA node will be present in VRTSatlocal.conf.

Additionally, if external LDAP (Lightweight Directory Access Protocol) authentication is configured in PureDisk to synchronize with Active Directory accounts, VRTSatlocal.conf will contain the account name and password of the PDOS root user AND of the external OpenLDAP or Active Directory service account specified for this function, if one is configured.  This information is available to any user who can read this file on the PureDisk Storage Pool Authority (SPA) node.


Workaround / Mitigation Procedures:
- Restrict node access to authorized, privileged users only.  Specifically, ensure that /var/VRTSat/.VRTSat/profile/VRTSatlocal.conf is readable only by root (no group or world read permission), since anyone who can read the file can recover the stored passwords.

- Identify the Active Directory account specified in the external LDAP configuration that synchronizes PureDisk with Active Directory.  If applicable, replace it with a dedicated account that has only the narrower permissions needed for the synchronization, so that a disclosed password grants as little access as possible.
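The two checks above (is the file readable by anyone other than root, and does it hold credential entries) and the lockdown can be done from a root shell on the SPA node. The script below is an added example and is not Symantec's code. It uses the file path given in this article, assumes GNU stat (as on a Linux-based PDOS node), and, because the article does not document the key names used inside VRTSatlocal.conf, flags credential lines by the heuristic of a line containing "passw". The demo function exercises the check and the lockdown against a constructed sample file, not the real one.

```shell
#!/bin/sh
# Added example (not from the Symantec article): check whether a VxAT local
# configuration file is readable by anyone other than its owner, count lines
# that look like stored credentials, and lock the file down.
# Assumptions: GNU stat (Linux/PDOS); the "passw" pattern is a heuristic,
# since the article does not document the key names used in the file.

# Path from the article; override with CONF=... to run against a copy.
CONF=${CONF:-/var/VRTSat/.VRTSat/profile/VRTSatlocal.conf}

# vrtsat_perms_ok FILE: exit 0 if neither group nor other has any permission
# bit set on FILE, 1 if they do, 2 if the file cannot be stat'ed.
vrtsat_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    go=${mode#${mode%??}}      # last two octal digits: group, other
    [ "$go" = "00" ]
}

# vrtsat_credential_lines FILE: print the number of lines containing "passw"
# (case-insensitive), i.e. likely stored-password entries. Prints 0 if the
# file is missing or unreadable.
vrtsat_credential_lines() {
    n=$(grep -ci 'passw' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# vrtsat_lockdown FILE: remove all group/other permissions, then re-check.
# Ownership is left as is; on the SPA the file should already be owned by root.
vrtsat_lockdown() {
    chmod 600 "$1" && vrtsat_perms_ok "$1"
}

# vrtsat_demo: run the check and lockdown against a CONSTRUCTED sample file in
# a temporary directory (not the real VRTSatlocal.conf, whose layout the
# article does not document). Exit 0 if the sample was group/world-readable
# before, contained one credential-looking line, and is owner-only afterwards.
vrtsat_demo() {
    d=$(mktemp -d) || return 1
    f="$d/VRTSatlocal.conf"
    printf 'User=root\nPassword=not-a-real-secret\n' > "$f"   # constructed sample
    chmod 644 "$f"                                           # typical insecure mode
    before=1; vrtsat_perms_ok "$f" && before=0
    found=$(vrtsat_credential_lines "$f")
    after=1;  vrtsat_lockdown "$f" && after=0
    rm -rf "$d"
    [ "$before" = 1 ] && [ "$found" = 1 ] && [ "$after" = 0 ]
}

# Usage on a real node (as root): check first, lock down only if needed.
#   vrtsat_perms_ok "$CONF" || vrtsat_lockdown "$CONF"
```

The mode check is deliberately stricter than "not world-readable": any group bit also fails it, because a group-readable credential file on a shared node is still a disclosure path. Run the lockdown as root so that ownership stays with root; chmod alone does not fix a file that has been chowned to another user.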


Resolution:
Symantec has acknowledged that the above-mentioned issue (Etracks 1516784, 1524064, 1530785) is present in the current version(s) of the product(s) listed above.  Symantec is committed to product quality and satisfied customers.  Symantec reserves the right to remove any fixes should they not pass quality assurance testing.

This issue is tentatively scheduled to be addressed in the following release(s):
- NetBackup PureDisk Remote Office Edition 6.2.3
- NetBackup PureDisk Remote Office Edition 6.6

If one of the above releases is not yet available or cannot be applied, please contact Symantec Technical Support to discuss engineering binaries and support-guided procedures that are available to address this issue.

Upon release, fixes will be available at the following link with download and readme information: http://www.symantec.com/enterprise/support/overview.jsp?pid=52672

If further information becomes available, this document will be updated accordingly.  Subscribe to this document directly to be informed of any changes by clicking the following link:    http://maillist.support.veritas.com/notification.asp?doc=320551

Symantec Strongly Recommends the Following Best Practices:
1. Always perform a Full backup prior to and after any changes to your environment.
2. Always make sure that your environment is running the latest version and patch level.


How to Subscribe to Software Alerts:
If you have not received this TechNote from the Symantec Email Notification Service as a Software Alert, please subscribe at the following link: http://maillist.entsupport.symantec.com/subscribe.asp




Supplemental Materials

Source   Value     Description
ETrack   1516784   (PureDisk) VRTSatlocal.conf contains password for Active Directory account in plain text.
ETrack   1524064   (PureDisk) VRTSatlocal.conf contains password for Active Directory account in plain text.
ETrack   1530785   (PureDisk) VRTSatlocal.conf contains password for Active Directory account in plain text.

Legacy ID: 320551