Security Advisory SYM09-017: Symantec Veritas VRTSweb may allow remote code execution or escalation of privileges. NetBackup VBR (Backup Reporter) and NOM (Operations Manager) may specifically be affected by this. Symantec Veritas NetBackup RealTime Protection includes the VRTSweb component, but is not affected in the default configuration.
Article: TECH71085 | Created: 2009-01-02 | Updated: 2010-01-12 | Article URL: http://www.symantec.com/docs/TECH71085
Problem
Security Advisory SYM09-017: Symantec Veritas VRTSweb may allow remote code execution or escalation of privileges. NetBackup VBR (Backup Reporter) and NOM (Operations Manager) may specifically be affected by this. Symantec Veritas NetBackup RealTime Protection includes the VRTSweb component, but is not affected in the default configuration.
Solution
Overview:
Symantec VRTSweb, a shared component shipped with many Symantec Veritas products, is susceptible to a remote code execution vulnerability. NetBackup is affected if NetBackup Operations Manager (NOM) or Veritas Backup Reporter (VBR) is used. Symantec Veritas NetBackup RealTime Protection includes the VRTSweb component, but is not affected in the default configuration.
Other Symantec products outside of the NetBackup Family are also affected. This alert is being issued in conjunction with a Security Advisory, which can be found in the Related Documents section below.
What is affected:
- NetBackup Operations Manager (NOM) versions 6.0 GA - 6.5.5, on all supported platforms.
- Veritas Backup Reporter (VBR) versions 6.0 GA - 6.6, on all supported platforms.
Additional Notes:
Symantec Veritas NetBackup RealTime Protection includes the VRTSweb component, but is not vulnerable by default as the affected port (14300) is blocked. If this port is opened, then the workaround below would need to be followed in order to mitigate this issue.
Mitigation / Workaround:
Symantec Security Response has released an IPS/IDS signature, Signature ID 23335 (TCP VRTSWeb Remote Code Exec), to detect and block attempts to exploit this issue. The signature is available through normal update channels.
VRTSweb listens on port 14300 (by default). Blocking all incoming requests on this port for the host in question will reduce the risk associated with this vulnerability until the recommended fix is applied. Note that localhost or 127.0.0.1 requests on 14300 must be allowed for VRTSweb to work. Therefore, only external (outside the machine/host) requests need to be blocked in order to mitigate this issue.
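The workaround above, as an added example that is not part of Symantec's advisory: a POSIX shell script for a Linux host with iptables (an assumption; the advisory does not name a firewall) that emits rules accepting TCP/14300 only from the loopback interface and 127.0.0.1 and dropping every other source, plus a check that classifies whether the VRTSweb listener is bound beyond loopback, run here over constructed `ss -ltn` sample lines. The function names and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Symantec advisory. Assumes a Linux host with
# iptables; function names and the sample `ss` output are constructed here.
VRTSWEB_PORT=14300   # VRTSweb default port named in the advisory

# Emit the host-firewall rules that implement the workaround: accept TCP/14300
# only from the loopback interface / 127.0.0.1, drop every other source.
# Order matters: the ACCEPT rules must precede the DROP rule.
vrtsweb_block_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport ${VRTSWEB_PORT} -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ${VRTSWEB_PORT} -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport ${VRTSWEB_PORT} -j DROP
EOF
}

# Apply the rules, or only print them when DRY_RUN=1 (the default, so the
# script is safe to run for inspection).
apply_vrtsweb_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        vrtsweb_block_rules
    else
        vrtsweb_block_rules | sh -e
    fi
}

# Classify how the VRTSweb listener is exposed, given text in `ss -ltn` format
# ($1). Prints "not-listening", "loopback-only" or "exposed". Run it before and
# after applying the rules: the firewall rules matter only while the service
# is bound to a non-loopback address.
vrtsweb_exposure() {
    printf '%s\n' "$1" | awk -v port="$VRTSWEB_PORT" '
        $1 == "LISTEN" {
            n = split($4, f, ":")           # local address:port is column 4
            if (f[n] == port) {
                found = 1
                # Anything other than 127.0.0.1 or [::1] is reachable from outside
                if (f[1] != "127.0.0.1" && $4 !~ /^\[::1\]:/) exposed = 1
            }
        }
        END {
            if (!found)       print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed samples in `ss -ltn` column order: State Recv-Q Send-Q Local Peer
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:14300 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*'
SAMPLE_LOOPBACK='LISTEN 0 128 127.0.0.1:14300 0.0.0.0:*
LISTEN 0 128 [::1]:14300 [::]:*'

# Stand-alone run: report exposure of the samples, then print the rules.
for s in "$SAMPLE_EXPOSED" "$SAMPLE_LOOPBACK"; do
    printf 'exposure: %s\n' "$(vrtsweb_exposure "$s")"
done
apply_vrtsweb_rules
```

To apply on a real host, pipe `ss -ltn` into `vrtsweb_exposure` and, if it reports "exposed", run `DRY_RUN=0 apply_vrtsweb_rules` as root; the loopback ACCEPT rules keep the local requests the advisory says VRTSweb needs.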
Formal Resolution:
Symantec has acknowledged that the above-mentioned issue (Etrack 1237778, 1708316) is present in the current version(s) of the product(s) mentioned at the end of this article.
The formal resolution to this issue is currently scheduled for the following releases:
- NetBackup Operations Manager (NOM) version 6.5.6. In addition, the VRTSweb component itself will not be utilized in the next major release of NetBackup.
- Veritas Backup Reporter (VBR) version 6.6.2. Also, Veritas Backup Reporter functionality will be available in the next major release and will not be vulnerable to this issue.
This issue will also be addressed in any forthcoming 6.0 maintenance packs. If you are using an affected 6.0 version and cannot upgrade (for any reason), please implement the workaround above.
If further information becomes available about this issue, this document will be updated accordingly. Subscribe to this document directly to be informed of any changes by clicking the following link: http://maillist.support.veritas.com/notification.asp?doc=326110
Best Practices:
Symantec strongly recommends the following best practices:
1. Always perform a full backup prior to and after any changes to your environment
2. Always make sure that your environment is running the latest version and patch level
3. Perform periodic "test" restores
4. Subscribe to technical articles / alerts
Article Subscription:
Subscribe to this TechNote for any updates that are made to this article, by clicking on the following link: http://maillist.support.veritas.com/notification.asp?doc=326110
Software Alerts:
If you have not received this from the Symantec Technical Support Email Notification Service, please click on the following link to subscribe to future notifications: http://maillist.entsupport.symantec.com/subscribe.asp
Legacy ID: 326110