Symantec Security Advisory SYM07-010 - Veritas Storage Foundation for Windows: Veritas Volume Replicator, Denial of Service in Veritas Administrative Service

Article:TECH51544  |  Created: 2007-01-29  |  Updated: 2008-01-28  |  Article URL http://www.symantec.com/docs/TECH51544
Article Type
Technical Solution

Issue



Symantec Security Advisory SYM07-010 - Veritas Storage Foundation for Windows: Veritas Volume Replicator, Denial of Service in Veritas Administrative Service

Solution



Revision History

None

Severity

Low

Overview:

A Denial of Service (DoS) vulnerability has been identified and resolved in the Symantec Veritas Volume Replicator (VVR) option, specifically in the administrative service. Symantec VVR ships as a licensable option with Symantec Storage Foundation Solutions Suites. If the VVR option is installed, a successful DoS attack could terminate the service; in some circumstances, the resulting resource exhaustion could lead to additional system degradation.

Affected Products and Versions:
  • Volume Manager 3.1 Hotfix 5 (VxVM+HF5)
  • Storage Foundation for Windows (SFW) 4.1
  • SFW 4.1 Rollup Patch (RP) 1
  • SFW 4.2
  • SFW 4.2 RP1
  • SFW 4.2 RP2
  • SFW 4.3
  • SFW 4.3 Maintenance Pack (MP) 1


To determine if the VVR option is installed on a system:

From a command prompt, run the command vxrvg.exe as a system or domain administrator.
If the command is not found, the VVR option is not installed and the system is not vulnerable.
If the command is found, the system is vulnerable.

The Issue:

The DoS is caused by failure to properly validate incoming data passed to the VVR service. A specially crafted packet passed to the vulnerable service could cause the VVR administrative service to terminate unexpectedly, after which the service requires a restart. This type of attack could also degrade application functions on the targeted system, or the system overall, because of excessive CPU consumption during memory allocation attempts before the VVR administrative service terminates.
This DoS, if successfully exploited, will most likely be the result of an internal attack by a malicious user on the network, since the affected service port should not normally be accessible externally to anyone other than authorized users. A successful attack by a non-authorized remote attacker would most likely require interactive user involvement, that is, enticing a user to run, or allow to be run, malicious code that could impact a vulnerable system.

Resolution:

Install the updated VRAS.DLL file for the correct product version and the correct operating system for Windows:
1. Copy the file VVR-DoS_288538.zip (Download Now link below) to a temporary location and then double-click the file to begin the extraction process.
2. Choose a location to extract the files and click Extract.
3. After all files have been extracted, click OK on the "All files have been extracted" notification prompt.
4. Review the Readme.txt file for specific installation instructions.

Note: Make sure to pick the correct operating system (32/64) and product version file for your server.

Directory structure of VVR-DoS_288538.zip:
    SFW 4.1\w2k\
    SFW 4.1\w2k3
    SFW 4.1 rp1\w2k
    SFW 4.1 rp1\w2k3
    SFW 4.2\w2k
    SFW 4.2\w2k3
    SFW 4.2 rp1\w2k
    SFW 4.2 rp1\w2k3
    SFW 4.2 rp2\w2k
    SFW 4.2 rp2\w2k3
    SFW 4.3\w2k
    SFW 4.3\w2k3
    SFW 4.3\w2k3-64
    SFW 4.3 mp1\w2k
    SFW 4.3 mp1\w2k3
    SFW 4.3 mp1\w2k3-64
    VM 3.1 Hotfix 5\w2k

Affected Binaries:
  • vras.dll - build 5.31.67.0 - VM 3.1+HF5
  • vras.dll - build 5.41.37.27 - SFW 4.1
  • vras.dll - build 5.41.41.0 - SFW 4.1 RP1
  • vras.dll - build 4.2.30.0 - SFW 4.2
  • vras.dll - build 4.2.100.104 - SFW 4.2 RP1
  • vras.dll - build 4.2.200.112 - SFW 4.2 RP2
  • vras.dll - build 4.3.0.219 - SFW 4.3
  • vras.dll - build 4.3.1000.350 - SFW 4.3 MP1

VxVM 3.1+HF5


Installation Procedure:
1. Stop the vxob service using the command net stop vxob. In case of a cluster, move the resource groups to another node of the cluster, prior to stopping the service
2. Back up the original vras.dll file from %systemdrive%\Program Files\VERITAS\ Volume Manager 3.1\
3. Copy the new vras.dll file to %systemdrive%\Program Files\VERITAS\ Volume Manager 3.1\
4. Start the vxob service using the command net start vxob
5. Repeat steps 1-4 on both primary and secondary hosts and on all nodes of the cluster

SFW 4.1 and SFW 4.1 RP1

Installation Procedure:
1. Stop the vxob service using the command net stop vxob. In case of a cluster, move the resource groups to another node of the cluster, prior to stopping the service
2. Back up the original vras.dll file from %systemdrive%\Program Files\VERITAS\VERITAS Volume Manager 4.1
3. Copy the new vras.dll file to %systemdrive%\Program Files\VERITAS\VERITAS Volume Manager 4.1\. If it is a Windows 2000 system, pick the new vras.dll file from the w2k folder; if it is Windows 2003, pick it from the w2k3 folder.
4. Start the vxob service using the command net start vxob
5. Repeat steps 1-4 on both primary and secondary hosts and on all nodes of the cluster

SFW 4.2, SFW 4.2 RP1, and SFW 4.2 RP2

Installation Procedure:
1. Stop the vxob service using the command net stop vxob. In case of a cluster, move the resource groups to another node of the cluster, prior to stopping the service
2. Back up the original vras.dll file from %systemdrive%\Program Files\VERITAS\VERITAS Volume Manager 4.2\
3. Copy the new vras.dll file to %systemdrive%\Program Files\VERITAS\VERITAS Volume Manager 4.2\. If it is a Windows 2000 system, pick the new vras.dll file from the w2k folder; if it is Windows 2003, pick it from the w2k3 folder.
4. Start the vxob service using the command net start vxob
5. Repeat steps 1-4 on both the primary and the secondary hosts and on all nodes of the cluster

SFW 4.3 and SFW 4.3 MP1

Installation Procedure:
1. Stop the vxob service using the command net stop vxob. In case of a cluster, move the resource groups to another node of the cluster, prior to stopping the service
2. Back up the original vras.dll file from %systemdrive%\Program Files\VERITAS\VERITAS Volume Manager 4.3\
3. For 32-bit systems, copy the new vras.dll file to %systemdrive%\Program Files\VERITAS\VERITAS Volume Manager 4.3\. If it is a Windows 2000 system, pick the new vras.dll file from the w2k folder; if it is Windows 2003, pick it from the w2k3 folder.
4. For 64-bit systems, copy the new vras.dll file to %systemdrive%\Program Files (x86)\VERITAS\VERITAS Volume Manager 4.3\. Pick the new vras.dll file from the W2K3-64 folder.
5. Start the vxob service using the command net start vxob
6. Repeat steps 1-5 on both primary and secondary hosts and on all nodes of the cluster
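
The per-host steps of the installation procedures above, scripted in PowerShell as an added example (not part of the advisory and not Symantec's code). The parameters $PatchRoot, $Product, $OsFolder and $InstallDir are assumptions of this example: the product and OS folder names come from the zip layout listed earlier, and $InstallDir is the directory the advisory names for the installed product version. PowerShell 2.0 or later on the host is also assumed.

```powershell
# Added example: one-host run of the advisory's vras.dll replacement steps.
# All four parameters are supplied by the operator (assumed names).
param(
    [Parameter(Mandatory=$true)][string]$PatchRoot,   # where VVR-DoS_288538.zip was extracted
    [Parameter(Mandatory=$true)]
    [ValidateSet('VM 3.1 Hotfix 5','SFW 4.1','SFW 4.1 rp1','SFW 4.2','SFW 4.2 rp1',
                 'SFW 4.2 rp2','SFW 4.3','SFW 4.3 mp1')][string]$Product,
    [Parameter(Mandatory=$true)][ValidateSet('w2k','w2k3','w2k3-64')][string]$OsFolder,
    [Parameter(Mandatory=$true)][string]$InstallDir   # directory given in the advisory for this version
)
$ErrorActionPreference = 'Stop'

# Advisory's installation check: no vxrvg.exe means the VVR option is absent.
if (-not (Get-Command vxrvg.exe -ErrorAction SilentlyContinue)) {
    Write-Output 'vxrvg.exe not found: VVR option not installed, nothing to patch.'
    return
}

# Resolve source and target; a product/OS pair that is not in the zip
# (for example w2k3-64 with SFW 4.1) fails here, before anything is changed.
$newDll = Join-Path (Join-Path (Join-Path $PatchRoot $Product) $OsFolder) 'vras.dll'
$curDll = Join-Path $InstallDir 'vras.dll'
foreach ($p in $newDll, $curDll) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}

$before = (Get-Item -LiteralPath $curDll).VersionInfo.FileVersion
$backup = "${curDll}.pre-SYM07-010.bak"
if (Test-Path -LiteralPath $backup) { throw "Backup already exists: $backup" }

# Cluster nodes: move resource groups to another node first (manual step).
# Without -Force, Stop-Service aborts here if dependent services are running.
Stop-Service -Name vxob
try {
    Copy-Item -LiteralPath $curDll -Destination $backup          # back up the original
    Copy-Item -LiteralPath $newDll -Destination $curDll -Force   # copy the new file in
}
finally {
    Start-Service -Name vxob                                     # restart even if a copy failed
}

$after = (Get-Item -LiteralPath $curDll).VersionInfo.FileVersion
Write-Output "vras.dll version: $before -> $after (backup: $backup)"
```

Run it once per host; the advisory's final step still applies, so repeat on both primary and secondary hosts and on every cluster node.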

Best Practices
As part of normal best practices, Symantec strongly recommends:
    · Restricting access to administration or management systems to privileged users.
    · Restricting remote access, if required, to trusted/authorized systems only.
    · Running under the principle of least privilege where possible to limit the impact of exploit by threats.
    · Keeping all operating systems and applications updated with the latest vendor patches.
    · Following a multi-layered approach to security. Run both firewall and anti-malware applications at a minimum to provide multiple points of detection and protection to both inbound and outbound threats.
    · Deploying network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.


CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2007-1593 to this issue. This issue is a candidate for inclusion in the CVE list (<http://cve.mitre.org>), which standardizes names for security problems.


Credit:
Symantec would like to thank iDefense for reporting these issues and for providing full coordination while Symantec resolved them.


Attachments

VVR-DoS_288538.zip (3.4 MBytes)

Supplemental Materials

Value: 4100

Source: ETrack
Value: 851561
Description: iDefense reported VVR security issue for VM 3.1+HF5

Source: ETrack
Value: 851563
Description: iDefense reported VVR security issue for SFW 4.1

Source: ETrack
Value: 851567
Description: iDefense reported VVR security issue for SFW 4.1 RP1

Source: ETrack
Value: 851576
Description: iDefense reported VVR security issue for SFW 4.2

Source: ETrack
Value: 851568
Description: iDefense reported VVR security issue for SFW 4.2 RP1

Source: ETrack
Value: 851578
Description: iDefense reported VVR security issue for SFW 4.2 RP2

Source: ETrack
Value: 851579
Description: iDefense reported VVR security issue for SFW 4.3

Source: ETrack
Value: 851582
Description: iDefense reported VVR security issue for SFW 4.3 MP1

Legacy ID



288538

