This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects attempt to exploit a remote code execution vulnerability in VRTSWeb by sending specially crafted requests.
VRTSweb is a wrapper over apache tomcat, and is used by products that have a web-interface. VRTSweb listens on port 14300 for administrative connections. This port is configurable by the product, but defaults to 14300. We have seen 14444 also being used instead.
A maliciously crafted xml request on this port can cause arbitrary code execution from a location of attackers choice (over SMB mounts in Windows, and NFS mounts in Unix). If remote code execution is not possible, it can execute code from the same server from any location.
This code gets executed in administrator/root context, and may lead to a full compromise of the victim server running VRTSweb
This remote code typically is in the form of .war archives.
Almost all versions of VRTSweb are affected, and almost all products using VRTSweb on both, Windows and Unix (Linux, HP-UX, Solaris, AIX) are affected.
- Symantec Backup Exec CP Server (BE CPS)11.0, 12.0, 12.5 All
- Symantec Veritas NetBackup (NBU) with NetBackup Operations Manager (NOM) installed 6.0.x, 6.5.x Windows, Solaris
- Symantec Veritas NetBackup RealTime Protection 6.5 All
- Symantec Veritas Backup Reporter (VBR) 6.0.x, 6.2.x, 6.5.x, 6.6 Windows, Solaris
- Symantec Veritas Storage Foundation (SF) 3.5 onwards All
- Symantec Veritas Storage Foundation for Windows (SFW) ?? All
- Symantec Veritas Storage Foundation for High Availability (SFHA) 3.5 onwards All
- Symantec Veritas Storage Foundation Manager (SFM) 1.0, 1.1, 1.1.1Ux, 1.1.1Win, 2.0 All
- Symantec Veritas Cluster Server Management Console (VCSMC) 5.0, 5.1, 5.5 All
- Symantec Veritas Storage Foundation Cluster File System (SFCFS) 3.5 (HP-UX), 4.0, 4.1, 5.0 (AIX, HP-UX, Linux, Solaris) Various
- Symantec Veritas Cluster Server Traffic Director ?? All
- Symantec Veritas Application Director (VAD) 1.x, 1.1 PE, 1.1 PE-RPx All
- Symantec Veritas Cluster Server One (VCSOne) 2.x All
- Symantec Veritas Storage Foundation for Oracle (SFO) 4.1 (HP-UX, Solaris)
- 5.0 (AIX, HP-UX, Linux, Solaris)
- 5.0.1 (HP-UX) Various
- Symantec Veritas Storage Foundation for DB2 4.1 (Solaris, Linux)
- 5.0 (Solaris, AIX, Linux) Various
- Symantec Veritas Storage Foundation for Sybase 4.1, 5.0 Solaris
- Symantec Veritas Command Central Storage (CCS) 4.3, 5.0 GA, 5.0 MP1, 5.0 MP1 RP1-RP6, 5.1 All
- Symantec Veritas Command Central Enterprise Reporter (CC-ER) 5.0 GA, 5.0 MP1, 5.0 MP1RP1, 5.1 All
- Symantec Veritas Command Central Storage Change Manager (CC-SCM) 5.1 All
- Symantec Veritas Virtual Infrastructure (VxVI) 1.0, 1.0SP1 Linux
- Symantec Veritas MicroMeasure 5.0 All
- Only the versions listed above are affected.
- NetBackup is affected only if NetBackup Operations Manager (NOM) is installed.
- PureDisk is not vulnerable in the default configuration
Vendor has released Patches