Samba vulnerability in NetBackup Appliances - CVE-2017-7494

Article: 100034094
Last Published: 2018-01-18
Product(s): Appliances

Problem

CVSS Base Score: 7.5 

A remote code execution flaw was found in the Samba versions that are used in the NetBackup Appliances.
A malicious authenticated Samba client, having write access to the Samba share, could use this flaw to execute arbitrary code as root.

NetBackup Appliance software versions 2.7.1 - 3.0 are affected by this vulnerability.


Note: This vulnerability does not affect the NetBackup and OpsCenter software applications.


Error Message

Security scanners will report this issue as a high severity vulnerability for Samba packages used in the NetBackup Appliance.

Cause

NetBackup Appliance software versions 2.7.1 - 3.0 use the affected Samba packages.


Solution

Emergency Engineering Binaries (EEBs) are available to fix this vulnerability on the following releases of the NetBackup appliances:

 - 2.7.2, 2.7.3 and 3.0.

Apply the appropriate EEB for your version.

Before installing the EEB, note the following:

  • To avoid an EEB installation failure, you must stop all NetBackup jobs before installing the EEB.
  • This EEB must be installed on both the master server appliances and all associated media server appliances.
  • A reboot is not required after EEB installation.
  • If you upgrade your appliance after installing this EEB, you must reinstall the EEB that is associated with the upgraded software version.

For instructions on installing EEBs, refer to article number 000076512 by clicking the Related Articles link on this page.

Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.

  • This vulnerability has been fixed in NetBackup Appliance software version 3.1.

Note: NetBackup appliances do not use the Samba packages from samba.org directly. To address this vulnerability, the appliances use the Samba packages that Red Hat provides for Red Hat Enterprise Linux (RHEL) Server 6. Click on the following link for more details:
https://access.redhat.com/errata/RHSA-2017:1270

Most security scanners validate this vulnerability by comparing the installed Samba version with the fixed version published by samba.org rather than with the fixed package version published by Red Hat. Even after the appropriate EEB is installed, those scanners may still report this vulnerability on a NetBackup appliance. In that scenario, the finding can be treated as a false positive.
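As an added illustration of the scanner behaviour described above (example code, not part of the Veritas article), the Python below compares an installed Samba package string the way a naive scanner does (upstream version only, against samba.org) and the way a vendor-aware check does (version and release together, using rpmvercmp-style ordering). The installed string is a constructed sample of `rpm -q` output; the upstream fixed version 4.6.4 is assumed from the samba.org advisory for this CVE, and the Red Hat fixed version-release is a placeholder to be replaced with the value listed in RHSA-2017:1270.

```python
import re

# Constructed sample of: rpm -q samba --qf '%{VERSION}-%{RELEASE}\n'
SAMPLE_RPM_OUTPUT = "3.6.23-43.el6_9\n"

# Assumed upstream fixed version from the samba.org advisory for CVE-2017-7494.
UPSTREAM_FIXED_VERSION = "4.6.4"

# PLACEHOLDER: replace with the samba version-release listed in RHSA-2017:1270.
REDHAT_FIXED_VR = "3.6.23-43.el6_9"


def _segments(s):
    """Split into rpmvercmp-style segments: runs of digits (as ints) or letters."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def rpm_vercmp(a, b):
    """Return -1, 0 or 1 comparing a with b using rpmvercmp ordering rules."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        # A numeric segment is considered newer than an alphabetic one.
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def vr_cmp(installed_vr, fixed_vr):
    """Compare 'version-release' strings: version first, then release."""
    iv, _, ir = installed_vr.strip().partition("-")
    fv, _, fr = fixed_vr.strip().partition("-")
    return rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)


def naive_scanner_verdict(installed_vr, upstream_fixed=UPSTREAM_FIXED_VERSION):
    """Upstream-only check: ignores the release field, so backports look unpatched."""
    version = installed_vr.strip().partition("-")[0]
    return "vulnerable" if rpm_vercmp(version, upstream_fixed) < 0 else "patched"


def vendor_aware_verdict(installed_vr, fixed_vr=REDHAT_FIXED_VR):
    """Vendor check: the package is patched if its version-release >= the erratum's."""
    return "patched" if vr_cmp(installed_vr, fixed_vr) >= 0 else "vulnerable"


if __name__ == "__main__":
    print("naive scanner :", naive_scanner_verdict(SAMPLE_RPM_OUTPUT))
    print("vendor-aware  :", vendor_aware_verdict(SAMPLE_RPM_OUTPUT))
```

The two verdicts disagree on the same package string, which is exactly the false positive the article describes.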
