VTS16-001: NetBackup Remote Access Vulnerabilities

April 26, 2016

Revisions

Last updated May 19, 2016

1.0.1: Added links to NVD entries for CVEs

Severity

CVSS2 Base Score
Impact Exploitability CVSS2 Vector
 Communications Protocol Remote Command Execution  
9.3 10 8.6 AV:N/AC:M/Au:N/C:C/I:C/A:C
Weak Key Exchange Exposure
7.9 10 5.5 AV:A/AC:M/Au:N/C:C/I:C/A:C
Management Services Allow Unauthorized RPC
9.3 10 8.6 AV:N/AC:M/Au:N/C:C/I:C/A:C

Overview

Multiple vulnerabilities have been identified in Veritas (formerly Symantec) NetBackup Master/ Media Servers and clients. An attacker, able to successfully access a vulnerable NetBackup host, could potentially execute arbitrary commands or operations resulting in possible unauthorized, privileged access to the targeted system.

Affected Products

Product

 Version

Solution(s)

Veritas NetBackup

 7.7.1, 7.6.1.x, 7.6.0.x,

 7.5.x.x, 7.1.x, 7.0.x

Upgrade to Veritas NetBackup 7.7.2 or apply security hotfix for 7.7, 7.6.1.2, 7.6.0.4, 7.5.0.7 as a minimum

Veritas NetBackup Appliance

2.7.1, 2.6.1.x, 2.6.0.x, 2.5.x, 2.0.x, 1.2.x, 1.1.x

Upgrade to Veritas NetBackup Appliance 2.7.2 or apply security hotfix for 2.6.1.2, 2.6.0.4, 2.5.4 as a minimum.

Details

Veritas (formerly Symantec) was notified of multiple security issues impacting NetBackup Appliance, Master servers, Media servers and Clients.

CVE-2015-6550: An attacker, familiar with the communications protocols used by NetBackup, can leverage access to a host.  Once access is obtained, the bpcd service fails to properly sanitize user input resulting in the potential to run arbitrary commands on the targeted system with privileged access.

CVE-2015-6551: Communications between the administration console and the NBU server is not sufficiently protected.  An attacker with access to the internal network, who is able to sniff network traffic, could capture and recover login credentials.  This could potentially lead to full privileged access to the targeted server.

NOTE:  NetBackup 7.6.1 (Appliance 2.6.1) and above uses TLS to protect login communications and is NOT impacted by this particular issue.

CVE-2015-6552: An attacker, with working knowledge of the NetBackup management services protocol and access to the network, could make any supported Remote Procedure Call (RPC) and fully compromise the NetBackup administration functionality.

It is recommended that Veritas NetBackup listening ports should not be visible to the external network.  Any attempt to exploit these would require internal network access either by an authorized network user or an external attacker able to gain unauthorized access to the network.

Veritas Response
Veritas engineers verified these issues and resolved them in Veritas NetBackup hotfixes to recent releases as identified in the affected products matrix above.  Customers should upgrade and apply available hotfixes to avoid potential incidents of this nature.

Veritas is not aware of exploitation of or adverse customer impact from these issues.

Additional details and access to Veritas NetBackup security hotfixes are available from: https://www.veritas.com/docs/000108183

Best Practices
As part of normal best practices, Veritas recommends that customers:

  • Restrict access of administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities

Credit
Veritas would like to thank Emilien Girault, with ANSSI, working through CERT-FR for reporting these issues and coordinating with us as we resolved it.

References

CVE: These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CVE

Description

CVE-2015-6550

Communications Protocol Remote Command Execution

CVE-2015-6551

Weak Key Exchange Exposure

CVE-2015-6552

Management Services Allow Unauthorized RPC

 

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  Veritas CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
500 East Middlefield Road
Mountain View, CA 94043

http://www.veritas.com/

 

© 2016 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.