Revisions

Last updated October 17, 2016

1.0.2: Fixed a typo 'date' to 'data'.

1.0.1: Clarified that NetBackup and OpsCenter are not affected by this vulnerability.  Clarified versions for which EEBs are available.

 

Severity

CVSS3 Base Score
Impact Exploitability CVSS3 Vector
Unauthenicated User Can Execute Arbitrary Commands as Root
10.0 6.0 3.9 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

Overview.

A vulnerability has been identified in Veritas (formerly Symantec) NetBackup Appliance.  Using this vulnerability an unauthenicated attacker can execute arbitrary commands as root resulting in privileged access to the targeted system.

Affected Products

Product

 Version

Solution(s)

Veritas NetBackup Appliance

 2.6.x, 2.7.x

Apply EEB released on October 4, 2016 for 2.6.0.4, 2.6.1.2 or 2.7.3 as appropriate.  If using an earlier version than listed above, e.g. 2.6.0.3 or 2.7.2, you must upgrade to the latest version on the branch before applying the EEB.

Note: Neither NetBackup nor OpsCenter are affected by this vulnerability

Details

Veritas (formerly Symantec) was notified of a single security issue impacting NetBackup Appliance.

CVE-2016-7399: An unauthenticated attacker, with working knowledge of the NetBackup Appliance implementation, can execute arbitrary commands as root.  The attacker could use executables already present on the appliance to copy new, malicious executables to the system potentially resulting in total compromise of the appliance and all data on it.

Veritas Response

Veritas engineers verified this issue and resolved it in Veritas NetBackup Appliance hotfixes (EEBs) to recent releases as identified in the affected products matrix above.  Customers should upgrade and apply available hotfixes to avoid potential incidents of this nature.  See the TechNote for our how to obtain the EEBs.

Veritas is not aware of exploitation of or adverse customer impact from these issues.

Best Practices

As part of normal best practices, Veritas recommends that customers:

  • Restrict access of administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities

Credit

Veritas would like to thank Matthew Hall with SEC-1 for reporting this issue and coordinating with us as we resolved it.

References

CVE: This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CVE

Description

CVE-2016-7399

Unauthenicated user can execute arbitrary commands as root

Veritas TechNote

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  Veritas CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
500 East Middlefield Road
Mountain View, CA 94043

http://www.veritas.com/

 

© 2016 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Get Support