1.0: May 7, 2017: Initial release
1.1: May 9, 2017: Added CVE
Remote command execution vulnerability in Veritas NetBackup Appliance allows unauthenticated users to execute arbitrary commands as root.
Unauthenticated users can execute arbitrary commands as root
7 May EEB for 2.7.2, 2.7.3 and 3.0
Unauthenticated users can execute arbitrary commands as root.
CVE ID: CVE-2017-8859
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
There is a remote command execution vulnerability in Veritas NetBackup Appliance that allows unauthenticated users to execute arbitrary commands as root, giving the attacker full access to the appliance and its data.
This issue existed because of insufficient filtering of user provided input.
- NetBackup Appliance 3.0, 2.7.3 and 2.7.2 and earlier
Note: NetBackup itself is not affected by this issue; it only affects the NetBackup appliance.
If you have any questions about any information in this security advisory please contact Veritas technical support.
Veritas would like to thank Matt Johnson of Morgan Stanley for reporting this vulnerability.
As part of normal best practices, Veritas recommends that customers:
- Restrict access of administration or management systems to privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas Technologies LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Veritas Technologies LLC
500 East Middlefield Road
Mountain View, CA 94043
© 2017 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.