Revisions

1.0: March 18, 2019: Initial release
1.1: March 19, 2019: Added CVE IDs

Summary

Multiple vulnerabilities in Veritas NetBackup Appliance.

Issue  Description                                        Severity  Fixed Version
-----  ------------------------------------------------  --------  --------------
1      SMTP password displayed to administrator          Medium    March 2019 EEB
2      Proxy server password displayed to administrator  Medium    March 2019 EEB


Issues

Issue #1

SMTP password displayed to administrator.

CVE ID: CVE-2019-9868
Severity: Medium
CVSS v3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)

When using the NetBackup Appliance Web Console, if an SMTP password has been previously configured, an administrator can retrieve the password for that account, even if SMTP is not currently active. This exposes the full account credentials to the administrator, allowing the administrator to access the SMTP server for other purposes, e.g. to change the password and thus prevent the appliance from sending email.

Affected Products

  • NetBackup Appliance 3.1.2, 3.1.1, 3.1, 3.0, 2.7.3, and possibly earlier, unsupported versions without the March 2019 EEB installed


Issue #2

Proxy server password displayed to administrator.

CVE ID: CVE-2019-9867
Severity: Medium
CVSS v3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)

When using the NetBackup Appliance Web Console, if a proxy server password has been previously configured, an administrator can retrieve the password for that account, even if Call Home or the Proxy Server are not currently active. This exposes the full account credentials to the administrator, allowing the administrator to access the proxy server for other purposes, e.g. to change the password and thus prevent the appliance from using the proxy server.

Note: For NetBackup Appliance 3.1.1 and 3.1.2, “<saved>” is displayed instead of the actual password; however, the password can still be found in the HTML source of the page.
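The note above describes the classic write-only-secret mistake: the UI masks the password but the page still carries it, so masking alone is not a fix. The following is an added illustration, not Veritas code and not the appliance's actual implementation; the settings record, form field names and handler are all hypothetical. It renders a proxy settings form the leaky way beside a hardened version that returns only a "password is set" flag, plus a server-side handler that keeps the stored secret when the field is left blank and a check that verifies a rendered page no longer contains the secret.

```python
import html

# Constructed sample settings record (not Veritas data); the password is the
# secret that must never be sent back to the browser in a settings page.
PROXY_SETTINGS = {"host": "proxy.example.internal",
                  "user": "svc-proxy",
                  "password": "S3cret!Pass"}


def _common_fields(settings):
    return (f'<input name="host" value="{html.escape(settings["host"])}">'
            f'<input name="user" value="{html.escape(settings["user"])}">')


def render_proxy_form_vulnerable(settings):
    """Masks the password in the UI but embeds the real value in a hidden field
    so the form can be re-submitted unchanged: the secret is still in the body."""
    return ('<form method="post" action="/proxy">' + _common_fields(settings)
            + f'<input name="password_display" value="{html.escape("<saved>")}" readonly>'
            + f'<input type="hidden" name="password" value="{html.escape(settings["password"])}">'
            + '</form>')


def render_proxy_form_fixed(settings):
    """Write-only secret: the response carries only whether a password exists."""
    has_password = bool(settings.get("password"))
    hint = html.escape("<saved>") if has_password else ""
    return ('<form method="post" action="/proxy">' + _common_fields(settings)
            # Empty value; the placeholder tells the admin a password is stored.
            + f'<input type="password" name="password" value="" placeholder="{hint}">'
            # Lets the handler distinguish "keep existing secret" from "clear it".
            + f'<input type="hidden" name="password_set" value="{int(has_password)}">'
            + '</form>')


def apply_proxy_update(stored, form):
    """Handler for the fixed form: an empty password field with password_set=1
    keeps the stored secret; a non-empty field replaces it; otherwise clear it."""
    updated = {"host": form["host"], "user": form["user"]}
    if form.get("password"):
        updated["password"] = form["password"]
    elif form.get("password_set") == "1":
        updated["password"] = stored.get("password", "")
    else:
        updated["password"] = ""
    return updated


def response_exposes_secret(body, secret):
    """Search a rendered page (hidden fields included) for the secret, raw or
    HTML-escaped; use it to verify a settings page no longer carries it."""
    return secret in body or html.escape(secret) in body
```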


Affected Products

  • NetBackup Appliance 3.1.2, 3.1.1, 3.1, 3.0, 2.7.3, and possibly earlier, unsupported versions without the March 2019 EEB installed


References


Questions

If you have any questions about any information in this security advisory please contact Veritas technical support.


Best Practices

As part of normal best practices, Veritas recommends that customers:

  • Restrict access of administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.


Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas Technologies LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
500 East Middlefield Road
Mountain View, CA 94043

http://www.veritas.com/


© 2019 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.