Revisions

  • 1.0: November 5, 2019, initial release

Summary

Arbitrary command injection vulnerability in the Cluster Server (VCS) component of Veritas InfoScale, Cluster Server, Storage Foundation and High Availability Solutions products.

Issue Description Severity
1 When configured in non-secure mode there is a command injection vulnerability in the Veritas Cluster Server (VCS) component of the Veritas InfoScale Availability and Veritas InfoScale Enterprise products. This vulnerability also exists in earlier VCS and the Storage Foundation and High Availability Solutions (SFHA) products. Critical

 

Patches Available

Note: "InfoScale" below refers to both InfoScale Availability and InfoScale Enterprise

Product version/Supported Platform RHEL 6, RHEL 7, SLES 11, SLES 12 Solaris 11 SPARC, AIX Solaris 11 x86 Solaris 10 SPARC Windows
InfoScale 7.4.1 7.4.1.1200
7.4.1.1100
7.4.1.1100 Not applicable Patch_7_4_10002_3982225
InfoScale 7.3.1 7.3.1.1100
7.3.1.1100 7.3.1.1100 Not applicable Patch_7_3_10002_3982224
VCS/SFHA 6.2.1 6.2.1.1100
6.2.1.1100
Not applicable 6.2.1.1100 Not applicable
VCS/SFWHA 6.1 Not applicable Not applicable Not applicable Not applicable Patch_6_1_00032_3982226

 

Downloads

Issues

Issue #1

There is a command injection vulnerability in the Cluster Server component of an affected product when a cluster is configured in the non-secure mode. This vulnerability allows an unauthenticated remote attacker to execute arbitrary commands as either root or administrator on the system potentially allowing the attacker to take control of the system.

CVE ID: To be assigned
Severity: Critical
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Affected Products

  • InfoScale Availability 7.4.1 and earlier on all platforms
  • InfoScale Enterprise 7.4.1 and earlier on all platforms
  • Cluster Server 6.2.1 and earlier for UNIX/Linux platforms
  • Cluster Server 6.1 and earlier for Windows
  • Storage Foundation HA 6.2.1 and earlier for UNIX/Linux platforms
  • Storage Foundation HA 6.1 and earlier for Windows

Mitigations

  • If your product is at a version for which no fix is available and you do not want to upgrade to the latest version, you can enable the secure mode for the existing clusters to mitigate the vulnerability. For details on how to do this, refer to the “Enabling and disabling secure mode for the cluster” section in the Cluster Server Administrator’s Guide of the applicable UNIX platform and product version or to the “Configuring the cluster using the Cluster Configuration Wizard” section in the Cluster Server Administrator’s Guide of the applicable product version for Windows.
  • If it is not feasible to either upgrade the product or to enable the secure mode for existing clusters, you can mitigate the vulnerability by using a firewall to restrict access to port 14150 to only those systems that are used to administer the product.

 

Questions

If you have any questions about any information in this security advisory please contact Veritas technical support.

 

Best Practices

As part of normal best practices, Veritas recommends that customers:

  • Restrict access of administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities

 

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas Technologies LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054

http://www.veritas.com/

 

© 2019 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.