Revisions
1.0: February 28, 2017: Initial release
1.1: March 1, 2017: Fixed versions affected for Issue #6 (summary table was correct, detailed information was incorrect)
1.2: March 2, 2017: Added Veritas Access versions. Added CVEs that have been assigned to date.
1.3: March 8, 2017: Added remaining CVEs. Fixed Issues #3 and #10 to indicate they only affect the NetBackup Server, not the NetBackup client.
1.4: April 26, 2017: Added fix for Issue #6, link to Tech Alert.
1.5: September 26, 2017: Added issues fixed in NetBackup 8.1 and NetBackup Appliance 3.1.
Summary
Multiple vulnerabilities in Veritas NetBackup (NBU), Veritas NetBackup Appliance (NBA) and Veritas Access (VA).
Issue | Description | Severity | Fixed Version (NBU/NBA/VA) |
---|---|---|---|
1 |
Privileged remote command execution on NetBackup Server and Client |
Critical |
7.7.2 |
2 |
Critical |
7.7.2 |
|
3 |
Medium |
8.1 |
|
4 |
Privileged remote command execution on NetBackup Server and Client |
Critical |
7.7.2 |
5 |
Arbitrary privileged command execution using whitelist directory escape |
Critical |
7.7.2 |
6 |
Local arbitrary command execution when using bpcd and bpnbat |
High |
8.0 , EEB for 7.7.2 or 7.7.3 |
7 |
Critical |
8.1 |
|
8 |
High |
8.1 |
|
9 |
Low |
7.7 |
|
10 |
NetBackup Cloud Storage Service uses a hardcoded username and password |
Critical |
8.0 |
11 |
Critical |
8.1 |
Comments
- Beginning with Veritas Access 7.2, Access includes a version of the NetBackup client, therefore vulnerabilities that affect that component also affect Access.
- Veritas Resiliency Platform (VRP) 2.1 and InfoMap Agent 1.0 both include components of NetBackup, however neither is affected by any of these vulnerabilities.
- This advisory will be updated as fixes become available for the various affected products.
Issues
Issue #1
Privileged remote command execution on NetBackup Server and Client.
CVE ID: CVE-2017-6407
Severity: Critical
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
A local user on a NetBackup server can execute an arbitary command on the NetBackup server or cause the server to execute an arbitrary command on a connected NetBackup client. The command will execute with root/admin privileges.
Affected Products
- NetBackup Server and Client before 7.7.2
- NetBackup Appliance before 2.7.2
Issue #2
CVE ID: CVE-2017-6400
Severity: Critical
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
A local user on a NetBackup server or client can execute an arbitrary command on the local system. The command will execute with root/admin privileges. This is a separate issue from Issue #1 described above.
Affected Products:
- NetBackup Server and Client before 7.7.2
- NetBackup Appliance before 2.7.2
- Access 7.2.1 and earlier
Issue #3
Denial of service affecting NetBackup server
CVE ID: CVE-2017-6402
Severity: Medium
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
An authenticated user that can communicate with the NetBackup server can cause a denial of service.
Affected Products:
- NetBackup Server 8.0 and earlier
- NetBackup Appliance 3.0 and earlier
Issue #4
Privileged remote command execution on NetBackup Server and Client
CVE ID: CVE-2017-6399
Severity: Critical
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
A local user on a NetBackup server can execute an arbitrary command on the NetBackup server or cause the server to execute an arbitrary command on a connected NetBackup client. The command will execute with root/admin privileges. This is a different issue from Issues #1 and #2 above.
Affected products:
- NetBackup Server and Client before 7.7.2
- NetBackup Appliance before 2.7.2
- Access 7.2.1 and earlier
Issue #5
Arbitrary privileged command execution using whitelist directory escape
CVE ID: CVE-2017-6406
Severity: Critical
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
NetBackup services can execute commands on the local system from a whitelist of directories. A local user can escape that whitelist by using one or more “../” as part of a path to execute any command on the system.
Affected Products:
- NetBackup Server and Client before 7.7.2
- NetBackup Appliance before 2.7.2
- Access 7.2.1 and earlier
Issue #6
Local arbitrary command execution when using bpcd and bpnbat
CVE ID: CVE-2017-6401
Severity: High
CVSS v3 Base Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
bpcd runs as root/admin and can execute any NetBackup command. bpnbat can execute any command on the local system. If bpcd is used to execute bpnbat then in combination they can be used to execute any command on the system as root/admin.
Affected Products:
- NetBackup Server and Client 7.7.2 and 7.7.3 before April 2017 EEB
- NetBackup Appliance before 2.7.2 and 2.7.3 before April 2017 EEB
- Access 7.2.1 and earlier
Issue #7
Host name based security allows DNS spoofing.
CVE ID: CVE-2017-6405
Severity: Critical
CVSS v3 Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
NetBackup relies on host names to ensure that it is communicating with the correct client or server. This is vulnerable to DNS spoofing.
Affected Products:
- NetBackup Server and Client 8.0 and earlier
- NetBackup Appliance 3.0 and earlier
- Access 7.2.1 and earlier
Issue #8
Local privilege escalation race condition in pbx_exchange
CVE ID: CVE-2017-6408
Severity: High
CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
pbx_exchange creates sockets that any process can connect to and then changes the permissions so that only root processes can connect. In the time between creation and the permission change an unprivileged local process could connect to pbx_exchange and impersonate a legitimate component.
Affected Products:
- NetBackup Server and Client 8.0 and earlier
- NetBackup Appliance 3.0 and earlier
- Access 7.2.1 and earlier
Issue #9
World writable log files
CVE ID: CVE-2017-6404
Severity: Low
CVSS v3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
If logging is enabled many of the log files used by NetBackup are world writable, allowing an attacker to corrupt those files.
Affected Products:
- NetBackup Server and Client before 7.7
- NetBackup Appliance before 2.7
Issue #10
NetBackup Cloud Storage Service uses a hardcoded username and password
CVE ID: CVE-2017-6403
Severity: Critical
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
The NetBackup Cloud Storage Service connector uses a hardcoded username and password. An attacker using these credentials can query and modify the configuration and delete data.
Affected Products:
- NetBackup Server before 8.0
- NetBackup Appliance before 3.0
Issue #11
Unauthenticated CORBA interfaces
CVE ID: CVE-2017-6409
Severity: Critical
CVSS v3 Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Unauthenticated CORBA interfaces permit an attacker to affect the confidentiality, integrity and availability of NetBackup.
Affected Products:
- NetBackup Server and Client 8.0 and earlier
- NetBackup Appliance 3.0 and earlier
- Access 7.2.1 and earlier
References
Questions
If you have any questions about any information in this security advisory please contact Veritas technical support or your Veritas sales representative.
Acknowledgement
Veritas would like to thank Sven Blumenstein, Xiaoran Wang and Andrew Griffiths from the Google Security Team for reporting these vulnerabilities.
Best Practices
As part of normal best practices, Veritas recommends that customers:
- Restrict access of administration or management systems to privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Veritas Technologies LLC
500 East Middlefield Road
Mountain View, CA 94043
© 2017 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.