Problem

Symantec Advisory SYM05-024: Exploitation of a buffer overflow vulnerability in VERITAS NetBackup (tm) Enterprise Server/Server 5.0 and 5.1 could potentially lead to a remote Denial Of Service or remote code execution. (Updated January 17, 2006.)

Solution
Symantec Security Advisory SYM05-024 November 8, 2005 VERITAS NetBackup 5.x: Buffer Overflow in Shared Library used by Volume Manager Daemon Revision History 1/16/2006 -Exploit code for this issue is publicly available; however, the signatures identified in the lower portion of this TechNote have been tested with this latest exploit code and the signatures do detect it. 1/17/2006 - The Formal Resolution of this document has been updated, as the "Formal" maintenance packs containing the fix for this issue have been released and are available. The links to both the security packs and the formal maintenance packs are listed below, in the Related Documents section. Severity HIGH

Type Remote Access Local Access

Affected Yes No

Authentication Required No Exploit publicly available Yes

Overview A buffer overflow vulnerability exists in a shared library used by the VERITAS NetBackup volume manager daemon (vmd) running on VERITAS NetBackup 5.x servers and clients.

Successful exploitation of this overflow condition could possibly allow a malicious attacker to create a denial of service disrupting backup systems or potentially allow execution of arbitrary code with elevated privileges on a targeted system. Affected Product(s) Product Version Build Platform Solution All All All All NB_50_5S2_M NB_51_3AS2_M

NetBackup Enterprise Server/Server/Client 5.0 NetBackup Enterprise Server/Server/Client 5.1

Product(s) Not Affected Product Version Build Platform NetBackup DataCenter and BusinesServer 4.5 MP, FP All All NetBackup Enterprise Server/Server/Client 6.0 All All

Details iDefense Labs notified Symantec of a buffer overflow vulnerability in VERITAS NetBackup that could potentially allow a remote attacker to cause a denial of service or to execute arbitrary code. The vulnerability was initially found in the NetBackup vmd daemon but further analysis revealed the problem occurs in a shared library used by vmd possibly impacting other daemons using that shared library also. The buffer overflow condition is due to improper bounds checking of user input. If a remote attacker were able to gain access to the affected library through one of the daemons and successfully exploit this vulnerability, they could potentially disrupt backup capabilities or possibly execute arbitrary code with elevated privileges on the targeted system. A list of iDefense Labs vulnerabilities can be found at: http://www.idefense.com/application/poi/display?type=vulnerabilities

Formal Resolution This issue is formally resolved in the following NetBackup Enterprise Server/Server Security Packs: Cumulative Security Pack NB_50_5S2, for NetBackup Enterprise Server/Server 5.0 Maintenance Pack 5 (MP5) Security pack NB_50_5S2 is a cumulative security pack that includes prior security packs, such as NB_50_5S1320_M. Once applying NB_50_5S2, do not apply any preceding security packs. In order to apply Security Pack NB_50_5S2, NetBackup 5.0 Maintenance Pack 5 (MP5) must first be applied. Cumulative Security Pack NB_51_3AS2, for NetBackup Enterprise Server/Server 5.1

Maintenance Pack 3A (MP3A) Security pack NB_51_3AS2 is a cumulative security pack that includes prior security packs, such as NB_51_3AS0949_M. Once applying NB_51_3AS2, do not apply any preceding security packs. In order to apply Security Pack NB_51_3AS2, NetBackup 5.1 Maintenance Pack 3A (MP3A) must first be applied. The cumulative security packs listed above for NetBackup 5.0 and 5.1 are available from the following location: http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm This following maintenance packs also contain the formal resolution for this issue: NetBackup Enterprise Server/Server 5.0 Maintenance Pack 6 (MP6) NetBackup Enterprise Server/Server 5.1 Maintenance Pack 4 (MP4) The maintenance packs listed above can also be found at the following link: http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm

Symantec Response Symantec Engineers have verified this issue ONLY impacts NetBackup 5.x. Symantec has made security updates available for the supported VERITAS NetBackup 5.x products. Symantec strongly recommends all customers immediately apply the latest cumulative updates for their supported product versions to protect against these types of threats. As mentioned previously, the cumulative security packs and the maintenance packs listed above for NetBackup 5.0 and 5.1 are available from the following location: http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm

NOTE: In a recommended installation, VERITAS NetBackup should be restricted to trusted access only. The VERITAS NetBackup Server or clients should never be visible external to the network which greatly reduces opportunities for unauthorized remote access.

Symantec Security Response will release IPS/IDS signatures to detect and prevent attempts to exploit this issue. Symantec ManHunt 3.0 signatures are available for update from the Symantec Security Response Update Center at: http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_MH.html Symantec Network Security Appliance 7100 signatures are available for update from the Symantec Security Response Update Center at: http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SNS.html Symantec Gateway Security 3.0 signatures are available for update from the Symantec Security

Response Update Center at: http://securityresponse.symantec.com/avcenter/security/Content/Product/Product_SGS.html Symantec Client Security 2.0 and 3.0 signatures are available for update via LiveUpdate and from the Security Response Update Center at: http://www.symantec.com/avcenter/security/Content/Product/Product_SCS.html Customers using Symantec Client Security 2.0 and 3.0 should receive frequent signature updates if they run LiveUpdate regularly. If not, Symantec recommends customers manually run Symantec LiveUpdate to ensure they have the most current protection available. As part of normal best practices, Symantec strongly recommends: Restricting access to administration or management systems to privileged users. Restricting remote access, if required, to trusted/authorized systems only. Running under the principle of least privilege where possible to limit the impact of exploit by threats such as this. Keeping all operating systems and applications updated with the latest vendor patches. Following a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats. Deploying network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities Mitigating Security Vulnerabilities In order to mitigate security vulnerabilities, Symantec strongly recommends reviewing your current security policy to ensure the following are included in the policy: 1. Run NetBackup behind a firewall or other external boundary protection that controls traffic coming in and out of the network. Also, block external access to the ports that NetBackup utilizes. Default ports from a standard NetBackup installation are listed below. Process visd vmd acsd tl8cd odld ts8d tldcd tl4d tsdd Default Port 9284 13701 13702 13705 13706 13709 13711 13713 13714

tshd tlmd tlhcd lmfcd rsmd bprd bpdbm bpjobd vnetd bpcd vopied nbdbd

13715 13716 13717 13718 13719 13720 13721 13723 13724 13782 13783 13784

bpjava-msvc 13722

2. Running under the principle of least privilege where possible to limit the impact of exploit by threats such as this. 3. If remote access is required, allow access to only those IP addresses requiring remote access. 4. Deploy network intrusion detection systems to monitor network traffic for signs of malicious, anomalous, or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities. Symantec strongly recommends the following best practices: 1. Always perform a Full backup prior to and after any changes to your environment. 2. Always make sure that your environment is running the latest version and patch level. If you have not received this TechNote from the Symantec Email Notification Service as a Software Alerts, please subscribe at the following link: http://maillist.support.veritas.com/subscribe.asp Please check this document periodically for any updates. CVE The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CAN-2005-3116 ( http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=2005-3116 ) to this issue. This issue is a candidate for inclusion in the CVE list ( http://cve.mitre.org ), which standardizes names for security problems. Credit: Symantec would like to thank iDefense Labs for reporting this issue and for providing coordination while Symantec resolved it.