CERT Coordination Center

VERITAS NetBackup library buffer overflow vulnerability

Vulnerability Note VU#574662

Original Release Date: 2005-11-14 | Last Revised: 2006-01-16

Overview

A buffer overflow in VERITAS NetBackup may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

According to Symantec/VERITAS:

A vulnerability has been confirmed in the NetBackup Volume Manager daemon (vmd). By sending a specially crafted packet to the Volume Manager, a stack overflow occurs. This is caused by improper bounds checking. Exploitation does not require authentication, thereby allowing a remote attacker to take over the system or disrupt the backup capabilities. Further testing and code inspection has revealed that all other NetBackup 5.1 daemons are potentially affected in the same manner. Therefore, any Master Servers, Media Servers, Clients and Console machines at this version level are subject to this vulnerability. However, NetBackup 5.1 database agents are not affected by this issue.

For more information, please refer to Symantec Advisory SYM05-024.

Please note that exploit code for this vulnerability is publicly available.

Impact

A remote, unauthenticated attacker may be able to trigger this buffer overflow by sending a vulnerable NetBackup installation a specially crafted packet. Exploitation may allow that attacker to execute arbitrary code with root or SYSTEM privileges.

Solution

Apply Patches

Please see the Symantec Updates & Downloads page for patches to correct this vulnerability.

Restrict access

You may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by the NetBackup services. Symantec/VERITAS provided the following table of default ports for NetBackup processes:

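| Process | Default Port |
|---|---|
| visd | 9284 |
| vmd | 13701 |
| acsd | 13702 |
| tl8cd | 13705 |
| odld | 13706 |
| ts8d | 13709 |
| tldcd | 13711 |
| tl4d | 13713 |
| tsdd | 13714 |
| tshd | 13715 |
| tlmd | 13716 |
| tlhcd | 13717 |
| lmfcd | 13718 |
| rsmd | 13719 |
| bprd | 13720 |
| bpdbm | 13721 |
| bpjava-msvc | 13722 |
| bpjobd | 13723 |
| vnetd | 13724 |
| bpcd | 13782 |
| vopied | 13783 |
| nbdbd | 13784 |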

Restricting access to these ports will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
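One way to express the host-based restriction described above, as an added example that is not part of the original note or of Symantec's guidance: a shell function that prints, without applying, iptables rules admitting the listed default ports only from named backup hosts. It assumes a Linux host with iptables, that the services listen on TCP (the table gives no protocol), an illustrative chain name `NETBACKUP`, and constructed source addresses from the 192.0.2.0/24 documentation range.

```shell
#!/bin/sh
# Default NetBackup ports from the table above. Contiguous runs are written
# as ranges so the list fits the 15-slot limit of iptables' multiport match.
NBU_PORTS="9284,13701,13702,13705,13706,13709,13711,13713:13724,13782:13784"

# Print rules for a dedicated chain: accept the listed ports only from the
# given source addresses, then log and drop everything else aimed at them.
# Nothing is applied; review the output before piping it to a root shell.
netbackup_rules() {
    chain="NETBACKUP"   # hypothetical chain name chosen for this example
    echo "iptables -N $chain"
    for src in "$@"; do
        # Character filter: keep only strings made of digits, dots and '/'
        # (IPv4 address or CIDR); anything else is skipped with a warning.
        case "$src" in
            *[!0-9./]*|"") echo "skipping invalid source: $src" >&2; continue ;;
        esac
        echo "iptables -A $chain -s $src -j ACCEPT"
    done
    # Rate-limited logging gives a record of blocked connection attempts.
    echo "iptables -A $chain -m limit --limit 6/min -j LOG --log-prefix \"nbu-drop: \""
    echo "iptables -A $chain -j DROP"
    # The jump from INPUT is emitted last so the chain is complete before
    # traffic reaches it. TCP is an assumption of this example.
    echo "iptables -I INPUT -p tcp -m multiport --dports $NBU_PORTS -j $chain"
}

# Constructed sample: one master server and one small media-server subnet.
netbackup_rules 192.0.2.10 192.0.2.0/28
```

If a site has moved any NetBackup service off its default port, the port list must be adjusted to match; with no valid sources the generated chain drops all traffic to these ports.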

Vendor Information

Symantec, Inc. Affected

Notified:  November 14, 2005 Updated: November 15, 2005

Status

Affected

Vendor Statement

According to Symantec/VERITAS, information regarding this vulnerability and its remediation is available at http://seer.support.veritas.com/docs/279553.htm.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Veritas Backup-Exec Affected

Updated:  November 15, 2005

Status

Affected

Vendor Statement

According to Symantec/VERITAS, information regarding this vulnerability and its remediation is available at http://seer.support.veritas.com/docs/279553.htm.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Acknowledgements

This issue was reported by Symantec, who credits iDefense Labs with providing information regarding this vulnerability.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2005-3116
Severity Metric: 24.81
Date Public: 2005-11-08
Date First Published: 2005-11-14
Date Last Updated: 2006-01-16 18:08 UTC
Document Revision: 42
