Note: This is an archival copy of Security Sun Alert 253287 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020160.1.
6803212, 6803215, 6797673, 6797674
Veritas NetBackup 6.0
Veritas NetBackup 6.5
Date of Resolved Release
Security Vulnerability in the VERITAS (Symantec) NetBackup network daemon may allow escalation of privileges:
A Security Vulnerability in the VERITAS (Symantec) NetBackup network daemon may allow an unprivileged local user to leverage the Veritas network daemon (vnetd) to gain elevated privileges on the system.
This issue is referenced in Symantec Security Advisory SYM09-002 at:
This issue can occur in the following releases:
Note 2: NetBackup 6.0 and earlier versions are not shipped for the x86 Platform.
Note 3: To determine if a system is running the 6.0 GA version or the 6.0 MP4 CD version, execute the following command:
$ pkgparam VRTSnetbp VERSION
The 6.0 GA version responds with VERSION=6.0,REV=2005.09.07.19.13
The 6.0 MP4 CD version responds with VERSION=6.0,REV=2006.11.09.18.12
There are no predictable symptoms to indicate that the described issue has been exploited to gain elevated privileges.
Sites unable to update immediately to the recommended solution should restrict inbound access to the vnetd listening port (TCP/13724) on all systems. This may be done by using firewall applications on the affected systems. Please refer to the firewall documentation on how to set up the access authorizations. Normal operations should restrict client to client communications and allow only master server to media server, media server to media server, and master/media server to client communications.
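One way to express this workaround, as an added example that is not part of the original alert: a small generator for host firewall rules that admit inbound vnetd connections only from the master and media servers. It assumes Solaris IP Filter (ipf.conf syntax) as the host firewall, which the alert does not name, and the server addresses shown are constructed documentation addresses.

```shell
#!/bin/sh
# Added example: print Solaris IP Filter rules that limit inbound vnetd
# (TCP/13724) to the NetBackup master and media servers given as arguments.
# Assumption: IP Filter is the host firewall; the alert does not name one.
# Usage (constructed addresses): sh vnetd_rules.sh 192.0.2.10 192.0.2.20

VNETD_PORT=13724

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# vnetd_rules SERVER...: print the rule set, or print nothing and fail if
# any argument is not a plain IPv4 address (no partial rule sets).
vnetd_rules() {
    [ "$#" -gt 0 ] || { echo "need at least one server address" >&2; return 2; }
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 2; }
    done
    # "quick" stops at the first match, so the allow rules must come first.
    for addr in "$@"; do
        echo "pass in quick proto tcp from $addr/32 to any port = $VNETD_PORT flags S keep state"
    done
    # Every other source, including other clients, is refused.
    echo "block in quick proto tcp from any to any port = $VNETD_PORT"
}

# Stand-alone use: emit rules for the addresses given on the command line.
[ "$#" -eq 0 ] || vnetd_rules "$@"
```

The same rule set fits clients and servers alike, because the alert's policy never lists a client as a permitted source.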
As part of normal best practices, Symantec strongly recommends the following:
This issue is addressed in the following releases:
Patches 136859-01 and 136860-01 have identical binaries, with the only difference being the version of VRTSnetbp being patched. Only one of the patches will be applied to a NetBackup system based on the following:
Patch 136859-01 is applicable to VERITAS NetBackup 6.0 Product for GA, with version string VERSION=6.0,REV=2005.09.07.19.13.
Patch 136860-01 is applicable to VERITAS NetBackup 6.0 MP4 CD with version string VERSION=6.0,REV=2006.11.09.18.12.
For more information on Security Sun Alerts, see 1009886.1.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.