Veritas-bu

[Veritas-bu] VERITAS NetBackup Volume Manager Daemon Buffer Overflow Vulnerability

2006-01-17 08:29:39
Subject: [Veritas-bu] VERITAS NetBackup Volume Manager Daemon Buffer Overflow Vulnerability
From: steve_cashman AT symantec DOT com (Steven Cashman)
Date: Tue, 17 Jan 2006 07:29:39 -0600

VERITAS NetBackup Volume Manager Daemon Buffer Overflow Vulnerability
Bugtraq ID 15353
CVE CVE-2005-3116
Published Nov 8 2005
Last Update 1/16/2006 2:38:35 PM GMT
Remote Yes
Local No
Credibility Vendor Confirmed
Classification Boundary Condition Error
Ease Exploit Available
Availability Always
Authentication Not Required

Impact 10 Severity 10 Urgency Rating 9.6

Last Change Exploit code released; Urgency raised.

Vulnerable Systems
------------------
Veritas Software NetBackup Client 5.0.0
Veritas Software NetBackup Client 5.1.0
Veritas Software NetBackup Enterprise Server 5.0.0
Veritas Software NetBackup Enterprise Server 5.1.0
Veritas Software NetBackup Server 5.0.0
Veritas Software NetBackup Server 5.1.0

Short Summary
-------------
VERITAS NetBackup is prone to a buffer overflow in the Volume Manager
Daemon; arbitrary code execution may be possible.

Impact
------
A remote attacker could cause the application to fail or execute
arbitrary code.

Technical Description
---------------------
VERITAS NetBackup is a network enabled backup solution from VERITAS. It
is available for various platforms.

The NetBackup Volume Manager Daemon (vmd) is prone to a buffer overflow
in a shared library used by the daemon. Other daemons that utilize the
affected shared library may also expose this vulnerability.

Successful exploitation of this issue could cause a denial of service
that could disrupt backup operations or lead to arbitrary code execution
in the context of the daemon.

This issue only affects NetBackup 5.0 and 5.1.

Attack Scenarios
----------------
A remote attacker locates a vulnerable NetBackup daemon that calls the
affected library in an insecure way. The attacker crafts an exploit
designed to trigger this issue, including return addresses and machine
code.

The attacker sends the malformed data to the daemon, causing an internal
buffer to be overrun. This allows the attacker-supplied code to be
executed in the security context of the vulnerable daemon.

Exploits
--------
Exploit code has been released by Patrick Thomassen.


http://www.securityfocus.com/data/vulnerabilities/exploits/netbackup-exploit.c

Mitigating Strategies
---------------------
Block external access at the network boundary, unless service is required
by external parties.
Restrict access to the affected service at the network perimeter. Grant
access for trusted hosts and networks only.

Deploy network intrusion detection systems to monitor network traffic for
malicious activity.
Deploy a network intrusion detection sensor between the computer that is
hosting the vulnerable service and the network perimeter. Flag on all
anomalous communications that are destined for the vulnerable service.
Audit logs regularly for indications of potential attacks.

Implement multiple redundant layers of security.
An attacker's ability to exploit this vulnerability to execute arbitrary
code may be hindered through the use of various memory protection
schemes. Where possible, implement the use of non-executable and randomly
mapped memory segments.

Run all software as a non-privileged user with minimal access rights.
If possible, running the affected service as a user with least possible
privileges may help mitigate the impact of a successful attack.


Solutions
---------
Fixes are available:


VERITAS Software Patch Cumulative Security Pack NB_50_5S2
http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm
Veritas Software NetBackup Enterprise Server 5.0.0
Veritas Software NetBackup Client 5.0.0
Veritas Software NetBackup Server 5.0.0

VERITAS Software Patch Cumulative Security Pack NB_51_3AS2
http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm
Veritas Software NetBackup Enterprise Server 5.1.0
Veritas Software NetBackup Client 5.1.0
Veritas Software NetBackup Server 5.1.0

This issue is also addressed in 5.1MP4

Hope that helps

  _____

From: veritas-bu-admin AT mailman.eng.auburn DOT edu
[mailto:veritas-bu-admin AT mailman.eng.auburn DOT edu] On Behalf Of Piszcz,
Justin
Sent: Tuesday, January 17, 2006 6:03 AM
To: veritas-bu AT mailman.eng.auburn DOT edu
Subject: [Veritas-bu] VERITAS NetBackup Volume Manager Daemon Buffer
Overflow Vulnerability



http://www.securityfocus.com/bid/15353

Is there a patch available yet?

Thanks,

Justin.

