-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2006.0587 -- [Win][Linux][NetWare]
  Symantec NetBackup PureDisk: Non-Privileged User Authentication Bypass
                              17 August 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Veritas NetBackup PureDisk Remote Office Edition 6.0
Publisher:            Symantec
Operating System:     Windows
                      Linux variants
                      NetWare
Impact:               Administrative Compromise
Access:               Remote/Unauthenticated

Original Bulletin:
  http://www.symantec.com/avcenter/security/Content/2006.08.16.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Symantec Security Advisory

SYM06-015
16 August 2006

Symantec NetBackup PureDisk: Non-Privileged User Authentication Bypass
Elevation of Privilege

Revision History
None

Severity
Medium (highly dependent on network configuration)

Remote Access               Yes
Local Access                No
Authentication Required     Yes (to network)
Exploit publicly available  No

Overview

Symantec discovered a security issue in Symantec's Veritas NetBackup 6.0
PureDisk Remote Office Edition. An unauthorized user with access to the
network and the server hosting the management interface can potentially
bypass the management interface authentication to gain access and elevate
their privileges on the system.

Supported Product(s) Affected

Product:   Symantec Veritas NetBackup PureDisk Remote Office Edition
           (all platforms)
Version:   6.0
Builds:    GA, MP1
Solution:  NB_PDE_60_MP1_P01

NOTE: For systems running NetBackup 6.0 GA PureDisk Remote Office Edition
it will be necessary to install Maintenance Pack 1 prior to applying this
Security Pack.

This issue ONLY affects the product and versions listed above.

Details

An internal review revealed a potential elevation of privilege issue in
the Symantec Veritas NetBackup PureDisk management interface. The
management interface is accessible only through an SSL web connection by
default. However, it is possible for a non-privileged user with access to
the network and the server hosting the Symantec Veritas NetBackup PureDisk
management interface to bypass the management interface authentication
and further leverage that access to gain privileged access on the server.

Symantec Response

Symantec engineers have addressed the issues identified above and made
security updates available. Symantec strongly recommends that all
customers apply the latest security update to protect against threats of
this nature.

Symantec knows of no exploitation of, or adverse customer impact from,
these issues.

The patches listed above for affected products are available through the
following location:

  http://support.veritas.com/docs/284734
  for Symantec Veritas NetBackup PureDisk Remote Office Edition.

Best Practices

As part of normal best practices, Symantec recommends:

- - - Restrict access to administration or management systems to
      authorized privileged users only
- - - Block remote access to all ports not essential for efficient
      operation
- - - Restrict remote access, if required, to trusted/authorized systems
      only
- - - Remove/disable unnecessary accounts or restrict access according to
      security policy as required
- - - Run under the principle of least privilege where possible
- - - Keep all operating systems and applications updated with the latest
      vendor patches
- - - Follow a multi-layered approach to security. Run both firewall and
      antivirus applications, at a minimum, to provide multiple points of
      detection and protection to both inbound and outbound threats
- - - Deploy network intrusion detection systems to monitor network
      traffic for signs of anomalous or suspicious activity. This may aid
      in detection of attacks or malicious activity related to
      exploitation of the latest vulnerabilities

CVE

A CVE Candidate name is being requested from the Common Vulnerabilities
and Exposures (CVE) initiative for this issue. This advisory will be
revised accordingly upon receipt of the CVE Candidate name.

This issue is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBRON2CBy6+gFWHby+AQhJAwf/dXuTHhkFJ+cqnVxFiDaBdpH0zkrb0zDU
H9d6txyy7kiFa8D8Ul2bVHT0fARLmkiCzOrdkOKujV/cIgORSGm5MaghJpOnz6mB
/eM7G/iv2AWfxjHVByDrWxnDP3+MQIBCLH+oix5TthcipHLOONoEK2NowJm/idoa
rkyDIzDLbx9zzikD89BwIn2BiR0DZFm8wpF4D3X0PTQFsh/klfy39LOjQgM/HDZN
mrNL9OQyTjif+L9SkGKGHgOavTOrVwZqn52u7a2D/RHTy7iWuFNpy1Md8yLa/hZg
Yhb3CLAHwAPFHz1d86rWscsu3ERLdGaKjgxoWFlKyKSVfaXGIxxzeA==
=+N1w
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBROO7Uyh9+71yA2DNAQKvSAP/Y2+vlzkBbe2JW55PDnHj7fQ4tQqo4wCQ
6ERXIxt4iPUIxLq2Gfw+tol/kd0/JNy3+r5GVxTm9XZTouZFzELyrUXCnq9/qjMg
cH+r/wtDMXkbRnOI027lUIl147KLpBl0rybCJZDk6tcl0tzewDrNk4tLGY8eQx01
qOzjLXZvmX4=
=1hGv
-----END PGP SIGNATURE-----