Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.1717
Multiple vulnerabilities have been found in JP1/VERITAS
11 July 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Hitachi JP1/VERITAS NetBackup
Hitachi JP1/VERITAS Backup Exec
Publisher: Hitachi
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Root Compromise -- Existing Account
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-8895 CVE-2017-8857 CVE-2017-8856
CVE-2017-6409 CVE-2017-6408 CVE-2017-6407
CVE-2017-6406 CVE-2017-6405 CVE-2017-6404
CVE-2017-6403 CVE-2017-6402 CVE-2017-6401
CVE-2017-6400 CVE-2017-6399
Original Bulletin:
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-117/index.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple Vulnerabilities in JP1/VERITAS
Update: July 10, 2017
Multiple vulnerabilities have been found in JP1/VERITAS.
Security Information ID
hitachi-sec-2017-117
Vulnerability description
Multiple vulnerabilities have been found in JP1/VERITAS.
VTS17-003: Multiple Vulnerabilities in Veritas NetBackup, NetBackup Appliance and Access (Display new window)
CVE ID: CVE-2017-6407
Severity: Critical
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
A local user on a NetBackup server can execute an arbitary command on the NetBackup server or cause the server to execute an arbitrary command on a connected NetBackup client. The command will execute with root/admin privileges.
CVE ID: CVE-2017-6400
Severity: Critical
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
A local user on a NetBackup server or client can execute an arbitrary command on the local system. The command will execute with root/admin privileges. This is a separate issue from Issue #1 described above.
CVE ID: CVE-2017-6402
Severity: Medium
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
An authenticated user that can communicate with the NetBackup server can cause a denial of service.
CVE ID: CVE-2017-6399
Severity: Critical
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
A local user on a NetBackup server can execute an arbitrary command on the NetBackup server or cause the server to execute an arbitrary command on a connected NetBackup client. The command will execute with root/admin privileges. This is a different issue from Issues #1 and #2 above.
CVE ID: CVE-2017-6406
Severity: Critical
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
NetBackup services can execute commands on the local system from a whitelist of directories. A local user can escape that whitelist by using one or more “../†as part of a path to execute any command on the system.
CVE ID: CVE-2017-6401
Severity: High
CVSS v3 Base Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
bpcd runs as root/admin and can execute any NetBackup command. bpnbat can execute any command on the local system. If bpcd is used to execute bpnbat then in combination they can be used to execute any command on the system as root/admin.
CVE ID: CVE-2017-6405
Severity: Critical
CVSS v3 Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
NetBackup relies on host names to ensure that it is communicating with the correct client or server. This is vulnerable to DNS spoofing.
CVE ID: CVE-2017-6408
Severity: High
CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
pbx_exchange creates sockets that any process can connect to and then changes the permissions so that only root processes can connect. In the time between creation and the permission change an unprivileged local process could connect to pbx_exchange and impersonate a legitimate component.
CVE ID: CVE-2017-6404
Severity: Low
CVSS v3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
If logging is enabled many of the log files used by NetBackup are world writable, allowing an attacker to corrupt those files.
CVE ID: CVE-2017-6404
Severity: Low
CVSS v3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
If logging is enabled many of the log files used by NetBackup are world writable, allowing an attacker to corrupt those files.
CVE ID: CVE-2017-6403
Severity: Critical
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
The NetBackup Cloud Storage Service connector uses a hardcoded username and password. An attacker using these credentials can query and modify the configuration and delete data.
CVE ID: CVE-2017-6409
Severity: Critical
CVSS v3 Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Unauthenticated CORBA interfaces permit an attacker to affect the confidentiality, integrity and availability of NetBackup.
VTS17-004: Multiple Vulnerabilities in Veritas NetBackup and NetBackup Appliance (Display new window)
CVE ID: CVE-2017-8856
Severity: Critical
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The 'bprd' process on a master server allows unauthenticated, arbitrary remote command execution. This bypasses directory whitelisting, permitting any command on the system to be executed as root/administrator.
CVE ID: CVE-2017-8857
Severity: Critical
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
The 'bprd' process on a master server allows an unauthenticated user to copy any file to any other file on any NetBackup host in the master server domain. This file can then be executed as root/administrator.
VTS17-006: Use-After-Free Vulnerability in Multiple Veritas Backup Exec Agents (Display new window)
CVE ID: CVE-2017-8895
Severity: Critical
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
There is a use-after-free vulnerability in multiple Veritas Backup Exec agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.
Affected products and versions are listed below. Please upgrade your version to the appropriate version.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
Product name: JP1/VERITAS NetBackup 8.0
VERITAS product name: Veritas NetBackup 8.0
Version(s):
Windows, UNIX, Linux
8.0 (11-10 to 11-10-/A)
Product name: JP1/VERITAS NetBackup 7.7
VERITAS product name: Veritas NetBackup 7.7
Version(s):
Windows, UNIX, Linux
7.7.1 (11-00), 7.7.3 (11-01 to 11-01-/A)
Product name: JP1/VERITAS Backup Exec 15
VERITAS product name: Veritas Backup Exec 15
Version(s):
Windows, Linux
10-50 to 10-55
Product name: JP1/VERITAS Backup Exec 2014
VERITAS product name: Veritas Backup Exec 2014
Version(s):
Windows, Linux
10-10 to 10-13
Product name: JP1/VERITAS Backup Exec 2012
VERITAS product name: Veritas Backup Exec 2012
Version(s):
Windows, Linux
09-50 to 09-57
For details on the fixed products, contact your Hitachi support service representative.
Revision history
July 10, 2017
This page is released.
Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information.
The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself.
The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWWRGyYx+lLeg9Ub1AQgtyRAAjfR8uuvtIiIObDtOphIrFmcd4Q8bfEey
pubTxwPkwBa4Z5BM92iRKFvoS9e9pvoWGQpfICSYiZH8NF9uEcFhcaXTtHqfZ273
a4CnOWOXnRTpo8W/kGihL4lW3LH6cDPl3ToWHPv1baLJoSZJYBxT8t+5uuCCkLQp
DbDl3NlXv/Yfza1w8MHtrYpeuCd329oeY5VibznjO9ivH2qMYD41za/A2bn2/WeA
MLnmmMBmsN7jGRomTuDroX0MeU6Qcx7bjsscqSjBfSy65VDgbPSgzCwa6odnflGB
yOdEfPC9M14KPDKBp06LGfe3UMYCc/7tutMwJc5tPrIQ89A8BDUba/u5pfbuB+Dl
+39HV6rB98tamOG7BzI53iy3P3A8S5Ugkjze+uVV3G1DREE1QlGomjczTyhCBAyp
wDtP6a8ETHUrlNUppygWtKllHZAW4ZwTE3ZIKJD2cplJPeAUS0WVmXQEntvUVGKv
a8RZUE69pixIV0ZF+9aQTBQO/GuWmG1N/6kDf/7EXmwy/W+w4zHAfVWy30A1mZLA
lwjjy9QQYGRMDE0i3KEqGYXu/1fJ28lFHi/KHewRATfQWqpmL4S03TYDxvfxyNmj
4nNNgEFIf2ZP+scr55G8ijtPa7JoOGPUFcxu+mz1O07x02yTy7P/pGTEpcPVbmE9
XFBqjVXMqZk=
=FXQh
-----END PGP SIGNATURE-----