Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2017.1717 Multiple vulnerabilities have been found in JP1/VERITAS 11 July 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Hitachi JP1/VERITAS NetBackup Hitachi JP1/VERITAS Backup Exec Publisher: Hitachi Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Root Compromise -- Existing Account Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2017-8895 CVE-2017-8857 CVE-2017-8856 CVE-2017-6409 CVE-2017-6408 CVE-2017-6407 CVE-2017-6406 CVE-2017-6405 CVE-2017-6404 CVE-2017-6403 CVE-2017-6402 CVE-2017-6401 CVE-2017-6400 CVE-2017-6399 Original Bulletin: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-117/index.html - --------------------------BEGIN INCLUDED TEXT-------------------- Multiple Vulnerabilities in JP1/VERITAS Update: July 10, 2017 Multiple vulnerabilities have been found in JP1/VERITAS. Security Information ID hitachi-sec-2017-117 Vulnerability description Multiple vulnerabilities have been found in JP1/VERITAS. VTS17-003: Multiple Vulnerabilities in Veritas NetBackup, NetBackup Appliance and Access (Display new window) CVE ID: CVE-2017-6407 Severity: Critical CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) A local user on a NetBackup server can execute an arbitary command on the NetBackup server or cause the server to execute an arbitrary command on a connected NetBackup client. The command will execute with root/admin privileges. CVE ID: CVE-2017-6400 Severity: Critical CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) A local user on a NetBackup server or client can execute an arbitrary command on the local system. The command will execute with root/admin privileges. This is a separate issue from Issue #1 described above. CVE ID: CVE-2017-6402 Severity: Medium CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) An authenticated user that can communicate with the NetBackup server can cause a denial of service. CVE ID: CVE-2017-6399 Severity: Critical CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) A local user on a NetBackup server can execute an arbitrary command on the NetBackup server or cause the server to execute an arbitrary command on a connected NetBackup client. The command will execute with root/admin privileges. This is a different issue from Issues #1 and #2 above. CVE ID: CVE-2017-6406 Severity: Critical CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) NetBackup services can execute commands on the local system from a whitelist of directories. A local user can escape that whitelist by using one or more “../†as part of a path to execute any command on the system. CVE ID: CVE-2017-6401 Severity: High CVSS v3 Base Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) bpcd runs as root/admin and can execute any NetBackup command. bpnbat can execute any command on the local system. If bpcd is used to execute bpnbat then in combination they can be used to execute any command on the system as root/admin. CVE ID: CVE-2017-6405 Severity: Critical CVSS v3 Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) NetBackup relies on host names to ensure that it is communicating with the correct client or server. This is vulnerable to DNS spoofing. CVE ID: CVE-2017-6408 Severity: High CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) pbx_exchange creates sockets that any process can connect to and then changes the permissions so that only root processes can connect. In the time between creation and the permission change an unprivileged local process could connect to pbx_exchange and impersonate a legitimate component. CVE ID: CVE-2017-6404 Severity: Low CVSS v3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) If logging is enabled many of the log files used by NetBackup are world writable, allowing an attacker to corrupt those files. CVE ID: CVE-2017-6404 Severity: Low CVSS v3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) If logging is enabled many of the log files used by NetBackup are world writable, allowing an attacker to corrupt those files. CVE ID: CVE-2017-6403 Severity: Critical CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) The NetBackup Cloud Storage Service connector uses a hardcoded username and password. An attacker using these credentials can query and modify the configuration and delete data. CVE ID: CVE-2017-6409 Severity: Critical CVSS v3 Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) Unauthenticated CORBA interfaces permit an attacker to affect the confidentiality, integrity and availability of NetBackup. VTS17-004: Multiple Vulnerabilities in Veritas NetBackup and NetBackup Appliance (Display new window) CVE ID: CVE-2017-8856 Severity: Critical CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) The 'bprd' process on a master server allows unauthenticated, arbitrary remote command execution. This bypasses directory whitelisting, permitting any command on the system to be executed as root/administrator. CVE ID: CVE-2017-8857 Severity: Critical CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) The 'bprd' process on a master server allows an unauthenticated user to copy any file to any other file on any NetBackup host in the master server domain. This file can then be executed as root/administrator. VTS17-006: Use-After-Free Vulnerability in Multiple Veritas Backup Exec Agents (Display new window) CVE ID: CVE-2017-8895 Severity: Critical CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) There is a use-after-free vulnerability in multiple Veritas Backup Exec agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on. Affected products and versions are listed below. Please upgrade your version to the appropriate version. Affected products The information is organized under the following headings: (Example) Product name: Gives the name of the affected product. Version: Platform Gives the affected version. Product name: JP1/VERITAS NetBackup 8.0 VERITAS product name: Veritas NetBackup 8.0 Version(s): Windows, UNIX, Linux 8.0 (11-10 to 11-10-/A) Product name: JP1/VERITAS NetBackup 7.7 VERITAS product name: Veritas NetBackup 7.7 Version(s): Windows, UNIX, Linux 7.7.1 (11-00), 7.7.3 (11-01 to 11-01-/A) Product name: JP1/VERITAS Backup Exec 15 VERITAS product name: Veritas Backup Exec 15 Version(s): Windows, Linux 10-50 to 10-55 Product name: JP1/VERITAS Backup Exec 2014 VERITAS product name: Veritas Backup Exec 2014 Version(s): Windows, Linux 10-10 to 10-13 Product name: JP1/VERITAS Backup Exec 2012 VERITAS product name: Veritas Backup Exec 2012 Version(s): Windows, Linux 09-50 to 09-57 For details on the fixed products, contact your Hitachi support service representative. Revision history July 10, 2017 This page is released. Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information. The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers. The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself. The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWWRGyYx+lLeg9Ub1AQgtyRAAjfR8uuvtIiIObDtOphIrFmcd4Q8bfEey pubTxwPkwBa4Z5BM92iRKFvoS9e9pvoWGQpfICSYiZH8NF9uEcFhcaXTtHqfZ273 a4CnOWOXnRTpo8W/kGihL4lW3LH6cDPl3ToWHPv1baLJoSZJYBxT8t+5uuCCkLQp DbDl3NlXv/Yfza1w8MHtrYpeuCd329oeY5VibznjO9ivH2qMYD41za/A2bn2/WeA MLnmmMBmsN7jGRomTuDroX0MeU6Qcx7bjsscqSjBfSy65VDgbPSgzCwa6odnflGB yOdEfPC9M14KPDKBp06LGfe3UMYCc/7tutMwJc5tPrIQ89A8BDUba/u5pfbuB+Dl +39HV6rB98tamOG7BzI53iy3P3A8S5Ugkjze+uVV3G1DREE1QlGomjczTyhCBAyp wDtP6a8ETHUrlNUppygWtKllHZAW4ZwTE3ZIKJD2cplJPeAUS0WVmXQEntvUVGKv a8RZUE69pixIV0ZF+9aQTBQO/GuWmG1N/6kDf/7EXmwy/W+w4zHAfVWy30A1mZLA lwjjy9QQYGRMDE0i3KEqGYXu/1fJ28lFHi/KHewRATfQWqpmL4S03TYDxvfxyNmj 4nNNgEFIf2ZP+scr55G8ijtPa7JoOGPUFcxu+mz1O07x02yTy7P/pGTEpcPVbmE9 XFBqjVXMqZk= =FXQh -----END PGP SIGNATURE-----