             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                  VERITAS NetBackup (tm) Java GUI Vulnerability
                           [Document ID: 271727]

October 22, 2004 18:00 GMT                                        Number P-020
______________________________________________________________________________
PROBLEM:       Veritas NetBackup privilege escalation vulnerability.

PLATFORM:      Only when the Java GUI for remote administration is enabled:
               Veritas Software NetBackup BusinessServer 3.4.0
               Veritas Software NetBackup BusinessServer 3.4.1
               Veritas Software NetBackup BusinessServer 4.5.0
               Veritas Software NetBackup DataCenter 3.4.0
               Veritas Software NetBackup DataCenter 3.4.1
               Veritas Software NetBackup DataCenter 4.5.0
               Veritas Software NetBackup Enterprise Server 5.1.0
               Veritas Software NetBackup Server 5.0.0
               Veritas Software NetBackup Server 5.1.0

DAMAGE:        When the NetBackup Java GUI connects to a server, a process
               called bpjava-susvc is started on the server. A normal user
               with access to this server could send specially crafted
               commands to this process and have those commands executed
               with root authority.

SOLUTION:      Currently, a work-around is available to circumvent this
               exploit by requiring bpjava-susvc to use the no call-back
               feature. Please go to
               http://seer.support.veritas.com/docs/271727.htm for this
               work-around.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A normal user can get root access on the
ASSESSMENT:    server.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-020.shtml
 ORIGINAL BULLETIN:  http://seer.support.veritas.com/docs/271727.htm
______________________________________________________________________________

[***** Start Document ID: 271727 *****]

Document ID: 271727
http://support.veritas.com/docs/271727

VERITAS NetBackup (tm) Java GUI is susceptible to an exploit which could allow
a normal user to execute commands with root authority. Anyone who administers
NetBackup via the Java GUI and does not use the work-around listed below could
potentially be affected by this exploit.

--------------------------------------------------------------------------------
Details:

When the NetBackup Java GUI connects to a server, a process called
bpjava-susvc is started on the server. A normal user with access to this
server could send specially crafted commands to this process and have those
commands executed with root authority.

Currently, a work-around is available to circumvent this exploit by requiring
bpjava-susvc to use the no call-back feature. To enable this feature, the
NBJAVA_CONNECT_OPTION parameter must be set to 1 on the machine where the Java
GUI is started. This parameter is located on UNIX platforms in
/usr/openv/java/nbj.conf and on Windows platforms in \java\.vrtsnbuj.

Partial sample of a Windows \java\.vrtsnbuf file:

   # Backslashes in the install path must be escaped.
   # An example: "C:\\Program Files\\VERITAS\\java"
   SET INSTALL_PATH=C:\\Program Files\\VERITAS\\\\Java
   SET SERVER_HOST=master.min.veritas.com
   SET NBJAVA_CONNECT_OPTION=1

Partial sample of a UNIX /usr/openv/java/nbj.conf file:

   # $Revision: 1.3 $
   #bcpyrght
   #***************************************************************************
   #* $VRTScprght: Copyright 1993 - 2003 VERITAS Software Corporation, All Rights Reserved $ *
   #***************************************************************************
   #ecpyrght
   BPJAVA_PORT=13722
   VNETD_PORT=13724
   NBJAVA_CONNECT_OPTION=1

Formal Resolution:

A permanent fix for this issue is scheduled to be released in NetBackup 6.0.
The following upcoming NetBackup patches, and all later ones, will be hard
coded to use NBJAVA_CONNECT_OPTION=1 regardless of the setting in the
configuration file:

   4.5 Maintenance Pack 8 (MP8)
   4.5 Feature Pack 8 (FP8)
   5.0 Maintenance Pack 4 (MP4)
   5.1 Maintenance Pack 2 (MP2)

As NetBackup 3.4 is now end-of-life, a patch will not be available for this
version.

Until these Maintenance / Feature Packs are released, VERITAS highly
recommends using the workaround described above, which will set bpjava-susvc
to use the no call-back feature. If you have any questions about how to
implement this workaround, or if you have questions about this issue, please
do not hesitate to call VERITAS Technical Support.
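The workaround above is only effective if every administrator workstation that starts the Java GUI actually carries NBJAVA_CONNECT_OPTION=1. The following audit helper is an added example, not code from the bulletin or from VERITAS; it parses both file shapes the bulletin shows (UNIX KEY=VALUE and Windows SET KEY=VALUE, with '#' comment lines) and reports which configs are missing the setting. The sample file contents are constructed, and "last assignment wins" for a repeated key is an assumption.

```python
"""Audit NetBackup Java GUI config files for the NBJAVA_CONNECT_OPTION=1 workaround."""
import re
from typing import Dict

# "KEY=VALUE" (UNIX nbj.conf) or "SET KEY=VALUE" (Windows .vrtsnbuj); '#' lines are comments.
_ASSIGN = re.compile(r"^(?:SET\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_nbj_conf(text: str) -> Dict[str, str]:
    """Map KEY -> VALUE; last assignment wins (an assumption about how the GUI loads it)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if match:
            settings[match.group(1).upper()] = match.group(2)
    return settings


def workaround_enabled(text: str) -> bool:
    """True only when NBJAVA_CONNECT_OPTION is explicitly 1 (no call-back); absent or other => False."""
    return parse_nbj_conf(text).get("NBJAVA_CONNECT_OPTION") == "1"


def audit(configs: Dict[str, str]) -> Dict[str, bool]:
    """Given {workstation_name: file_contents}, report which ones carry the workaround."""
    return {name: workaround_enabled(body) for name, body in configs.items()}


# Constructed samples shaped like the partial files quoted in the bulletin.
WINDOWS_SAMPLE = r"""# Backslashes in the install path must be escaped.
SET INSTALL_PATH=C:\\Program Files\\VERITAS\\java
SET SERVER_HOST=master.min.veritas.com
SET NBJAVA_CONNECT_OPTION=1
"""
UNIX_SAMPLE = """# $Revision: 1.3 $
BPJAVA_PORT=13722
VNETD_PORT=13724
NBJAVA_CONNECT_OPTION=1
"""
UNIX_UNPATCHED = """# $Revision: 1.3 $
BPJAVA_PORT=13722
VNETD_PORT=13724
"""

if __name__ == "__main__":
    for name, ok in audit({"win-admin": WINDOWS_SAMPLE, "unix-admin": UNIX_UNPATCHED}).items():
        print(f"{name}: {'workaround set' if ok else 'MISSING NBJAVA_CONNECT_OPTION=1'}")
```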
--------------------------------------------------------------------------------
Products Applied:
   NetBackup BusinessServer 3.4, 3.4.1, 4.5
   NetBackup DataCenter 3.4, 3.4.1, 4.5
   NetBackup Enterprise Server 5.1
   NetBackup Server 5.0, 5.1

Last Updated: October 20 2004 07:03 PM GMT
Expires on: 09-24-2005

Subjects:
   NetBackup BusinessServer     Application: Alert   Publishing Status: Techalert
   NetBackup DataCenter         Application: Alert   Publishing Status: Techalert
   NetBackup Enterprise Server  Application: Alert   Publishing Status: Techalert
   NetBackup Server             Application: Alert   Publishing Status: Techalert

Languages: English (US)

Operating Systems:
   Windows 2000: Advanced Server, Advanced Server SP1, Advanced Server SP2,
      Advanced Server SP3, Advanced Server SP4, Advanced Server Windows
      Powered, Advanced Server Windows Powered SP1, Advanced Server Windows
      Powered SP2, Advanced Server Windows Powered SP3, Advanced Server
      Windows Powered SP4, Citrix MetaFrame 1.8, Citrix MetaFrame XPe,
      Datacenter Server, Datacenter Server SP1, Datacenter Server SP2,
      Datacenter Server SP3, Datacenter Server SP4, Professional,
      Professional SP1, Professional SP2, Professional SP3, Professional SP4,
      SAK, Server, Server 5.00.2195, Server SP1, Server SP2, Server SP3,
      Server SP4, Server Windows Powered, Server Windows Powered SP1, Server
      Windows Powered SP2, Server Windows Powered SP3, Server Windows Powered
      SP4
   AIX: 4.1, 4.2, 4.3, 5.1, 5.2, 5.3
   TRU64: 5.0, 5.1
   HP-UX: 10.20, 11.0, 11.11
   Solaris: 2.6, 7.0, 8.0, 9.0
   Linux: Advanced Server 2.1, Debian GNU Linux 3.0, Debian GNU/Linux 2.1,
      Debian GNU/Linux 2.2r4, Kernel 2.0.36, RedHat 5.2, RedHat 6.0, RedHat
      6.1, RedHat 6.2, RedHat 6.x, RedHat 7.0, RedHat 7.1, RedHat 7.1 errata,
      RedHat 7.2, RedHat 7.2 (zSeries), RedHat 7.2 errata, RedHat 7.3, RedHat
      7.x, RedHat Advanced Server 2.1, RedHat ES 2.1 (Workstation), RedHat
      Enterprise Linux (ES) 3.0 (zSeries), RedHat Enterprise Linux 3.0 (AS,
      ES, WS), RedHat Enterprise Linux 3.0 U2 (AS, ES, WS), RedHat Enterprise
      Server 2.1 (AS, ES, WS)
   Windows Server 2003: DataCenter, DataCenter 64-bit, Enterprise 64-bit,
      Enterprise Server, Standard Server

[***** End Document ID: 271727 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of VERITAS for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-010: Microsoft Compressed (Zipped) Folders Vulnerability
P-011: Microsoft Vulnerability in NetDDE Could Allow Remote Code Execution (841533)
P-012: Microsoft Vulnerability in NNTP Could Allow Remote Code Execution (883935)
P-013: Macromedia JRun Server Vulnerabilities
P-014: CUPS Information Leak
P-015: Libtiff Vulnerabilities
P-016: Sun FTP Daemon of Heimdal is Vulnerable to Race Conditions
P-017: Sun Security Vulnerability When Using LDAP in Conjunction with RBAC
P-018: Red Hat Update MySQL Packages Fix Security Issues and Bugs
P-019: Red Hat Updated CUPS Packages Fix Security Issues