Veritas plugs a bunch of NetBackup vulns
Paranormal bugs in bprd
Veritas has patched multiple remote code execution vulnerabilities in its NetBackup software and the appliance by the same name.
Veritas has issued a hotfix for the flaws and says it should be applied as soon as possible.
The affected versions are NetBackup 7.7.2, 7.7.3, and 8.0; and NetBackup Appliances 2.7.2, 2.7.3, and 3.0 (which is also available as a virtual appliance).
In all, five vulnerabilities were disclosed by Google Security's Sven Blumenstein and Xiaoran Wang.
The first is in NetBackup's bprd process, whose C_PFI_ROTATION command is vulnerable to arbitrary command injection.
In the second, the nbbsdtar tar binary can be used to copy any file into a whitelisted directory, giving privileged execution of any command.
Even with an added whitelist, the advisory explains, the binary's C_REMOTE_EXECUTE API “still provides access to over 600 (!) executable binaries. It is very likely that a number of these binaries can be leveraged to bypass the current security mechanisms and provide high risk attack vectors”.
We return to the bprd process for the third vuln: a crafted C_REMOTE_WRITE request gives an attacker full control over both the filename written and its content.
This cascades into vulnerability number four: the remote write defeats NetBackup's directory whitelisting, since an attacker can use it both to add arbitrary paths to the whitelist and to overwrite files under paths already on it, which can be parlayed into remote command execution.
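The cascade described above, as an added illustration rather than NetBackup code or anything from the advisory: a toy file-write endpoint whose directory allowlist is re-read from a file that itself sits under an allowed directory, so one permitted write extends the policy and the next write lands anywhere. Beside it is a hardened variant that fixes the policy at start-up, canonicalises paths and tests containment with a proper path comparison. All class names, file names and the scratch directory tree are hypothetical and constructed in place.

```python
"""Arbitrary-write primitive versus a directory allowlist.

Constructed example, not NetBackup code. All names are hypothetical.
Shows two ways a prefix-matched, file-backed allowlist fails (rewriting the
policy file; '..' traversal) and a hardened version that closes both.
"""
import os
import tempfile


def load_allowlist(path):
    """Read one allowed directory per line (hypothetical policy format)."""
    with open(path) as f:
        return [line.strip() for line in f if line.strip()]


class VulnerableWriter:
    """Allowlist re-read from disk on every call and checked by string prefix.
    If the allowlist file lives inside an allowed directory, one legitimate
    write extends the policy and the following write goes anywhere."""

    def __init__(self, allowlist_path):
        self.allowlist_path = allowlist_path

    def write(self, path, data):
        allowed = load_allowlist(self.allowlist_path)
        # Weak check: raw string prefix, no canonicalisation.
        if not any(path.startswith(d.rstrip(os.sep) + os.sep) for d in allowed):
            return False
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        return True


class HardenedWriter:
    """Policy fixed at construction (never reloaded from a caller-writable
    path), target canonicalised with realpath so '..' and symlinks cannot
    escape, containment tested with commonpath, and an explicit refusal to
    touch the policy file itself."""

    def __init__(self, allowed_dirs, allowlist_path):
        self.allowed = [os.path.realpath(d) for d in allowed_dirs]
        self.policy_file = os.path.realpath(allowlist_path)

    def write(self, path, data):
        target = os.path.realpath(path)
        if target == self.policy_file:
            return False
        if not any(os.path.commonpath([target, d]) == d for d in self.allowed):
            return False
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as f:
            f.write(data)
        return True


def demo():
    """Run the same attacker steps against both writers in a scratch tree
    and report which writes succeeded (True) or were refused (False)."""
    base = tempfile.mkdtemp()
    allowed = os.path.join(base, "allowed")
    os.makedirs(allowed)
    outside = os.path.join(base, "outside", "victim.txt")
    # The misconfiguration under test: the policy file sits in the allowed tree.
    allowlist_path = os.path.join(allowed, "allowlist.txt")
    with open(allowlist_path, "w") as f:
        f.write(allowed + "\n")
    extended_policy = (allowed + "\n" + base + "\n").encode()

    results = {}
    vuln = VulnerableWriter(allowlist_path)
    # Step 1: a write the allowlist permits, aimed at the allowlist itself.
    results["vuln_extends_policy"] = vuln.write(allowlist_path, extended_policy)
    # Step 2: the whole tree is now allowed, so a file outside is writable.
    results["vuln_writes_outside"] = vuln.write(outside, b"owned")
    # Traversal passes a prefix check without touching the policy at all.
    results["vuln_traversal"] = vuln.write(allowed + "/../outside/v2.txt", b"owned")

    hard = HardenedWriter([allowed], allowlist_path)
    results["hard_extends_policy"] = hard.write(allowlist_path, extended_policy)
    results["hard_writes_outside"] = hard.write(outside, b"owned")
    results["hard_traversal"] = hard.write(allowed + "/../outside/v3.txt", b"owned")
    results["hard_legit"] = hard.write(os.path.join(allowed, "backup.img"), b"data")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'written' if ok else 'refused'}")
```

The point of the hardened class is not the extra checks alone but where the policy lives: a whitelist that a whitelisted write can modify is not a control, whatever the matching logic, so the policy has to be loaded from somewhere the write primitive can never reach.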
Finally, there's a bypass, using a function called pbx_exchange, for the DNS-based security function meant to limit the IP addresses that can call the API to localhost and known servers and clients. ®