Veritas plugs a bunch of NetBackup vulns

Paranormal bugs in bprd

Whack-a-mole

Veritas has patched multiple remote code execution vulnerabilities in its NetBackup software and the appliance by the same name.

The vulnerabilities should be patched with this hotfix as soon as possible.

The affected versions are NetBackup 7.7.2, 7.7.3, and 8.0; and NetBackup Appliances 2.7.2, 2.7.3, and 3.0 (which is also available as a virtual appliance).

In all, five vulnerabilities were disclosed by Google Security's Sven Blumenstein and Xiaoran Wang.

The first is in NetBackup's bprd process, which exposes a command, C_PFI_ROTATION, that is vulnerable to arbitrary command injection.

In the second, the nbbsdtar tar binary can be used to copy any file into a whitelisted directory, allowing privileged execution of any command.

Even with an added whitelist, the advisory explains, the binary's C_REMOTE_EXECUTE API “still provides access to over 600 (!) executable binaries. It is very likely that a number of these binaries can be leveraged to bypass the current security mechanisms and provide high risk attack vectors”.

We return to the bprd process for the third vuln: an attacker could send a crafted request to its C_REMOTE_WRITE call and gain full control over both the filename and the content written.

This cascades into vulnerability number four: the bprd remote write call gets around NetBackup's directory whitelisting, because an attacker can add any path to the whitelist and overwrite any path already in it. This can be exploited for remote command execution.
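The third and fourth bugs together illustrate a general failure mode: a directory whitelist is only as strong as the write primitive's inability to reach the whitelist itself. The following is an added illustration, not NetBackup code and not from the advisory; the class names, file layout and the `backups` directory are hypothetical. It contrasts a naive guard (allowlist stored inside the writable tree, matched by string prefix on the raw path) with a hardened one (allowlist fixed at start-up outside the writable tree, paths canonicalised and checked for true containment), and returns booleans so the difference can be checked rather than just printed.

```python
import os
import tempfile

# Constructed example of a directory allowlist for a remote-write API.
# Hypothetical names; this is not NetBackup's implementation.


class NaiveWriteGuard:
    """Allowlist kept inside the writable tree and matched by string prefix."""

    def __init__(self, root):
        self.root = root
        self.allowlist_file = os.path.join(root, "allowed_dirs.txt")
        os.makedirs(os.path.join(root, "backups"), exist_ok=True)
        with open(self.allowlist_file, "w") as f:
            f.write(os.path.join(root, "backups") + "\n")

    def allowed_dirs(self):
        with open(self.allowlist_file) as f:
            return [line.strip() for line in f if line.strip()]

    def write(self, path, data):
        # Prefix match on the un-normalised path: ".." is never resolved, and
        # the allowlist file sits one level above an allowed prefix.
        if not any(path.startswith(d) for d in self.allowed_dirs()):
            raise PermissionError(path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(data)


class HardenedWriteGuard:
    """Allowlist fixed at start-up, not on disk under root; paths canonicalised."""

    def __init__(self, root, allowed_subdirs):
        self.root = os.path.realpath(root)
        self.allowed = [os.path.realpath(os.path.join(self.root, d))
                        for d in allowed_subdirs]
        for d in self.allowed:
            os.makedirs(d, exist_ok=True)

    def write(self, path, data):
        # Resolve symlinks and ".." first, then require real containment
        # (commonpath) instead of a string prefix.
        real = os.path.realpath(path)
        if not any(os.path.commonpath([d, real]) == d for d in self.allowed):
            raise PermissionError(path)
        with open(real, "w") as f:
            f.write(data)


def naive_allowlist_can_be_rewritten():
    """True if a traversal path passes the naive check and replaces the allowlist."""
    guard = NaiveWriteGuard(os.path.join(tempfile.mkdtemp(), "naive"))
    traversal = os.path.join(guard.root, "backups", "..", "allowed_dirs.txt")
    guard.write(traversal, "/\n")  # accepted: starts with "<root>/backups"
    return guard.allowed_dirs() == ["/"]


def hardened_rejects_escape():
    """True if traversal and symlink escapes are refused but in-bounds writes work."""
    tmp = tempfile.mkdtemp()
    guard = HardenedWriteGuard(os.path.join(tmp, "hardened"), ["backups"])
    backups = os.path.join(guard.root, "backups")
    attempts = [
        os.path.join(backups, "..", "escape.txt"),     # ".." traversal
    ]
    link = os.path.join(backups, "link")
    os.symlink(os.path.join(tmp, "outside"), link)     # symlink pointing out
    attempts.append(os.path.join(link, "file.txt"))
    for path in attempts:
        try:
            guard.write(path, "x")
            return False                                # escape was accepted
        except PermissionError:
            pass
    guard.write(os.path.join(backups, "ok.txt"), "x")   # legitimate write
    return os.path.exists(os.path.join(backups, "ok.txt"))


if __name__ == "__main__":
    print("naive allowlist rewritten:", naive_allowlist_can_be_rewritten())
    print("hardened guard holds:", hardened_rejects_escape())
```

The design point is that the hardened guard never reads its policy from a location the guarded write can reach, and compares canonical paths, so neither a `..` component nor a symlink planted inside an allowed directory can widen the policy.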

Finally, there's a bypass for the DNS-based security function meant to limit the IP addresses that can call the API to localhost and known servers and clients, using a function called pbx_exchange. ®

Biting the hand that feeds IT © 1998–2017