search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Veritas NetBackup "bpjava-susvc" process contains an input validation error

Vulnerability Note VU#685456

Original Release Date: 2005-01-18 | Last Revised: 2005-04-20

Overview

Veritas NetBackup Administrative Assistant interface may allow users to execute arbitrary commands with elevated privileges.

Description

The Veritas NetBackup Administrative Assistant interface (bpjava-susvc) contains an input validation vulnerability. According to Veritas Alert 271727 :

When the NetBackup Administrative Java GUI connects to a NetBackup server (either a master or media server) a process is started on the server called bpjava-susvc. A normal user with access to this server could send specially crafted commands to this process and have those commands executed with root authority.

It is also possible to exploit this issue if the Backup & Restore GUI is started as root.

The following NetBackup applications and versions are reported to be vulnerable:

    • NetBackup BusinesServer 3.4, 3.4.1, and 4.5
    • NetBackup DataCenter 3.4, 3.4.1, and 4.5
    • NetBackup Enterprise Server 5.1
    • NetBackup Server 5.0 and 5.1

Impact

If an attacker supplies a vulnerable NetBackup server with specially crafted commands, those commands may be executed with elevated (possibly root) privileges.

Solution

Apply Patch
According to Veritas Alert 271727 the following patches will correct this problem:

      • 4.5 Maintenance Pack 8 (MP8)
      • 4.5 Feature Pack 8 (FP8)
      • 5.0 Maintenance Pack 4 (MP4)
      • 5.1 Maintenance Pack 2 (MP2)
Upgrade

This issue will be fixed in Veritas NetBackup version 6.

Workaround


Enabling no call-back will correct this issue. To enable no call-back set the NBJAVA_CONNECT_OPTION to 1 in the NetBackup configuration file (nbj.conf on UNIX and .vrtsnbuj on Windows).

Veritas released the following examples to demonstrate how to set NBJAVA_CONNECT_OPTION to 1 on Windows and UNIX platforms:

Partial sample of a Windows <NB Installed location>\java\<host_name>.vrtsnbuf file:

    # Backslashes in the install path must be escaped.
    # An example: "C:\\Program Files\\VERITAS\\java"
    SET INSTALL_PATH=C:\\Program Files\\VERITAS\\\\Java
    SET SERVER_HOST=master.min.veritas.com
    SET NBJAVA_CONNECT_OPTION=1

Partial sample of a UNIX /usr/openv/java/nbj.conf file:
    # $Revision: 1.3 $
    #bcpyrght
    #***************************************************************************
    #* $VRTScprght: Copyright 1993 - 2003 VERITAS Software Corporation, All Rights Reserved $ *
    #***************************************************************************
    #ecpyrght

    BPJAVA_PORT=13722
    VNETD_PORT=13724
    NBJAVA_CONNECT_OPTION=1

Vendor Information

685456
 
Affected   Unknown   Unaffected

NEC Corporation

Updated:  April 20, 2005

Status

  Vulnerable

Vendor Statement

* VERITAS NetBackup

- is Vulnerable.
- For more detail.
http://www.sw.nec.co.jp/psirt/bnin2005.html#4 (only in Japanese).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.sw.nec.co.jp/psirt/bnin2005.html#4 (only in Japanese).

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Veritas SOFTWARE

Updated:  January 17, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was reported in Veritas Alert 271727.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 3.65
Date Public: 2004-10-20
Date First Published: 2005-01-18
Date Last Updated: 2005-04-20 14:48 UTC
Document Revision: 54

Sponsored by CISA.