__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                       INFORMATION BULLETIN

    Veritas NetBackup Administrative Java GUI (bpjava-susvc) Vulnerability
                    [Veritas Document ID: 271727]

January 19, 2005 19:00 GMT                                        Number P-102
______________________________________________________________________________
PROBLEM:       A vulnerability was found when using the NetBackup
               Administrative Java GUI (bpjava-susvc).

PLATFORM:      NetBackup BusinesServer 3.4, 3.4.1, and 4.5
               NetBackup DataCenter 3.4, 3.4.1, and 4.5
               NetBackup Enterprise Server 5.1
               NetBackup Server 5.0 and 5.1

DAMAGE:        A vulnerability in the bpjava-susvc process may allow an
               authenticated user to execute arbitrary code with elevated
               privileges.

SOLUTION:      Apply the available patches or workaround.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A local user could send maliciously crafted
ASSESSMENT:    commands that are executed with root privileges.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-102.shtml
 ORIGINAL BULLETIN:  http://seer.support.veritas.com/docs/271727.htm
 ADDITIONAL LINK:    US-CERT Vulnerability Note VU#685456
                     http://www.kb.cert.org/vuls/id/685456
______________________________________________________________________________

[***** Start Veritas Document ID: 271727 *****]

Document ID: 271727
http://support.veritas.com/docs/271727

VERITAS NetBackup (tm) Java GUI is susceptible to an exploit which could allow
a normal user to execute commands with root authority. Anyone who administers
NetBackup via the Java GUI and does not use the work-around listed below could
potentially be affected by this exploit.
Details:

When the NetBackup Administrative Java GUI connects to a NetBackup server
(either a master or media server), a process called bpjava-susvc is started on
the server. A normal user with access to this server could send specially
crafted commands to this process and have those commands executed with root
authority. It is also possible to exploit this issue if the Backup & Restore
GUI is started as root.

Currently, a work-around is available to circumvent this exploit by requiring
bpjava-susvc to use the no call-back feature. To enable this feature, the
NBJAVA_CONNECT_OPTION parameter must be set to 1 on the machine where the
Administrative Java GUI is started. This parameter is located on UNIX platforms
in /usr/openv/java/nbj.conf and on Windows platforms in \java\.vrtsnbuj.

Partial sample of a Windows \java\.vrtsnbuj file:

    # Backslashes in the install path must be escaped.
    # An example: "C:\\Program Files\\VERITAS\\java"
    SET INSTALL_PATH=C:\\Program Files\\VERITAS\\\\Java
    SET SERVER_HOST=master.min.veritas.com
    SET NBJAVA_CONNECT_OPTION=1

Partial sample of a UNIX /usr/openv/java/nbj.conf file:

    # $Revision: 1.3 $
    #bcpyrght
    #***************************************************************************
    #* $VRTScprght: Copyright 1993 - 2003 VERITAS Software Corporation, All Rights Reserved $ *
    #***************************************************************************
    #ecpyrght
    BPJAVA_PORT=13722
    VNETD_PORT=13724
    NBJAVA_CONNECT_OPTION=1

Formal Resolution:

A permanent fix for this issue is scheduled to be released in NetBackup 6.0.
The following upcoming NetBackup patches, and all later ones, will be hard
coded to use NBJAVA_CONNECT_OPTION=1 regardless of the setting in the
configuration file:

    4.5 Maintenance Pack 8 (MP8)
    4.5 Feature Pack 8 (FP8)
    5.0 Maintenance Pack 4 (MP4)
    5.1 Maintenance Pack 2 (MP2)

As NetBackup 3.4 is now end-of-life, a patch will not be available for this
version.
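As an added check that is not part of the Veritas document or the CIAC bulletin, the POSIX shell script below reads the effective NBJAVA_CONNECT_OPTION value from either configuration file format and reports whether the no call-back workaround is in effect on a GUI host. The sample files, the master.example.com host name and the "last occurrence wins" rule are constructed assumptions for the stand-alone run.

```shell
#!/bin/sh
# Added check, not from the Veritas document: report whether a NetBackup Java
# GUI configuration file has the no call-back workaround in effect, i.e. the
# effective NBJAVA_CONNECT_OPTION is 1. Understands the UNIX nbj.conf form
# (KEY=VALUE) and the Windows .vrtsnbuj form (SET KEY=VALUE, CRLF line ends).
# '#' comment lines are ignored; if the key appears more than once, the last
# occurrence is taken as the effective value (an assumption, not documented).

# Print the effective NBJAVA_CONNECT_OPTION value, or "unset" if absent.
nbjava_connect_option() {
    awk '
        /^[ \t]*#/ { next }                                # comment line
        {
            line = $0
            sub(/^[ \t]*[Ss][Ee][Tt][ \t]+/, "", line)     # Windows SET prefix
            if (line ~ /^[ \t]*NBJAVA_CONNECT_OPTION[ \t]*=/) {
                sub(/^[^=]*=[ \t]*/, "", line)             # keep only the value
                sub(/[ \t\r]+$/, "", line)                 # strip blanks and CR
                value = line
            }
        }
        END { print (value == "" ? "unset" : value) }
    ' "$1"
}

# Exit 0 when the workaround is in effect, 1 otherwise; prints a verdict.
check_no_callback() {
    v=$(nbjava_connect_option "$1")
    if [ "$v" = "1" ]; then
        echo "$1: NBJAVA_CONNECT_OPTION=1 (no call-back workaround in effect)"
        return 0
    fi
    echo "$1: NBJAVA_CONNECT_OPTION=$v (workaround NOT in effect)"
    return 1
}

# Constructed sample files for a stand-alone run. On a real host, point the
# check at /usr/openv/java/nbj.conf (UNIX) or <install>\java\.vrtsnbuj (Windows).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'BPJAVA_PORT=13722\nVNETD_PORT=13724\nNBJAVA_CONNECT_OPTION=1\n' \
    > "$SAMPLE_DIR/nbj.conf"
printf 'SET SERVER_HOST=master.example.com\r\nSET NBJAVA_CONNECT_OPTION=0\r\n' \
    > "$SAMPLE_DIR/.vrtsnbuj"
printf '# NBJAVA_CONNECT_OPTION=1 is only commented out here\nBPJAVA_PORT=13722\n' \
    > "$SAMPLE_DIR/missing.conf"
for f in "$SAMPLE_DIR/nbj.conf" "$SAMPLE_DIR/.vrtsnbuj" "$SAMPLE_DIR/missing.conf"; do
    check_no_callback "$f" || :
done
```

The commented-out sample shows the failure mode a grep for the string alone would miss: the key must be active, not merely present in a comment.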
The work-around listed above will not work for NetBackup 3.4, because 3.4 does
not contain vnetd.

Note: The Administrative GUI is started via the command jnbSA, whereas the
Backup & Restore GUI is started via the command jbpSA. If a user starts the
Administrative GUI but is not listed as an administrator in the auth.conf file,
they will in effect get the Backup & Restore GUI. Both of the Java GUIs and
vnetd are installed as part of the base NetBackup product starting with
NetBackup 4.5.

Until these Maintenance / Feature Packs are released, VERITAS highly recommends
using the workaround described above, which will set bpjava-susvc to use the
no call-back feature.

If you have any questions on how to implement this workaround, or if you have
questions about this issue, please do not hesitate to call VERITAS Technical
Support.

If you have not received this TechNote link via the VERITAS Email Notification
Service for Software Alerts, please visit the following link to subscribe:
http://maillist.support.veritas.com/subscribe.asp

Products Applied:
  NetBackup BusinesServer 3.4, 3.4.1, 4.5, 4.5 (FP6), 4.5 (FP7),
    4.5 (FP8) (Fixed), 4.5 (MP6), 4.5 (MP7), 4.5 (MP8) (Fixed)
  NetBackup DataCenter 3.4, 3.4.1, 4.5
  NetBackup Enterprise Server 5.0, 5.0 MP1, 5.0 MP2, 5.0 MP3, 5.0 MP4 (Fixed),
    5.1, 5.1 MP1, 5.1 MP2 (Fixed)
  NetBackup Server 5.0, 5.0 MP1, 5.0 MP2, 5.0 MP3, 5.0 MP4 (Fixed),
    5.1, 5.1 MP1, 5.1 MP2 (Fixed)

Last Updated: December 23 2004 02:38 PM GMT
Expires on: 09-24-2005

Subjects: NetBackup BusinesServer, NetBackup DataCenter, NetBackup Enterprise
Server, NetBackup Server (Application: Alert; Publishing Status: Techalert)

Languages: English (US)

Operating Systems:
  Windows 2000: Advanced Server, Advanced Server SP1, Advanced Server SP2,
    Advanced Server SP3, Advanced Server SP4, Advanced Server Windows Powered,
    Advanced Server Windows Powered SP1, Advanced Server Windows Powered SP2,
    Advanced Server Windows Powered SP3, Advanced Server Windows Powered SP4,
    Datacenter Server, Datacenter Server SP1, Datacenter Server SP2,
    Datacenter Server SP3, Datacenter Server SP4, Professional,
    Professional SP1, Professional SP2, Professional SP3, Professional SP4,
    SAK, Server, Server SP1, Server SP2, Server SP3, Server SP4,
    Server Windows Powered, Server Windows Powered SP1,
    Server Windows Powered SP2, Server Windows Powered SP3,
    Server Windows Powered SP4
  AIX: 4.1, 4.2, 4.3, 5.1, 5.2, 5.3
  TRU64: 5.0, 5.1
  HP-UX: 10.2, 11.0, 11.11
  Solaris: 2.6, 7.0, 8.0, 9.0
  Linux: Advanced Server 2.1, Debian GNU Linux 3.0, Debian GNU/Linux 2.1,
    Debian GNU/Linux 2.2r4, Kernel 2.0.36, RedHat 5.2, RedHat 6.0, RedHat 6.1,
    RedHat 6.2, RedHat 6.x, RedHat 7.0, RedHat 7.1, RedHat 7.1 errata,
    RedHat 7.2, RedHat 7.2 (zSeries), RedHat 7.2 errata, RedHat 7.3,
    RedHat 7.x, RedHat Advanced Server 2.1, RedHat ES 2.1 (Workstation),
    RedHat Enterprise Linux (ES) 3.0 (zSeries),
    RedHat Enterprise Linux 3.0 (AS, ES, WS),
    RedHat Enterprise Linux 3.0 U2 (AS, ES, WS),
    RedHat Enterprise Server 2.1 (AS, ES, WS)
  Windows Server 2003: DataCenter, DataCenter 64-bit, Enterprise 64-bit,
    Enterprise Server, Standard Server, Storage Server, Web Server
  Citrix MetaFrame: 1.8, XPe

[***** End Veritas Document ID: 271727 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Veritas for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-092: kdelibs -- Unsanitised Input
P-093: HTML Help ActiveX Control Cross Domain Vulnerability
P-094: Microsoft Vulnerability in Cursor and Icon Format Handling
P-095: Microsoft Vulnerability in the Indexing Service
P-096: Sun SMC Default Configuration GUI Creates User Accounts with Blank
       Password Instead of Locked Accounts
P-097: Debian Exim Buffer Overflow
P-098: Updated Mozilla Packages Fix a Buffer Overflow
P-099: Apple iTunes Buffer Overflow
P-100: Oracle Critical Patch Update
P-101: Updated Linux Kernel Packages