VTS16-001: NetBackup Remote Access Vulnerabilities

REVISIONS

Last updated May 19, 2016

1.0.1: Added links to NVD entries for CVEs

SEVERITY

Issue                                             CVSS2 Base Score  Impact  Exploitability  CVSS2 Vector
Communications Protocol Remote Command Execution  9.3               10      8.6             AV:N/AC:M/Au:N/C:C/I:C/A:C
Weak Key Exchange Exposure                        7.9               10      5.5             AV:A/AC:M/Au:N/C:C/I:C/A:C
Management Services Allow Unauthorized RPC        9.3               10      8.6             AV:N/AC:M/Au:N/C:C/I:C/A:C

OVERVIEW

Multiple vulnerabilities have been identified in Veritas (formerly Symantec)
NetBackup Master/ Media Servers and clients. An attacker, able to successfully
access a vulnerable NetBackup host, could potentially execute arbitrary commands
or operations resulting in possible unauthorized, privileged access to the
targeted system.

AFFECTED PRODUCTS

Product: Veritas NetBackup
Version: 7.7.1, 7.6.1.x, 7.6.0.x, 7.5.x.x, 7.1.x, 7.0.x
Solution(s): Upgrade to Veritas NetBackup 7.7.2 or apply security hotfix for
7.7, 7.6.1.2, 7.6.0.4, 7.5.0.7 as a minimum.

Product: Veritas NetBackup Appliance
Version: 2.7.1, 2.6.1.x, 2.6.0.x, 2.5.x, 2.0.x, 1.2.x, 1.1.x
Solution(s): Upgrade to Veritas NetBackup Appliance 2.7.2 or apply security
hotfix for 2.6.1.2, 2.6.0.4, 2.5.4 as a minimum.

Details

Veritas (formerly Symantec) was notified of multiple security issues impacting
NetBackup Appliance, Master servers, Media servers and Clients.

CVE-2015-6550: An attacker, familiar with the communications protocols used by
NetBackup, can leverage access to a host.  Once access is obtained,
the bpcd service fails to properly sanitize user input resulting in the
potential to run arbitrary commands on the targeted system with privileged
access.

CVE-2015-6551: Communications between the administration console and the NBU
server are not sufficiently protected. An attacker with access to the internal
network, who is able to sniff network traffic, could capture and recover login
credentials. This could potentially lead to full privileged access to the
targeted server.

NOTE:  NetBackup 7.6.1 (Appliance 2.6.1) and above uses TLS to protect login
communications and is NOT impacted by this particular issue.

CVE-2015-6552: An attacker, with working knowledge of the NetBackup management
services protocol and access to the network, could make any supported Remote
Procedure Call (RPC) and fully compromise the NetBackup administration
functionality.

It is recommended that Veritas NetBackup listening ports not be visible to the
external network. Any attempt to exploit these issues would require internal
network access, either by an authorized network user or by an external attacker
able to gain unauthorized access to the network.

Veritas Response
Veritas engineers verified these issues and resolved them in Veritas NetBackup
hotfixes to recent releases as identified in the affected products matrix
above.  Customers should upgrade and apply available hotfixes to avoid potential
incidents of this nature.

Veritas is not aware of exploitation of or adverse customer impact from these
issues.

Additional details and access to Veritas NetBackup security hotfixes are
available from: https://www.veritas.com/docs/000108183

Best Practices
As part of normal best practices, Veritas recommends that customers:

 * Restrict access of administration or management systems to privileged users.
 * Restrict remote access, if required, to trusted/authorized systems only.
 * Keep all operating systems and applications updated with the latest vendor
   patches.
 * Follow a multi-layered approach to security. Run both firewall and
   anti-malware applications, at a minimum, to provide multiple points of
   detection and protection to both inbound and outbound threats.
 * Deploy network and host-based intrusion detection systems to monitor network
   traffic for signs of anomalous or suspicious activity. This may aid in
   detection of attacks or malicious activity related to exploitation of latent
   vulnerabilities.

Credit
Veritas would like to thank Emilien Girault, with ANSSI, working through CERT-FR
for reporting these issues and coordinating with us as we resolved them.

References

CVE: These issues are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

CVE            Description
CVE-2015-6550  Communications Protocol Remote Command Execution
CVE-2015-6551  Weak Key Exchange Exposure
CVE-2015-6552  Management Services Allow Unauthorized RPC

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID.  Veritas CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR
CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF
THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT
TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
500 East Middlefield Road
Mountain View, CA 94043

http://www.veritas.com/


© 2016 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas Logo,
and NetBackup are trademarks or registered trademarks of Veritas Technologies
LLC or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.
