
Symantec NetBackup PureDisk Remote Office Edition Elevation of Privilege
SYM06-16 Symantec NetBackup PureDisk Remote Office Edition Elevation of Privilege




Symantec Security Advisory

SYM06-015

16 August 2006 

Symantec NetBackup PureDisk:  Non-Privileged User Authentication Bypass
Elevation of Privilege

Revision History
None 

Severity
Medium (highly dependent on network configuration) 

Remote Access
Yes
Local Access
No
Authentication Required
Yes (to network) 
Exploit publicly available
No

Overview
Symantec discovered a security issue in Symantec's Veritas NetBackup 6.0
PureDisk Remote Office Edition. An unauthorized user with access to the
network and the server hosting the management interface can potentially
bypass the management interface authentication to gain access and elevate
their privileges on the system.

Supported Product(s) Affected 
Product:  Symantec Veritas NetBackup PureDisk Remote Office Edition (all platforms)
Version: 6.0
Builds: GA, MP1
Solution: NB_PDE_60_MP1_P01

NOTE: For systems running NetBackup 6.0 GA PureDisk Remote Office Edition
it will be necessary to install Maintenance Pack 1 prior to applying this
Security Pack.
This issue ONLY affects the product and versions listed above.
 
Details
An internal review revealed a potential elevation of privilege issue in
the Symantec Veritas NetBackup PureDisk management interface. The
management interface is accessible only through an SSL web connection by
default. However, it is possible for a non-privileged user with access to
the network and the server hosting the Symantec Veritas NetBackup PureDisk
management interface to bypass the management interface authentication
and further leverage that access to gain privileged access on the server.

Symantec Response
Symantec engineers have addressed the issues identified above and made
security updates available.
Symantec strongly recommends all customers apply the latest security
update to protect against threats of this nature.
Symantec knows of no exploitation of or adverse customer impact from
these issues.


The patches listed above for affected products are available through the
following location:
http://support.veritas.com/docs/284734 for Symantec Veritas NetBackup
PureDisk Remote Office Edition.

Best Practices 
As part of normal best practices, Symantec recommends:
- Restrict access to administration or management systems to authorized
  privileged users only
- Block remote access to all ports not essential for efficient operation
- Restrict remote access, if required, to trusted/authorized systems only
- Remove/disable unnecessary accounts or restrict access according to
  security policy as required
- Run under the principle of least privilege where possible
- Keep all operating systems and applications updated with the latest
  vendor patches
- Follow a multi-layered approach to security. Run both firewall and
  antivirus applications, at a minimum, to provide multiple points of
  detection and protection against both inbound and outbound threats
- Deploy network intrusion detection systems to monitor network traffic
  for signs of anomalous or suspicious activity. This may aid in detection
  of attacks or malicious activity related to exploitation of the latest
  vulnerabilities

CVE 
A CVE Candidate name is being requested from the Common Vulnerabilities
and Exposures (CVE) initiative for this issue. This advisory will be
revised accordingly upon receipt of the CVE Candidate name.
This issue is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.


