December 13, 2006 3:04 PM PST
Symantec plugs trio of NetBackup holes
The flaws affect Veritas NetBackup Master, Media Servers and clients, the Cupertino, Calif.-based company said in a security alert. An attacker with access to a vulnerable NetBackup host could gain complete control over the targeted system, it said.
Two of the flaws are buffer overflow problems in the NetBackup bpcd communications daemon running on the NetBackup servers and client systems, Symantec said. It also affects the daemon running on Storage Migrator for Unix, if that option is installed. These issues were reported through TippingPoint's bug bounty program, Symantec said.
The third issue is a programming logic error in how the same bpcd daemon handles incoming system commands. This problem was discovered by IBM's Internet Security Systems.
Symantec found additional potential security problems during a review of the NetBackup code, it said. Those unspecified issues have also been addressed in the updates.
In recommended installations, Veritas NetBackup systems should be configured to restrict access to trusted hosts only and not be exposed to the Internet. This would limit any possible attacks to the insiders, Symantec said.
The software affected are versions 5.0, 5.1 and 6.0 of NetBackup server and client software, plus the Storage Migrator for Unix option. There are no current attacks that take advantage of any of the flaws, Symantec said. The updates are available on the company's Web site.