NetBackup and OpsCenter Advisory | Veritas™

Revision History

1.0: December 23, 2020: Initial version
1.1: January 08, 2021: Added CVE IDs, updated Remediation and Mitigation sections

Summary

As part of our ongoing testing process Veritas has discovered issues where Veritas NetBackup and OpsCenter could allow an attacker to run arbitrary code with administrator privilege.

Issue #1

CVE ID: CVE-2020-36169
Severity: Critical
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

NetBackup processes using OpenSSL attempt to load and execute libraries from paths that do not exist by default on the Windows operating system. By default, on Windows systems, users can create directories on any drive, for example under C:\. If a low privileged user on the Windows system creates an affected path with a library that NetBackup attempts to load, they can execute arbitrary code as SYSTEM or Administrator. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, all installed applications, etc.

This vulnerability affects NetBackup master servers, media servers, clients and OpsCenter servers on the Windows platform.

The system is vulnerable during an install or upgrade and post-install during normal NetBackup operations.

Issue #2

CVE ID: CVE-2020-36163
Severity: Critical
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

NetBackup processes using Strawberry Perl attempt to load and execute libraries from paths that do not exist by default on the Windows operating system. By default, on Windows systems, users can create directories under C:\. If a low privileged user on the Windows system creates an affected path with a library that NetBackup attempts to load, they can execute arbitrary code as SYSTEM or Administrator. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, to access all installed applications, etc.

This vulnerability affects NetBackup master servers, media servers, clients and OpsCenter servers on the Windows platform.

The system is vulnerable during an install or upgrade on all systems and post-install on Master, Media and OpsCenter servers during normal NetBackup operations.

Affected Versions

NetBackup and OpsCenter versions 8.3.0.1 and earlier versions are affected.

The issue only affects the Windows platform.

CloudPoint: If using CloudPoint, please see detailed instructions provided in the Veritas CloudPoint Advisory.

Remediation

Customers under a current maintenance contract can download and install the NetBackup HotFix to fix the vulnerabilities for an already installed NetBackup master server, media server and client. Install the OpsCenter HotFix to fix the vulnerabilities for an already installed OpsCenter.

If you want to install or upgrade to an affected version of NetBackup or OpsCenter, follow the steps listed in the mitigation section prior to starting the install or upgrade. Note: This needs to be done even if you are upgrading from a version that has the HotFix already installed. Once the install or upgrade has completed, install the HotFix for the installed version of NetBackup/OpsCenter.

Recommended Actions

Existing Installation

NetBackup Version   Client                  Media                   Master                  OpsCenter
9.0 and later       N/A                     N/A                     N/A                     N/A
8.3.0.1             HotFix                  HotFix                  HotFix                  HotFix
8.3                 HotFix                  HotFix                  HotFix                  HotFix
8.2                 HotFix                  HotFix                  HotFix                  HotFix
8.1.2               HotFix                  HotFix                  HotFix                  HotFix
8.1.1               Workaround only         Workaround only         Workaround only         Workaround only
8.1                 Workaround only         Workaround only         Workaround only         Workaround only
8.0                 Workaround only         Workaround only         Workaround only         Workaround only
7.7.3               Workaround only         Workaround only         Workaround only         Workaround only

Upgrade Installation to

NetBackup Version   Client                  Media                   Master                  OpsCenter
9.0 and later       N/A                     N/A                     N/A                     N/A
8.3.0.1             Workaround and HotFix   Workaround and HotFix   Workaround and HotFix   Workaround and HotFix
8.3                 Workaround and HotFix   Workaround and HotFix   Workaround and HotFix   Workaround and HotFix
8.2                 Workaround and HotFix   Workaround and HotFix   Workaround and HotFix   Workaround and HotFix
8.1.2               Workaround and HotFix   Workaround and HotFix   Workaround and HotFix   Workaround and HotFix
8.1.1               Workaround only         Workaround only         Workaround only         Workaround only
8.1                 Workaround only         Workaround only         Workaround only         Workaround only

New Installation

NetBackup Version   Client                  Media                   Master                  OpsCenter
9.0 and later       N/A                     N/A                     N/A                     N/A
8.3.0.1             Workaround and HotFix   Workaround and HotFix   Workaround and HotFix   Workaround and HotFix
8.3                 Workaround and HotFix   Workaround and HotFix   Workaround and HotFix   Workaround and HotFix
8.2                 Workaround and HotFix   Workaround and HotFix   Workaround and HotFix   Workaround and HotFix
8.1.2               Workaround and HotFix   Workaround and HotFix   Workaround and HotFix   Workaround and HotFix
8.1.1               Workaround only         Workaround only         Workaround only         Workaround only
8.1                 Workaround only         Workaround only         Workaround only         Workaround only

Mitigation

NOTE: Veritas strongly recommends running version 9.0 or later or a HotFix'ed version.

Workaround

This workaround will lower the risk until the HotFix is applied, if available, or the system is updated to version 9.0 or later.

Securing Directories

Using an administrator account, create the directories listed below and set the ACL on each directory to deny write access to all other users. If the directories already exist and the ACLs allow write access to other users, you must update the ACLs to only allow write access by the administrator accounts. These directories should not be deleted.

\usr\local\ssl
    OS installation drive: for example, C:\usr\local\ssl
    NetBackup installation drive: for example, D:\usr\local\ssl
C:\strawberry (8.1.2 and higher versions)
C:\Temp\strawberry (8.1.1 and lower versions)

For any NetBackup command, "cd" to the directory containing the NetBackup command before running it.

One example of clearing the write permission for non-administrator users:
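As an added example (not code from the Veritas advisory), the following PowerShell, run from an elevated session, creates the workaround directories and replaces their inherited ACL with one in which only Administrators and SYSTEM hold write access, then re-reads each ACL to confirm no other principal can create files there. It assumes the OS drive is C:, NetBackup is installed on D:, and the version is 8.1.2 or later.

```powershell
# Added example (not Veritas's code): create the directories named in the
# workaround and leave write access only to administrators.
# Assumptions: OS drive is C:, NetBackup is installed on D:, NetBackup 8.1.2 or
# later (8.1.1 and earlier use C:\Temp\strawberry instead of C:\strawberry).

$dirs = @(
    'C:\usr\local\ssl',   # OS installation drive
    'D:\usr\local\ssl',   # NetBackup installation drive (assumed D:)
    'C:\strawberry'       # Strawberry Perl path for 8.1.2 and later
)
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    $acl = Get-Acl -LiteralPath $dir
    # Stop inheriting the drive root's permissive ACL and drop inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs a pre-existing directory may carry.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, $propagate, 'Allow')))
    }
    # Other users keep read/execute, so nothing but an administrator can place
    # or modify files that NetBackup would load from here.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users', 'ReadAndExecute', $inherit, $propagate, 'Allow')))
    Set-Acl -LiteralPath $dir -AclObject $acl
}

# Verification: flag any remaining Allow ACE with write-type rights
# (CreateFiles/CreateDirectories bits) for a principal other than the two above.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
foreach ($dir in $dirs) {
    (Get-Acl -LiteralPath $dir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
            $_.IdentityReference.Value -notin @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
        } |
        ForEach-Object { Write-Warning "$dir still grants write access to $($_.IdentityReference)" }
}
```

The verification step only inspects explicit write bits, so an ACE carrying generic rights (GENERIC_WRITE or GENERIC_ALL) should be reviewed by hand if one is present.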

Existing Installation
    If HotFix is available: apply the HotFix for the installed version.
    If HotFix is not available: apply the workaround steps listed above.

New Installation
    If installing version 9.0 or later:
        Perform the new installation.
        No further action is required.
    If installing a version older than 9.0:
        Apply the workaround steps listed above.
        Perform the new installation.
        If HotFix is available: apply the HotFix for the installed version.

Upgrade Installation
    If upgrading to version 9.0 or later:
        Perform the upgrade.
        The directories outlined in the workaround may be deleted.
    If upgrading to a version older than 9.0:
        Apply the workaround steps listed above. This must be done even if you are upgrading from a version that has the HotFix already installed.
        Perform the upgrade.
        If HotFix is available: apply the HotFix for the new version.

Download Information

Note: These downloads address both vulnerabilities listed at the top of this document.

HotFix

OpenSSL Update Hotfixes for NetBackup 8.1.2
    NetBackup 8.1.2 - Upgrade of OpenSSL on Windows Master or Media Server (ET 4020525)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD637939
    NetBackup 8.1.2 HotFix - Upgrade of OpenSSL on Windows Clients (ET 4021310)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD748218
    NetBackup OpsCenter 8.1.2 HotFix - Upgrade of OpenSSL on Windows OpsCenter Servers (ET 4021454)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD471540

OpenSSL Update Hotfixes for NetBackup 8.2
    NetBackup 8.2 HotFix - Upgrade of OpenSSL on Windows Master or Media Server (ET 4020077)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD255190
    NetBackup 8.2 HotFix - Upgrade of OpenSSL on NetBackup Windows Clients (ET 4021217)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD450754
    NetBackup OpsCenter 8.2 HotFix - Upgrade of OpenSSL on Windows OpsCenter Servers (ET 4021453)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD518556

OpenSSL Update Hotfixes for NetBackup 8.3
    NetBackup 8.3 HotFix - Upgrade of OpenSSL on Windows Master or Media Server (ET 4021901)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD475064
    NetBackup 8.3 HotFix - Upgrade of OpenSSL on Windows Clients (ET 4022116)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD870749
    NetBackup OpsCenter 8.3 HotFix - Upgrade of OpenSSL on Windows OpsCenter Servers (ET 4022185)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD606869

OpenSSL Update Hotfixes for NetBackup 8.3.0.1
    NetBackup 8.3.0.1 HotFix - Upgrade of OpenSSL on Windows Master or Media Server (ET 4019812)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD793441
    NetBackup 8.3.0.1 HotFix - Upgrade of OpenSSL on Windows Clients (ET 4021146)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD882155
    NetBackup OpsCenter 8.3.0.1 HotFix - Upgrade of OpenSSL on Windows OpsCenter Servers (ET 4021447)
    https://www.veritas.com/content/support/en_US/downloads/update.UPD480348

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).
