
List:       bugtraq
Subject:    SYM06-023, Symantec NetBackup PureDisk: PHP update to Address Reported Security Vulnerability
From:       "Mike Prosser" <mprosser () symantec ! com>
Date:       2006-11-29 18:21:46
Message-ID: 43FB1967D03EC7449A77FA91322E364803694D53 () SVL1XCHCLUPIN02 ! enterprise ! veritas ! com

SYM06-023 
Nov 28, 2006 
Symantec NetBackup PureDisk: PHP update to Address Reported Security Vulnerability

Reference:  http://www.securityfocus.com/bid/20879/

Revision History
none 

Severity
High (configuration dependent) 

Remote: Yes
Local: No
Authentication Required: Yes (to network)
Exploit publicly available: No

Overview
Symantec has released an update to address a security concern in PHP, a commonly
used HTML-embedded scripting language, for Symantec's Veritas NetBackup 6.0
PureDisk Remote Office Edition. A heap overflow has been reported in the version
of PHP shipped with the affected product builds listed below. The management
interface of Symantec's product is accessible only through an SSL connection by
default. Depending on configuration, however, an unauthorized user could
potentially attempt to execute arbitrary code in the context of the vulnerable
server, which runs in non-privileged mode by default.

Affected Product/Version
Product                                                                     Version       Build  Solution(s)
Symantec Veritas NetBackup PureDisk Remote Office Edition (all platforms)   6.0 GA, MP1   -      NB_PDE_60_MP1_S01

Not Affected
Product                                                                     Version
Symantec Veritas NetBackup PureDisk Remote Office Edition (all platforms)   6.1

Symantec Response
Symantec engineers have addressed the reported issue and provided security
updates. Symantec strongly recommends all customers apply the latest security
update identified above or upgrade to Symantec Veritas NetBackup PureDisk Remote
Office Edition 6.1 to protect against threats of this nature. Symantec knows of
no exploitation of or adverse customer impact from this issue.

The patch for Symantec Veritas NetBackup PureDisk Remote Office Edition 6.0 is
available from: http://support.veritas.com/docs/285984

Best Practices
As part of normal best practices, Symantec recommends: 
* Restrict access to administration or management systems to authorized
  privileged users only
* Block remote access to all ports not essential for efficient operation
* Restrict remote access, if required, to trusted/authorized systems only
* Remove/disable unnecessary accounts or restrict access according to security
  policy as required
* Run under the principle of least privilege where possible
* Keep all operating systems and applications updated with the latest vendor
  patches
* Follow a multi-layered approach to security. Run both firewall and antivirus
  applications, at a minimum, to provide multiple points of detection and
  protection against both inbound and outbound threats
* Deploy network intrusion detection systems to monitor network traffic for
  signs of anomalous or suspicious activity. This may aid in detection of
  attacks or malicious activity related to exploitation of the latest
  vulnerabilities

CVE
CVE-2006-5465 has been assigned to this issue.
This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.
--------------------------------------
Symantec takes the security and proper functionality of its products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec follows the principles of responsible disclosure. Symantec
also subscribes to the vulnerability guidelines outlined by the National
Infrastructure Advisory Council (NIAC). Please contact secure@symantec.com if
you feel you have discovered a potential or actual security issue with a
Symantec product. A Symantec Product Security team member will contact you
regarding your submission.

Symantec has developed a Product Vulnerability Handling Process document
outlining the process we follow in addressing suspected vulnerabilities in our
products. We support responsible disclosure of all vulnerability information in
a timely manner to protect Symantec customers and the security of the Internet
from the effects of a vulnerability. This document is available from
http://www.symantec.com/security/

Symantec strongly recommends using encrypted email for reporting vulnerability
information to secure@symantec.com. The Symantec Product Security PGP key can be
obtained from http://www.symantec.com/security/



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- ----------------------------------------
Symantec Product Security Team
Symantec takes the security of our products seriously as a responsible
disclosure company.  You can view our response policies at
http://www.symantec.com/security.
We will work directly with anyone who believes they have found a security
issue in a Symantec product to validate the problem and coordinate any 
response deemed necessary. 
 
Please contact secure@symantec.com concerning security issues with Symantec
products.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBRW3Pqhy6+gFWHby+AQhUJQgAux4e4+Za3jYVbRORMbPlPnNWNB4zM47m
IxSlXppVsZ1iU/tegvSwo62AwDCNRaRw5iERBlhF/VXiNe5UTe/B/HHczvC6GRj0
LuqumOW8RMX5Tuez3OgP3lwSMOI30sLHWa+7k5RmGTHstNPeWK90VwUzzpYS3RfA
klmlGYb2r30tKvDFiWlriClSCfpjSAaXdckOyG8r2OTyM5G7x2eA12hRDsD7lL99
X50G7I6PO7y29i+nVWvt6PGh+3gIrszbGO5mnpyqLsx+KKYQuE0gy4F+FOm+l/s+
QgUD5xYhYi+asc7uqE6zFzpGJlLir61z4OXAGAswoMyhDAqHt8k2SA==
=EVH/
-----END PGP SIGNATURE-----  