List: bugtraq
Subject: SYM06-023, Symantec NetBackup PureDisk: PHP update to Address Reported Security Vulnerability
From: "Mike Prosser" <mprosser () symantec ! com>
Date: 2006-11-29 18:21:46
Message-ID: 43FB1967D03EC7449A77FA91322E364803694D53 () SVL1XCHCLUPIN02 ! enterprise ! veritas ! com
SYM06-023
Nov 28, 2006
Symantec NetBackup PureDisk: PHP update to Address Reported Security Vulnerability
Reference: http://www.securityfocus.com/bid/20879/
Revision History
none
Severity
High (configuration dependent)
Remote Yes
Local No
Authentication Required Yes (to network)
Exploit publicly available No
Overview
Symantec has released an update to address a security concern in PHP, a commonly used HTML-embedded scripting language, for Symantec's Veritas NetBackup 6.0 PureDisk Remote Office Edition. A heap overflow has been reported in the version of PHP shipped with the affected product builds listed below. The management interface of Symantec's product is accessible only through an SSL connection by default. Depending on configuration, however, an unauthorized user could potentially attempt to execute arbitrary code in the context of the vulnerable server, which runs in non-privileged mode by default.
Affected Product/Version
Product Version Build Solution(s)
Symantec Veritas NetBackup PureDisk Remote Office Edition (all platforms)
6.0GA, MP1 NB_PDE_60_MP1_S01
Not Affected
Symantec Veritas NetBackup PureDisk Remote Office Edition (all platforms)
6.1
Symantec Response
Symantec engineers have addressed the reported issue and provided security updates. Symantec strongly recommends all customers apply the latest security update identified above or upgrade to Symantec Veritas NetBackup PureDisk Remote Office Edition 6.1 to protect against threats of this nature. Symantec knows of no exploitation of or adverse customer impact from this issue.
The patch for Symantec Veritas NetBackup PureDisk Remote Office Edition 6.0 is available from: http://support.veritas.com/docs/285984
Best Practices
As part of normal best practices, Symantec recommends:
* Restrict access to administration or management systems to authorized privileged users only
* Block remote access to all ports not essential for efficient operation
* Restrict remote access, if required, to trusted/authorized systems only
* Remove/disable unnecessary accounts or restrict access according to security policy as required
* Run under the principle of least privilege where possible
* Keep all operating systems and applications updated with the latest vendor patches
* Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection against both inbound and outbound threats
* Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of the latest vulnerabilities
CVE
CVE-2006-5465 has been assigned to this issue.
This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
--------------------------------------
Symantec takes the security and proper functionality of its products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC). Please contact secure@symantec.com if you feel you have discovered a potential or actual security issue with a Symantec product. A Symantec Product Security team member will contact you regarding your submission.
Symantec has developed a Product Vulnerability Handling Process document outlining the process we follow in addressing suspected vulnerabilities in our products. We support responsible disclosure of all vulnerability information in a timely manner in order to protect Symantec customers and the security of the Internet. This document is available from http://www.symantec.com/security/
Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be obtained from http://www.symantec.com/security/
Symantec Product Security Team
Symantec takes the security of our products seriously as a responsible
disclosure company. You can view our response policies at
http://www.symantec.com/security.
We will work directly with anyone who believes they have found a security
issue in a Symantec product to validate the problem and coordinate any
response deemed necessary.
Please contact secure@symantec.com concerning security issues with Symantec
products.