Symantec fixes 'critical' Veritas flaw

Bill Brenner

Symantec Corp. is urging users of its Veritas NetBackup servers and clients to install updates that plug a security hole that attackers could use to launch malicious code.

The Cupertino, Calif.-based antivirus giant and parent company of Veritas said in an advisory that the problem affects:

  • NetBackup Data and Business Center version 4.5

  • NetBackup Enterprise/Server/Client version 5.0

  • NetBackup Enterprise/Server/Client version 5.1

  • NetBackup Enterprise/Server/Client version 6.0

The French Security Incident Response Team (FrSIRT) called the vulnerability "critical" in an advisory issued Wednesday.

"This flaw is due to a format string error in the Java authentication service 'bpjava-msvc' that does not properly handle a specially crafted 'COMMAND_LOGON_TO_MSERVER' command… which could be exploited by remote attackers to execute arbitrary commands with root/SYSTEM privileges," Symantec said.

Also in the advisory, Symantec said engineers have verified the issue and made security updates available. The vendor recommended that "all customers immediately apply the latest updates for their supported product versions to protect against these types of threats." The advisory outlines which updates to apply to specific products. Symantec also recommended users block external network access on Transmission Control Protocol (TCP) Port 13722.

Symantec credited research from TippingPoint, a division of Marlborough, Mass.-based networking vendor 3Com Corp., with reporting the vulnerability. In its advisory, TippingPoint noted that, "authentication is not required to exploit this vulnerability."
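
The bug class named in the advisory quote above, as an added example that is not Symantec's or Veritas' code: a peer-supplied field passed as the format string, beside the corrected call. The helper names and the logging scenario are assumptions, since the article does not show how bpjava-msvc handles the command; the sample field is constructed and uses only `%%`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logging helper, as many daemons have. */
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Bug pattern: the peer-supplied field IS the format string, so the
 * formatter interprets any conversion directive it contains. */
static int log_logon_vulnerable(char *out, size_t n, const char *field)
{
    return log_line(out, n, field);
}

/* Fix: constant format; untrusted data is only ever an argument. */
static int log_logon_fixed(char *out, size_t n, const char *field)
{
    return log_line(out, n, "%s", field);
}

/* Input check: does the field carry formatter syntax at all? */
static int has_format_directive(const char *field)
{
    return strchr(field, '%') != NULL;
}

int main(void)
{
    /* Constructed sample field; "%%" is the one directive that takes
     * no argument, so the vulnerable call stays well-defined here. */
    const char *field = "backup%%admin";
    char v[64], f[64];

    log_logon_vulnerable(v, sizeof v, field);
    log_logon_fixed(f, sizeof f, field);
    printf("vulnerable: %s\nfixed:      %s\nflagged:    %d\n",
           v, f, has_format_directive(field));
    return 0;
}
```

The two outputs differ by one character, which is the whole defect: in the first call the formatter treated network input as instructions rather than data.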
