Symantec fixes 'critical' Veritas flaw

Bill Brenner, News Writer

Symantec Corp. is urging users of its Veritas NetBackup servers and clients to install updates that plug a security hole that attackers could use to launch malicious code.

The Cupertino, Calif.-based antivirus giant and parent company of Veritas said in an advisory that the problem affects:

  • NetBackup Data and Business Center version 4.5

  • NetBackup Enterprise/Server/Client version 5.0

  • NetBackup Enterprise/Server/Client version 5.1

  • NetBackup Enterprise/Server/Client version 6.0

The French Security Incident Response Team (FrSIRT) called the vulnerability "critical" in an advisory issued Wednesday.

"This flaw is due to a format string error in the Java authentication service 'bpjava-msvc' that does not properly handle a specially crafted 'COMMAND_LOGON_TO_MSERVER' command… which could be exploited by remote attackers to execute arbitrary commands with root/SYSTEM privileges," Symantec said.

Also in the advisory, Symantec said engineers have verified the issue and made security updates available. The vendor recommended that "all customers immediately apply the latest updates for their supported product versions to protect against these types of threats." The advisory outlines which updates to apply to specific products. Symantec also recommended users block external network access on Transmission Control Protocol (TCP) Port 13722.

Symantec credited research from TippingPoint, a division of Marlborough, Mass.-based networking vendor 3Com Corp., with reporting the vulnerability. In its advisory, TippingPoint noted that, "authentication is not required to exploit this vulnerability."
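The bug class named in the advisory, a format string error, shown as an added example that is not NetBackup code and does not come from Symantec or TippingPoint: a hypothetical logon handler passes a client-supplied field as the format argument, next to the corrected form. The function names and sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical logon handler, NOT NetBackup source: `name` stands for a
 * field taken from a client's logon request. */

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* VULNERABLE: the client-controlled string is used as the format itself, so
 * any conversion specifier in it makes snprintf consume arguments that were
 * never passed. */
int log_logon_vulnerable(char *out, size_t n, const char *name)
{
    return snprintf(out, n, name);
}
#pragma GCC diagnostic pop

/* FIXED: constant format; the client string is only ever data. */
int log_logon_fixed(char *out, size_t n, const char *name)
{
    return snprintf(out, n, "%s", name);
}

/* Defence in depth: flag fields containing '%' before they reach any
 * logging or formatting call. */
int field_has_format_directive(const char *name)
{
    return strchr(name, '%') != NULL;
}

int main(void)
{
    char a[64], b[64];
    const char *benign = "backup01";        /* constructed sample */
    const char *hostile = "backup01 %x %x"; /* constructed sample */

    /* On benign input both versions agree, which is why the bug survives testing. */
    log_logon_vulnerable(a, sizeof a, benign);
    log_logon_fixed(b, sizeof b, benign);
    printf("benign : vulnerable=[%s] fixed=[%s]\n", a, b);

    /* The fixed version copies the specifiers through as literal text. */
    log_logon_fixed(b, sizeof b, hostile);
    printf("hostile: fixed=[%s] flagged=%d\n", b, field_has_format_directive(hostile));
    return 0;
}
```

Building with `-Wformat -Wformat-security` (suppressed here only so the vulnerable form compiles cleanly) reports the non-literal format call at compile time.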

