Symantec fixes 'critical' Veritas flaw

Attackers could launch malicious code by exploiting a security hole in Veritas NetBackup servers and clients. But Symantec has released a fix.

Symantec Corp. is urging users of its Veritas NetBackup servers and clients to install updates that plug a security hole that attackers could use to launch malicious code.

The Cupertino, Calif.-based antivirus giant and parent company of Veritas said in an advisory that the problem affects:

  • NetBackup Data and Business Center version 4.5

  • NetBackup Enterprise/Server/Client version 5.0

  • NetBackup Enterprise/Server/Client version 5.1

  • NetBackup Enterprise/Server/Client version 6.0
  • For more information

    Read our exclusive: Is a Symantec-Veritas merger good for users?

    Learn how the security landscape is shifting because of megamergers.

    The French Security Incident Response Team (FrSIRT) called the vulnerability "critical" in an advisory issued Wednesday.

    "This flaw is due to a format string error in the Java authentication service 'bpjava-msvc' that does not properly handle a specially crafted 'COMMAND_LOGON_TO_MSERVER' command… which could be exploited by remote attackers to execute arbitrary commands with root/SYSTEM privileges," Symantec said.

    Also in the advisory, Symantec said engineers have verified the issue and made security updates available. The vendor recommended that "all customers immediately apply the latest updates for their supported product versions to protect against these types of threats." The advisory outlines which updates to apply to specific products. Symantec also recommended users block external network access on Transmission Control Protocol (TCP) Port 13722.

    Symantec credited research from TippingPoint, a division of Marlborough, Mass.-based networking vendor 3Com Corp., with reporting the vulnerability. In its advisory, TippingPoint noted that, "authentication is not required to exploit this vulnerability."

    Read more on Hackers and cybercrime prevention