Update Protection against Symantec Veritas NetBackup Remote Code Execution Vulnerability

Overview
Details
Protection

Check Point Reference:	CPAI-2007-045
Date Published:
Severity:
Last Updated:
Source:	Secunia Advisory: SA23368
Industry Reference(s):	CVE-2006-4902
Protection Provided by:	VPN-1 NGX R65 NGX R62 NGX R61 NGX R60 NG with Application Intelligence R55W NG with Application Intelligence R55 VSX NGX InterSpect NGX 2.0 and 1.x Connectra NGX R62 NGX R61
Who is Vulnerable? Symantec Veritas NetBackup Enterprise Server version 6.0 Symantec Veritas NetBackup Enterprise Server version 5.1 Symantec Veritas NetBackup Enterprise Server version 5.0 Symantec Veritas NetBackup Server version 6.0 Symantec Veritas NetBackup Server version 5.1 Symantec Veritas NetBackup Server version 5.0
Vulnerability Description A remote code execution vulnerability has been reported in Symantec Veritas NetBackup. Symantec Veritas NetBackup Server is a client/server backup application solution used for performing scheduled automatic backups and on-demand backups requested by users. A remote attacker could exploit the vulnerability to execute arbitrary code on an affected system via command chaining.

Update/Patch Available Apply updates: Symantec Veritas
Vulnerability Details The flaw is due to a logic error in the NetBackup service (bpcd.exe). The NetBackup BPCD daemon fails to properly check for chained commands, allowing a remote attacker to append a malicious command to a valid command. Successful exploitation may cause the service to execute arbitrary commands.

Protection Overview
By enabling this protection, SmartDefense will detect and block malformed command chaining requests.

In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on April 15, 2007 includes the following protections:

Symantec Veritas NetBackup Code Execution Vulnerability (CPAI-2007-045)
Oracle ORADC ActiveX Control Code Execution Vulnerability (CPAI-2007-046)
Trend Micro ServerProtect Buffer Overflow Vulnerabilities (CPAI-2007-047)
Novell Netmail WebAdmin Buffer Overflow Vulnerability (CPAI-2007-048)
Novell NetMail IMAP Verb Literal Buffer Overflow Vulnerability (CPAI-2007-049)
Microsoft Windows Workstation Service Vulnerability (CPAI-2007-050)
Trend Micro OfficeScan ActiveX Buffer Overflow Vulnerability (CPAI-2007-051)
Protect Yourself against FTP Brute Force Attacks (SBP-2007-05)
Protect Yourself against FTP Format Strings Attacks (SBP-2007-06)

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Veritas Backup Exec Protections > Block Malformed Command Chaining Request.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Veritas Backup Exec Protection Violation
Attack Information: Command chaining request detected

VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Veritas Backup Exec Protections.
2. Select the following pattern:

Block Malformed Command Chaining Request

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Veritas Backup Exec Protection Violation
Attack Information: Command chaining request detected

VPN-1 NG with Application Intelligence R55

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rule # 99861 will appear on the SmartView Tracker.

VPN-1 VSX NGX

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #99861 will appear on the SmartView Tracker.

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > Veritas Backup Exec Protections.
3. Select the following pattern:

Block Malformed Command Chaining Request

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Veritas Backup Exec Protection Violation
Attack Information: Command chaining request detected

InterSpect 2.0

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Veritas Backup Exec Protection Violation
Attack Information: Command chaining request detected

Connectra NGX R62/R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:

Block Malformed Command Chaining Request

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: Veritas Backup Exec Protection Violation
Attack Information: Command chaining request detected

Legal Notice for SmartDefense Advisories