{"vuid":"VU#407641","idnumber":"407641","name":"EMC Legato NetWorker database services use insufficient authentication","keywords":["EMC","legato","networker","Sun","StorEdge Backup","Solstice Backup","nsradmin","XOR","token"],"overview":"The EMC Legato NetWorker database services use weak authentication, allowing a remote attacker to gain root access to the server.","clean_desc":"EMC Legato NetWorker is a cross-platform backup and recovery application. It is also repackaged by Sun Microsystems as Solstice Backup and StorEdge Enterprise Backup, by FSC as Fujitsu Siemens Computers' NetWorker, by NEC as WebSAM NetWorker Powered by Legato, and by Fujitsu as NetWorker. NetWorker database services At least two of the processes run by a NetWorker server provide database services. The database on a NetWorker server contains system configuration information, including licenses, client configurations, backup schedules, and storage devices. The server database also contains a mechanism for controlling backups remotely. NetWorker database service authentication and authorization NetWorker uses a token-based authentication scheme to determine the identity of a user who attempts to access the network databases. After a database client submits its credentials to the server, the server compares the credentials to an administrator list. The server then grants a token to the client that contains information about the client, including whether the client has administrative privileges. The problem NetWorker does not perform adequate authentication of the tokens. An attacker can create or modify a token to grant administrative privileges to himself, regardless of whether the attacker is in the administrator list. An attacker with administrative access to the NetWorker databases can gain complete control of a vulnerable NetWorker server.","impact":"An unauthenticated, remote attacker could execute arbitrary commands on the NetWorker server as root. Once the NetWorker server has been compromised, any NetWorker client machine could in turn be compromised.","resolution":"Apply a patch or upgrade\nApply a patch or upgrade, as specified in the EMC Legato Technical Product Alert. Sun Solstice Backup and StorEdge Enterprise Backup customers should see Sun Alert 101866 for patch availability.","workarounds":"Restrict access You may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by NetWorker (typically TCP and UDP ports 7937-9936). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.","sysaffected":"","thanks":"Thanks to the NOAA NCIRT Lab for reporting this vulnerability.","author":"This document was written by Will Dormann.","public":["http://www.legato.com/support/websupport/product_alerts/081605_NW-7x.htm","http://www.legato.com/support/websupport/product_alerts/081605_NW_token_authentication.htm","http://sunsolve.sun.com/search/document.do?assetkey=1-26-101886-1","http://www.legato.com/support/websupport/tech_bulletins/?includefile=388.html","http://www.legato.com/products/networker/","http://secunia.com/advisories/16464/","http://secunia.com/advisories/16470/","http://www.cnn.com/2005/TECH/internet/07/25/hackers.backup.software.reut/index.html"],"cveids":["CVE-2005-0358"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-06-03T18:02:34Z","publicdate":"2005-08-16T00:00:00Z","datefirstpublished":"2005-08-16T15:09:53Z","dateupdated":"2005-10-04T18:43:27Z","revision":27,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"13","cam_impact":"20","cam_easeofexploitation":"20","cam_attackeraccessrequired":"15","cam_scorecurrent":"14.625","cam_scorecurrentwidelyknown":"43.875","cam_scorecurrentwidelyknownexploited":"73.125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":14.625,"vulnote":null}