{"vuid":"VU#685456","idnumber":"685456","name":"Veritas NetBackup \"bpjava-susvc\" process contains an input validation error","keywords":["Veritas NetBackup Administrative Assistant","bpjava-susvc","input validation error","privilege escalation"],"overview":"Veritas NetBackup Administrative Assistant interface may allow users to execute arbitrary commands with elevated privileges.","clean_desc":"The Veritas NetBackup Administrative Assistant interface (bpjava-susvc) contains an input validation vulnerability. According to Veritas Alert 271727 : When the NetBackup Administrative Java GUI connects to a NetBackup server (either a master or media server) a process is started on the server called bpjava-susvc. A normal user with access to this server could send specially crafted commands to this process and have those commands executed with root authority. It is also possible to exploit this issue if the Backup & Restore GUI is started as root. The following NetBackup applications and versions are reported to be vulnerable: NetBackup BusinesServer 3.4, 3.4.1, and 4.5\nNetBackup DataCenter 3.4, 3.4.1, and 4.5\nNetBackup Enterprise Server 5.1\nNetBackup Server 5.0 and 5.1","impact":"If an attacker supplies a vulnerable NetBackup server with specially crafted commands, those commands may be executed with elevated (possibly root) privileges.","resolution":"Apply Patch According to Veritas Alert 271727 the following patches will correct this problem: 4.5 Maintenance Pack 8 (MP8)\n4.5 Feature Pack 8 (FP8)\n5.0 Maintenance Pack 4 (MP4)\n5.1 Maintenance Pack 2 (MP2) Upgrade This issue will be fixed in Veritas NetBackup version 6.","workarounds":"Workaround Enabling no call-back will correct this issue. To enable no call-back set the NBJAVA_CONNECT_OPTION to 1 in the NetBackup configuration file (nbj.conf on UNIX and .vrtsnbuj on Windows). Veritas released the following examples to demonstrate how to set NBJAVA_CONNECT_OPTION to 1 on Windows and UNIX platforms: Partial sample of a Windows <NB Installed location>\\java\\<host_name>.vrtsnbuf file: # Backslashes in the install path must be escaped. # An example: \"C:\\\\Program Files\\\\VERITAS\\\\java\"\nSET INSTALL_PATH=C:\\\\Program Files\\\\VERITAS\\\\\\\\Java\nSET SERVER_HOST=master.min.veritas.com\nSET NBJAVA_CONNECT_OPTION=1 Partial sample of a UNIX /usr/openv/java/nbj.conf file: # $Revision: 1.3 $\n#bcpyrght #* $VRTScprght: Copyright 1993 - 2003 VERITAS Software Corporation, All Rights Reserved $ * #ecpyrght BPJAVA_PORT=13722\nVNETD_PORT=13724\nNBJAVA_CONNECT_OPTION=1","sysaffected":"","thanks":"This vulnerability was reported in \nVeritas Alert 271727","author":"This document was written by Jeff Gennari.","public":["http://seer.support.veritas.com/docs/271727.htm","http://secunia.com/advisories/12901/","http://www.security-focus.com/bid/11494/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-10-21T17:41:38Z","publicdate":"2004-10-20T00:00:00Z","datefirstpublished":"2005-01-18T14:57:39Z","dateupdated":"2005-04-20T14:48:15Z","revision":55,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"14","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"11","cam_impact":"16","cam_easeofexploitation":"13","cam_attackeraccessrequired":"5","cam_scorecurrent":"3.6465","cam_scorecurrentwidelyknown":"4.9335","cam_scorecurrentwidelyknownexploited":"9.2235","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":3.6465,"vulnote":null}