May 25th, 2007 10:00
Vulnerability Note VU#606857
Hello,
We have been told by our security group that we have the following vulnerability on our Legato NetWorker (ver7.2) - where do I get the patches?
Vulnerability Note VU#606857
EMC Legato NetWorker uses weak AUTH_UNIX authentication
Overview
EMC Legato NetWorker uses weak AUTH_UNIX authentication, allowing a remote attacker to execute arbitrary commands, gain elevated privileges, or cause a denial of service.
I. Description
EMC Legato NetWorker is a cross-platform backup and recovery application. It is also repackaged by Sun Microsystems as Solstice Backup and StorEdge Enterprise Backup, by FSC as Fujitsu Siemens Computers' NetWorker, by NEC as WebSAM NetWorker Powered by Legato, and by Fujitsu as NetWorker.
NetWorker authentication
NetWorker uses the AUTH_UNIX authentication mechanism (a client-based security option) for its RPC service. This means the NetWorker software trusts that the remote system calling its RPC interface has already authenticated the remote client process via standard UNIX user id mechanisms (i.e., if a daemon only allows UID 0 [root] access to its RPC interface, it trusts remote RPC clients to be running with UID 0 [root] privileges).
NetWorker components
nwadmin and nsradmin are the administrative utilities for NetWorker. They can be used to view or modify the configuration of a NetWorker server. The NetWorker server grants administrative access based on an administrators list. nwadmin and nsradmin use getpwuid_r(getuid()) to determine the invoking user's name.
nsrports is used to specify the port ranges used by the NetWorker software. nsrports allows any user with an apparent username of "root" to set NetWorker port ranges.
The recover program is used to restore files that were backed up using the NetWorker software. recover determines what files may be accessed based on the UID of the user that calls the process.
nsrexec and nsrexecd are NetWorker components that provide functionality similar to rsh. nsrexec is a command that runs on the NetWorker server to send commands to the client systems. nsrexecd is a service that runs on the NetWorker client systems. nsrexecd executes commands on the client system that it receives from the NetWorker server. The combination of nsrexec and nsrexecd is what allows the NetWorker server to execute commands on the client remotely, such as initiating a backup process. The nsrexecd service uses RPC AUTH_UNIX to determine the identity of the user who will run the backup command.
The problem
The authentication mechanisms used by the various NetWorker components are weak. AUTH_UNIX authentication does not provide sufficient protection against attacks because it relies solely on the authentication credentials provided by the client. An attacker can spoof the user name to bypass the authentication mechanism used by nwadmin, nsradmin, and nsrports. An attacker can spoof the UID to bypass the authentication mechanism used by recover and nsrexecd.
II. Impact
A remote unauthenticated attacker may take any of the following actions:
- Execute arbitrary commands on a NetWorker client system
- View or modify the configuration of the NetWorker server
- Cause a denial-of-service condition by altering the ports used by NetWorker
- View files backed up by any other NetWorker client, regardless of file permissions
A local user may be able to gain elevated privileges on a system running NetWorker.
III. Solution
Apply a patch or upgrade
Apply a patch or upgrade, as specified in the EMC Legato Technical Product Alert.
Sun Solstice Backup and StorEdge Enterprise Backup customers should see Sun Alert 101866 for patch availability.
Restrict access
You may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by NetWorker (typically TCP and UDP ports 7937-9936). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
Systems Affected
Vendor | Status | Date Updated
EMC Software | Vulnerable | 16-Aug-2005
Fujitsu Limited | Vulnerable | 24-Aug-2005
NEC | Vulnerable | 24-Aug-2005
Sun Microsystems, Inc. | Vulnerable | 19-Sep-2005
References
http://www.legato.com/support/websupport/product_alerts/081605_NW-7x.htm
http://www.legato.com/support/websupport/product_alerts/081605_NW_authentication.htm
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101886-1
http://www.legato.com/support/websupport/tech_bulletins/?includefile=388.html
http://www.legato.com/products/networker/
http://secunia.com/advisories/16464/
http://secunia.com/advisories/16470/
http://www.cnn.com/2005/TECH/internet/07/25/hackers.backup.software.reut/index.html
Credit
Thanks to the NOAA NCIRT Lab for reporting this vulnerability
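The "NetWorker authentication" and "The problem" sections of the advisory quoted above say that AUTH_UNIX identity is whatever the client puts in the RPC call. The following is an added example, not part of the original post or of the advisory: it decodes the AUTH_UNIX credential of an ONC RPC call (RFC 5531 layout) and flags a UID 0 claim from a source outside an allowlist. The program number 0x20000001, the host name "ws42", the IP addresses and the allowlist itself are constructed assumptions.

```python
import struct
AUTH_UNIX = 1                # RFC 5531 credential flavor (also called AUTH_SYS)
CALL, RPC_VERSION = 0, 2

def parse_auth_unix(msg):
    """Return the identity an ONC RPC CALL asserts via AUTH_UNIX, else None."""
    try:
        xid, mtype, rpcvers, prog, vers, proc, flavor, clen = struct.unpack_from(">8I", msg, 0)
        if (mtype, rpcvers, flavor) != (CALL, RPC_VERSION, AUTH_UNIX):
            return None
        off, end = 32, 32 + clen
        if clen < 20 or clen > 400 or end > len(msg):   # credential body is at most 400 bytes
            return None
        _stamp, nlen = struct.unpack_from(">2I", msg, off)
        off += 8
        if nlen > 255 or off + ((nlen + 3) & ~3) + 12 > end:   # machinename <= 255 bytes
            return None
        name = msg[off:off + nlen].decode("ascii", "replace")
        off += (nlen + 3) & ~3                           # XDR pads strings to 4 bytes
        uid, gid, ngids = struct.unpack_from(">3I", msg, off)
        off += 12
        if ngids > 16 or off + 4 * ngids > end:          # at most 16 supplementary gids
            return None
        gids = list(struct.unpack_from(">%dI" % ngids, msg, off))
    except struct.error:                                 # message too short to decode
        return None
    return {"prog": prog, "proc": proc, "machinename": name, "uid": uid, "gid": gid, "gids": gids}

def review_call(src_ip, msg, trusted_sources):
    """Nothing in the message proves the uid, so the sending host is the only control."""
    cred = parse_auth_unix(msg)
    if cred is None:
        return "not-auth-unix"
    if cred["uid"] == 0 and src_ip not in trusted_sources:
        return "alert: uid 0 asserted by untrusted source %s (%s)" % (src_ip, cred["machinename"])
    return "ok"

def constructed_call(uid, machinename, prog=0x20000001):
    """Constructed sample input for the checks: a CALL header with an AUTH_UNIX credential."""
    raw = machinename.encode("ascii")
    padded = raw + b"\0" * (-len(raw) % 4)
    body = struct.pack(">2I", 0, len(raw)) + padded + struct.pack(">3I", uid, 0, 0)
    return (struct.pack(">8I", 1, CALL, RPC_VERSION, prog, 1, 0, AUTH_UNIX, len(body))
            + body + struct.pack(">2I", 0, 0))           # empty AUTH_NONE verifier

if __name__ == "__main__":
    trusted = {"192.0.2.10"}                             # assumed backup-server address
    for src in ("192.0.2.10", "198.51.100.7"):
        print(src, review_call(src, constructed_call(0, "ws42"), trusted))
```

The decoder never checks the UID against anything because the message carries no proof of it, which is why the advisory's "Restrict access" section falls back on limiting which hosts can reach the service.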


ble1
May 26th, 2007 11:00
tlemons1
June 12th, 2007 07:00
I just used Nessus to test NetWorker for Linux V7.3.2 Jumbo 1. This NW version still has the Nessus-detected vulnerability: "Arbitrary code can be executed on the remote host". The first two links in the base posting of this thread are no longer viable. Is there a patch for this problem?
Thanks!
tl
ble1
June 12th, 2007 10:00
tlemons1
June 12th, 2007 11:00
ble1
June 12th, 2007 14:00
tlemons1
June 25th, 2007 10:00
tl
tlemons1
June 25th, 2007 11:00
ble1
June 25th, 2007 11:00
ble1
June 25th, 2007 13:00