(Sun Issues Fix for StorEdge) Legato NetWorker AUTH_UNIX, Database, and Portmapper Authentication Can Be Bypassed By Remote Users
|
SecurityTracker Alert ID: 1014717
|
SecurityTracker URL: http://securitytracker.com/id/1014717
|
CVE Reference:
CVE-2005-0357, CVE-2005-0358, CVE-2005-0359
|
Updated: Sep 7 2005
|
Original Entry Date: Aug 17 2005
|
Impact:
Disclosure of system information, Disclosure of user information, Root access via local system, Root access via network, User access via local system, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
|
Description:
Several vulnerabilities were reported in the authentication mechanisms of Legato NetWorker. A remote user may be able to bypass the authentication process. Sun StorEdge Enterprise Backup Software is affected.
The AUTH_UNIX authentication mechanism used for RPC service authentication does not sufficiently authenticate remote users [CVE-2005-0357]. A remote user can spoof the username to bypass the authentication mechanism used by nwadmin, nsradmin, and nsrports. A remote user can also spoof the UID to bypass the authentication mechanism used by recover and nsrexecd.
As a result, a remote user can execute arbitrary commands on the target client system, view or modify the server configuration, modify the ports used by NetWorker, and view files that have been backed up by other NetWorker clients. A local user may also be able to gain elevated privileges on the target system.
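AUTH_UNIX (called AUTH_SYS in RFC 5531) cannot authenticate a caller because the credential is only a set of fields the client fills in. The following added example, which is not from the advisory or the vendor, parses an RPC call on the defender's side and flags AUTH_SYS calls from peers outside an allowlist; `audit_call` is a hypothetical helper, and the program number, peer addresses and sample message are constructed placeholders.

```python
import struct
AUTH_SYS = 1  # RFC 5531 flavor number; AUTH_UNIX is the older name

class Xdr:  # minimal big-endian XDR reader with bounds checks
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated RPC message")
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value
    def opaque(self, limit):
        size = self.u32()
        if size > limit or self.pos + size > len(self.data):
            raise ValueError("bad opaque length")
        body = self.data[self.pos:self.pos + size]
        self.pos += (size + 3) & ~3  # XDR pads to a 4-byte boundary
        return body

def audit_call(msg, peer_ip, trusted_peers):
    """Return (claims, findings) for one RPC call (TCP record mark removed)."""
    x = Xdr(msg)
    _xid, mtype, rpcvers, prog, _vers, proc = (x.u32() for _ in range(6))
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    flavor, cred = x.u32(), x.opaque(400)
    claims = {"prog": prog, "proc": proc, "flavor": flavor}
    if flavor != AUTH_SYS:
        return claims, []
    c = Xdr(cred)
    c.u32()  # stamp: arbitrary value chosen by the client
    claims["machine"] = c.opaque(255).decode("ascii", "replace")
    claims["uid"], claims["gid"] = c.u32(), c.u32()
    ngids = c.u32()
    if ngids > 16:
        raise ValueError("too many supplementary gids")
    claims["gids"] = [c.u32() for _ in range(ngids)]
    findings = ["AUTH_SYS identity is asserted by the client, not proven"]
    if peer_ip not in trusted_peers:
        findings.append("AUTH_SYS call from peer outside the allowlist")
        if claims["uid"] == 0:
            findings.append("peer outside the allowlist claims uid 0")
    return claims, findings

# Constructed sample call: placeholder program 0x20000001, machine "client-a"
_cred = struct.pack(">II8sIII", 0x1234, 8, b"client-a", 0, 0, 0)
SAMPLE_CALL = (struct.pack(">6I", 1, 0, 2, 0x20000001, 1, 1)
               + struct.pack(">II", AUTH_SYS, len(_cred)) + _cred
               + struct.pack(">II", 0, 0))  # AUTH_NONE verifier, not parsed here
```

Every value in `claims` comes straight from the request, so a service that authorizes on them alone is trusting the caller's own statement; the allowlist check here stands in for whatever network-level restriction is in place until the patches are applied.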
A remote user can modify the database access token to gain administrative privileges [CVE-2005-0358]. This allows the remote user to execute arbitrary commands on the target NetWorker server with root privileges and to compromise target NetWorker clients.
A remote user can access the Legato PortMapper (lgtomapper) and issue pmap_set and pmap_unset calls [CVE-2005-0358]. A remote user can unregister existing NetWorker RPC services or register new RPC services. This may cause denial of service conditions or may allow the user to monitor NetWorker process communications.
The vendor's advisories are available at:
http://www.legato.com/support/websupport/product_alerts/081605_NW_authentication.htm
http://www.legato.com/support/websupport/product_alerts/081605_NW_token_authentication.htm
http://www.legato.com/support/websupport/product_alerts/081605_NW_port_mapper.htm
|
Impact:
A remote user can execute arbitrary commands on the target client system, view or modify the server configuration, modify the ports used by NetWorker, and view files that have been backed up by other NetWorker clients.
A remote user can execute arbitrary commands on the target NetWorker server with root privileges.
A remote user can cause denial of service conditions.
A remote user can monitor NetWorker process communications.
A local user may be able to gain elevated privileges on the target system.
|
Solution:
Sun reported that the following Sun products are affected by the Legato NetWorker vulnerabilities:
SPARC Platform
* Solstice Backup (SBU) 6.0
* Solstice Backup (SBU) 6.1
* Sun StorEdge Enterprise Backup Software (EBS) 7.0
* Sun StorEdge Enterprise Backup Software (EBS) 7.1
* Sun StorEdge Enterprise Backup Software (EBS) 7.1L
* Sun StorEdge Enterprise Backup Software (EBS) 7.2
x86 Platform
* Solstice Backup (SBU) 6.0
* Solstice Backup (SBU) 6.1
* Sun StorEdge Enterprise Backup Software (EBS) 7.0
* Sun StorEdge Enterprise Backup Software (EBS) 7.1
* Sun StorEdge Enterprise Backup Software (EBS) 7.2
Sun has issued the following fixes:
SPARC Platform
* Sun StorEdge Enterprise Backup Software (EBS) 7.1 with patch 119670-01 or later
* Sun StorEdge Enterprise Backup Software (EBS) 7.1L with patch 120649-01 or later
* Sun StorEdge Enterprise Backup Software (EBS) 7.2 32-bit version with patch 116831-01 or later
* Sun StorEdge Enterprise Backup Software (EBS) 7.2 64-bit version with patch 116832-01 or later
* Sun StorEdge Enterprise Backup Software (EBS) 7.2L with patch 116834-01 or later
x86 Platform
* Sun StorEdge Enterprise Backup Software (EBS) 7.1 with patch 119671-01 or later
* Sun StorEdge Enterprise Backup Software (EBS) 7.2 with patch 116833-01 or later
|
Vendor URL: sunsolve.sun.com/search/document.do?assetkey=1-26-101886-1
|
Cause:
Authentication error
|
Underlying OS:
UNIX (Solaris - SunOS)
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 17 Aug 2005 00:16:43 -0400
Subject: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101886-1
|
# Sun Alert ID: 101886
# Synopsis: Security Vulnerabilities in the Sun StorEdge Enterprise Backup Software
# Category: Security
#
# Product: Sun StorEdge Enterprise Backup Software 7.2, Sun StorEdge Enterprise Backup Software 7.0, Solstice Backup 6.0 Software, Solstice Backup 6.1 Software, Sun StorEdge Enterprise Backup Software 7.1
# BugIDs: 6299292, 6299296, 6299285
# Avoidance: None
# State: Workaround
# Date Released: 16-Aug-2005
# Date Closed:
# Date Modified:
CAN-2005-0357, CAN-2005-0358, CAN-2005-0359