Veritas issues patch for NetBackup flaw

The vulnerability in question could let malicious attackers gain remote access to information stored on backup servers.

For Veritas, owned by security-software giant Symantec, this latest flaw in its backup software is the third occurrence in less than four months. In this most case, however, the vulnerability not only affects the server but also users' clients, said Johannes Ullrich, chief research officer for the SANS Institute.

NetBackup 4.5, 5.0, 5.1 and 6.0, running on all platforms and all versions, are affected by the vulnerability, according to a posting on Veritas' support site.

A malicious attacker could remotely exploit a flaw in the Java authentication service, bpjava-msvc, running on NetBackup servers and clients. The attacker potentially could then execute code.

"The problem with this vulnerability is it's not only running on all the desktops, but, even worse, if a malicious hacker gets into the backup server, they have access to all your backup information," Ullrich said.

Though no exploit code has been found, hackers are laying the groundwork needed to take advantage of the flaw once exploit code is available, Ullrich noted. Hackers are scanning a far more computer systems to ascertain if the systems are vulnerable.

He added that users, especially those who experienced a fallout several months ago from the earlier Veritas vulnerability, are likely to patch the most recent flaw quickly.

"A few months ago, there was a similar (Veritas) backup problem that was widespread and caused a lot of headaches," Ullrich said. "People who didn't patch quickly last time will do it much faster this time."