COMMAND
Netbackup
SYSTEMS AFFECTED
Veritas Netbackup
PROBLEM
Scott Parks found following. This has been tested on Solaris 7
with NetBackup-Solaris2.6 3.2GA. This DoS can cause a remote host
running Veritas Netbackup client to fully utilize it's cpu(s).
Here's the DoS. Run multiple nc (netcat) commands using a full
range of ports from some remote host against a host running the
netbackup client. Such as:
# nc -z -n -w 10 ip_host_to_attack 1-65535
# nc -z -n -w 10 ip_host_to_attack 1-65535
# nc -z -n -w 10 ip_host_to_attack 1-65535
You need to run n+1 netcats, where n is the number of cpu's, to
use all available cpu's on a box. So, a 2 processor box would
require 3 netcats.
The offending process is bpjava-msvc. It's run from inetd.conf.
The exact reason this is happening is unclear. However,
bpjava-msvc opens on it's port defined in /etc/services, via
inetd, then apparently opens a arbitrary higher numbered port.
netcat then connects to this port. The higher numbered ports
must not be blocked between the 2 hosts.
SOLUTION
The 'bpjava-msvc' service is part of NetBackup's Java console
interface and is required for both local and remote control via
the Java interface. It installs to /etc/services as 13722/tcp.
For *IX systems, where it is run from inetd, using tcp_wrappers
to only allow connections from designated systems (say the local
media and database server(s)) to that port. The other thing to
do would be to simply disable Java services altogether and use
the X11 administration interface (`xnb`). NT/2000 systems would
be pretty much the same if they are affected by this. Veritas
uses its own version of inetd ("bpinetd.exe" by default) to manage
the bp/volmgr processes for NT, but we can't find anything
equivalent to inetd.conf. The thing to do there would probably
be to use NT's built-in TCP/IP filtering rules to restrict access
to 13722/tcp to only machines that need it or use Legato
Networker.