COMMAND

    Netbackup

SYSTEMS AFFECTED

    Veritas Netbackup

PROBLEM

    Scott Parks found the following.  This has been tested on Solaris 7
    with NetBackup-Solaris2.6 3.2GA.  This DoS can cause a remote host
    running the Veritas Netbackup client to fully utilize its CPU(s).

    Here's the DoS.  Run multiple nc (netcat) commands using a full
    range of ports from some remote host against a host running the
    netbackup client, such as:

        # nc -z -n -w 10 ip_host_to_attack 1-65535
        # nc -z -n -w 10 ip_host_to_attack 1-65535
        # nc -z -n -w 10 ip_host_to_attack 1-65535

    You need to run n+1 netcats, where n is the number of CPUs, to use
    all available CPUs on a box.  So, a 2 processor box would require
    3 netcats.

    The offending process is bpjava-msvc.  It's run from inetd.conf.
    The exact reason this is happening is unclear.  However,
    bpjava-msvc opens on its port defined in /etc/services, via inetd,
    then apparently opens an arbitrary higher numbered port.  netcat
    then connects to this port.  The higher numbered ports must not be
    blocked between the 2 hosts.

SOLUTION

    The 'bpjava-msvc' service is part of NetBackup's Java console
    interface and is required for both local and remote control via
    the Java interface.  It installs to /etc/services as 13722/tcp.
    For *IX systems, where it is run from inetd, use tcp_wrappers to
    allow connections to that port only from designated systems (say,
    the local media and database server(s)).  The other thing to do
    would be to simply disable Java services altogether and use the
    X11 administration interface (`xnb`).  NT/2000 systems would be
    pretty much the same if they are affected by this.  Veritas uses
    its own version of inetd ("bpinetd.exe" by default) to manage the
    bp/volmgr processes for NT, but we can't find anything equivalent
    to inetd.conf.  The thing to do there would probably be to use
    NT's built-in TCP/IP filtering rules to restrict access to
    13722/tcp to only machines that need it, or use Legato Networker.
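
    The tcp_wrappers restriction described above can be checked with a
    small audit like the one below.  This is an added example, not part
    of the original advisory or of Veritas' software.  The tcpd location,
    the /path/to/bpjava-msvc placeholder, the client addresses and all
    file contents are constructed assumptions.

```python
import re

SERVICE = "bpjava-msvc"  # service name from the advisory (13722/tcp)

def inetd_entry(inetd_conf, service=SERVICE):
    """Return the fields of the active inetd.conf line for service, or None."""
    for line in inetd_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 6 and fields[0] == service:
            return fields
    return None

def allowed_clients(rules, daemon=SERVICE):
    """Client patterns a hosts.allow/hosts.deny text applies to daemon.
    Handles 'daemons : clients [: command]'; bracketed IPv6 is not parsed."""
    clients = []
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        names = re.split(r"[,\s]+", daemons.strip())
        if daemon in names or "ALL" in names:
            clients += re.split(r"[,\s]+", rest.split(":", 1)[0].strip())
    return [c for c in clients if c]

def audit(inetd_conf, hosts_allow, hosts_deny):
    """Classify how reachable the service is from the three config texts."""
    entry = inetd_entry(inetd_conf)
    if entry is None:
        return "disabled"            # Java service is not offered at all
    if not entry[5].endswith("/tcpd"):
        return "exposed"             # inetd starts the daemon directly
    # tcp_wrappers grants access unless a hosts.deny rule matches, so a
    # hosts.allow list only restricts anything when paired with a deny rule.
    default_deny = "ALL" in allowed_clients(hosts_deny)
    if "ALL" in allowed_clients(hosts_allow) or not default_deny:
        return "wrapped-but-open"
    return "restricted"

# Constructed sample configuration (paths and addresses are placeholders).
INETD_BEFORE = "bpjava-msvc stream tcp nowait root /path/to/bpjava-msvc bpjava-msvc\n"
INETD_AFTER = "bpjava-msvc stream tcp nowait root /usr/sbin/tcpd /path/to/bpjava-msvc\n"
HOSTS_ALLOW = "# media and database servers only\nbpjava-msvc: 192.0.2.10, 192.0.2.11\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    print("before:", audit(INETD_BEFORE, HOSTS_ALLOW, HOSTS_DENY))
    print("after: ", audit(INETD_AFTER, HOSTS_ALLOW, HOSTS_DENY))
```

    A "wrapped-but-open" result means tcpd is in place but nothing in
    hosts.deny matches, so every client is still accepted.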