>Possible DoS for hosts running Veritas Netbackup Client
>
>Tested OS: solaris 7
>Netbackup Version: NetBackup-Solaris2.6 3.2GA
>
>Cause a remote host running Veritas Netbackup client to
>fully utilize its cpu(s).
>
>Here's the DoS. Run multiple nc (netcat) commands using a full
>range of ports from some remote host against a host running
>the netbackup client. Such as:
>
>   # nc -z -n -w 10 ip_host_to_attack 1-65535
>   # nc -z -n -w 10 ip_host_to_attack 1-65535
>   # nc -z -n -w 10 ip_host_to_attack 1-65535
>
>You need to run n+1 netcats, where n is the number of cpus, to use
>all available cpus on a box. So, a 2 processor box would require
>3 netcats. I'm sure there's a more elegant way of doing this.
>
>The offending process is bpjava-msvc. It's run from inetd.conf. The
>exact reason this is happening is unclear. However, bpjava-msvc opens
>on its port defined in /etc/services, via inetd, then apparently opens
>an arbitrary higher numbered port. netcat then connects to this port.
>I don't care to speculate what happens next, because I don't know.
>
>The higher numbered ports must not be blocked between the 2 hosts.
>
>Scott Parks


I was unable to reproduce this on the following systems with the
'bpjava-msvc' service running:

Windows 2000 Server, NetBackup 3.4, server
Windows 2000 Server, NetBackup 3.4, client
Novell IntraNetWare 4.11, NetBackup 3.4, client
AIX 4.3, NetBackup 3.4, server
AIX 4.3, NetBackup 3.4, client
HP/UX 10.20, NetBackup 3.4, client
Solaris 2.6, NetBackup 3.4, client

That's not to say that it's fixed in 3.4, but there may be more to the
equation than just having bpjava-msvc running.

The 'bpjava-msvc' service is part of NetBackup's Java console interface
and is required for both local and remote control via the Java interface.
It installs to /etc/services as 13722/tcp.  For *IX systems, where it is
run from inetd, use tcp_wrappers to only allow connections from
designated systems (say the local media and database server(s)) to that
port.  The other thing to do would be to simply disable Java services
altogether and use the X11 administration interface (`xnb`).  NT/2000
systems would be pretty much the same if they are affected by this.
Veritas uses its own version of inetd ("C:\Program
Files\VERITAS\NetBackup\bin\bpinetd.exe" by default) to manage the
bp/volmgr processes for NT, but I can't find anything equivalent to
inetd.conf.  The thing to do there would probably be to use NT's built-in
TCP/IP filtering rules to restrict access to 13722/tcp to only machines
that need it.

PaulM
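
The tcp_wrappers restriction suggested in the reply above only takes effect if the inetd entry is actually launched through tcpd and hosts.deny covers the daemon. The following is an added example, not part of the thread and not Veritas code, that checks both for a given service. The `/path/to/...` locations, the 192.0.2.x addresses, the function names and the status words are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether an inetd service is really restricted by
# tcp_wrappers. /path/to/... and 192.0.2.x are constructed placeholders.

# rule_clients DAEMON FILE: client list of the first rule naming DAEMON or ALL.
# Simplification: real tcp_wrappers also matches the connecting client per rule.
rule_clients() {
    awk -F: -v d="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { n = split($1, names, /[ \t,]+/)
          for (i = 1; i <= n; i++)
              if (names[i] == d || names[i] == "ALL") {
                  gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
              } }' "$2"
}

# wrapper_status SERVICE INETD_CONF HOSTS_ALLOW HOSTS_DENY
# Prints: missing | unwrapped | no-default-deny | not-allowed | open | restricted
wrapper_status() {
    # inetd.conf fields: service socket proto wait user server argv0 args...
    entry=$(awk -v s="$1" '$1 == s { print $6, $7; exit }' "$2")
    [ -n "$entry" ] || { echo missing; return; }
    server=${entry%% *}; daemon=${entry##* }; daemon=${daemon##*/}
    case $server in */tcpd) ;; *) echo unwrapped; return ;; esac
    # tcp_wrappers grants access when no rule in either file matches, so an
    # allow list restricts nothing unless hosts.deny also covers the daemon.
    [ -n "$(rule_clients "$daemon" "$4")" ] || { echo no-default-deny; return; }
    case $(rule_clients "$daemon" "$3") in
        "")  echo not-allowed ;;   # denied for everyone, console hosts included
        ALL) echo open ;;          # allow rule admits any client
        *)   echo restricted ;;    # only the listed clients reach the daemon
    esac
}

# Constructed sample files: an unwrapped entry and a wrapped one.
demo_dir=$(mktemp -d)
cat > "$demo_dir/inetd.bad" <<'EOF'
bpjava-msvc stream tcp nowait root /path/to/bpjava-msvc bpjava-msvc
EOF
cat > "$demo_dir/inetd.good" <<'EOF'
bpjava-msvc stream tcp nowait root /path/to/tcpd /path/to/bpjava-msvc
EOF
printf 'bpjava-msvc: 192.0.2.10, 192.0.2.11\n' > "$demo_dir/hosts.allow"
printf 'ALL: ALL\n' > "$demo_dir/hosts.deny"
: > "$demo_dir/empty"
for conf in inetd.bad inetd.good; do
    echo "$conf: $(wrapper_status bpjava-msvc "$demo_dir/$conf" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny")"
done
```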
