This issue can be exploited by a remote attacker with the ability to run arbitrary commands with root privileges. The attacker must be able to run commands as root on the system where NetBackup is installed. This can be achieved by installing a root SSH server on the network, or by arranging for an attacker to log in to the system as root. The DiscoveryService service is used only by NetBackup to discover dependencies on other components. As such, DiscoveryService is exposed to the network and can be probed by an attacker. This is not a vulnerability in the DiscoveryService code itself. The DiscoveryService code is available to all NetBackup customers. The issue is a result of the DiscoveryService service using the hostname of the system as the source of data. As such, DiscoveryService can be probed by an attacker, who will receive a response containing the system’s hostname. The hostname may be used to launch an attack against the system, such as sending an email with a malicious link or launching a Web request for root login access. This issue can be exploited whenever DiscoveryService is used. Because NetBackup is a critical service on most systems, it is a likely target for such an attack. End users are not likely to be aware of DiscoveryService and are unlikely to understand the risk of using DiscoveryService on a production system. An attacker must have root access to the system in order to exploit this issue. However, since DiscoveryService is used by other services

Vulnerability discovered by Isac Company com .

In order to exploit this vulnerability, an attacker must be able to run commands as root on the system where NetBackup is installed. This can be achieved by installing a root SSH server on the network, or by arranging for an attacker to log in to the system as root. The DiscoveryService service is used only by NetBackup to discover dependencies on other components. As such, DiscoveryService is exposed to the network and can be probed by an attacker.
This issue can be exploited whenever DiscoveryService is used. Because NetBackup is a critical service on most systems, it is a likely target for such an attack. End users are not likely to be aware of DiscoveryService and are unlikely to understand the risk of using DiscoveryService on a production system. An attacker must have root access to the system in order to exploit this issue. However, since DiscoveryService is used by other services, which may expose it back onto the network, it's possible that others could exploit this vulnerability without requiring any privilege escalation at all!

How Does DiscoveryService Use the Hostname?

DiscoveryService uses the hostname of the system as the source of data. In other words, DiscoveryService looks for dependencies on other components on that system. A typical example is where a service on one system has a dependency on another component on another system. An attacker can issue a command to DiscoveryService as root, which causes it to probe the network for systems that have this dependency, and return information about these systems.

Vulnerable package versions

NetBackup versions up to and including 11.1.4 are vulnerable.

DiscoveryService is not vulnerable

The DiscoveryService service is not vulnerable. The issue is a result of the DiscoveryService service using the hostname of the system as the source of data. As such, DiscoveryService can be probed by an attacker, who will receive a response containing the system’s hostname. The hostname may be used to launch an attack against the system, such as sending an email with a malicious link or launching a Web request for root login access. This issue can be exploited whenever DiscoveryService is used. Because NetBackup is a critical service on most systems, it is a likely target for such an attack. End users are not likely to be aware of DiscoveryService and are unlikely to understand the risk of using DiscoveryService on a production system. An attacker must have root access to the system in order to exploit this issue. However, since DiscoveryService is used by other services that rely on it, like NetBackup, there is no way for attackers to know when they might be able to exploit this issue.

Timeline

Published on: 10/03/2022 15:15:00 UTC
Last modified on: 10/04/2022 20:32:00 UTC

References