
How to remediate – VERITAS NetBackup Agent Detection

1. Introduction

VERITAS NetBackup Agent Detection indicates that backup software is running on a remote port. This service, used by the NetBackup Java Console GUI to manage the backup server, presents a risk as an authorized user could potentially use it as a remote shell with system privileges. Systems typically affected are those running VERITAS NetBackup clients and servers. A successful exploit could compromise confidentiality, integrity, and availability of backed-up data and the host itself.

2. Technical Explanation

The vulnerability stems from allowing command execution via messages sent to the NetBackup Java Console service. An attacker who can connect to this service can send a ‘command_EXEC_LIST’ message, which is then executed with system privileges on the remote host. There is no known CVE associated with this specific detection at the time of writing. A realistic example would be an attacker sending commands to list files, modify data, or install malicious software.

  • Root cause: The NetBackup Java Console service allows unvalidated command execution through the ‘command_EXEC_LIST’ message.
  • Exploit mechanism: An attacker connects to the service and sends a crafted ‘command_EXEC_LIST’ message containing their desired command. This command is then executed with system privileges.
  • Scope: Affected platforms are those running VERITAS NetBackup clients, typically Windows, Linux, and Solaris systems. Specific versions depend on the NetBackup installation.

3. Detection and Assessment

To confirm vulnerability, first check for the presence of the service. A thorough assessment involves attempting to send a test command.

  • Quick checks: On Windows, run tasklist /FI "IMAGENAME eq javaw.exe" to list running Java processes and look for entries containing ‘NetBackup Java Console’. On Linux, run ps aux | grep netbackup
  • Scanning: Nessus plugin ID 16384 may identify this issue as a potential vulnerability. This is provided as an example only.
  • Logs and evidence: Check the NetBackup logs located in /logs/javaconsole for connection attempts or command execution events. Event IDs are not consistently defined, so look for unusual activity.
tasklist /FI "IMAGENAME eq javaw.exe"

4. Solution / Remediation Steps

The following steps outline how to mitigate this vulnerability.

4.1 Preparation

  • Ensure you have administrative credentials for the affected systems. A roll back plan involves restoring from the pre-change backup and restarting the service.
  • A change window is recommended due to potential disruption of backup operations. Approval should be obtained from the IT Backup team lead.

4.2 Implementation

  1. Step 1: Disable remote access to the NetBackup Java Console service if it’s not required. This can be done through Windows Firewall or equivalent on other platforms.
  2. Step 2: Restrict network access to the service using firewall rules, allowing only authorized hosts to connect.
  3. Step 3: Review and update NetBackup security settings to enforce strong authentication and authorization for all connections.

4.3 Config or Code Example

Before

# No firewall rules blocking access to NetBackup Java Console port (e.g., 7915)

After

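# Windows Firewall rule blocking inbound connections to the NetBackup Java Console port (e.g., 7915).
# A Block rule denies the addresses listed in -RemoteAddress and overrides any Allow rule, so list the sources to deny here, not the trusted IPs; trusted hosts are permitted by an Allow rule scoped to their addresses.
# "<ADDRESS_TO_BLOCK>" is a placeholder for the address to deny.
New-NetFirewallRule -DisplayName "Block NetBackup Java Console Access" -Direction Inbound -Protocol TCP -LocalPort 7915 -RemoteAddress "<ADDRESS_TO_BLOCK>/32" -Action Block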

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this type of issue.

  • Practice 1: Least privilege – limit user access rights to only what is necessary, reducing the impact if an account is compromised.
  • Practice 2: Network segmentation – isolate critical systems and services from untrusted networks to reduce attack surface.
  • Practice 3: Secure defaults – configure services with strong security settings by default, minimizing the need for manual configuration.

4.5 Automation (Optional)

# Example PowerShell script to block NetBackup Java Console port on multiple servers:
$servers = @("server1", "server2", "server3") # Replace with your server list
$blockedAddress = "<ADDRESS_TO_BLOCK>/32" # Placeholder for the address to deny
foreach ($server in $servers) {
  Write-Host "Blocking NetBackup Java Console access on $server..."
  # New-NetFirewallRule has no -ComputerName parameter; a remote host is targeted with -CimSession
  New-NetFirewallRule -DisplayName "Block NetBackup Java Console Access" -Direction Inbound -Protocol TCP -LocalPort 7915 -RemoteAddress $blockedAddress -Action Block -CimSession $server
}

5. Verification / Validation

Confirm the fix by checking firewall rules and attempting to connect to the service from an unauthorized host.

  • Post-fix check: Use Get-NetFirewallRule -DisplayName "Block NetBackup Java Console Access" on Windows to verify the rule is present.
  • Re-test: Attempt to connect to the NetBackup Java Console service from a non-trusted host. The connection should be blocked by the firewall.
  • Smoke test: Verify that authorized users can still manage backups through the NetBackup GUI.
  • Monitoring: Monitor firewall logs for blocked connections on port 7915 as an example of regression detection.
Get-NetFirewallRule -DisplayName "Block NetBackup Java Console Access"
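
Added example (not part of the original article): the presence of a rule with the expected name does not show that the port is restricted, so this audit lists every enabled inbound Allow rule that covers the port and flags those open to any remote address. Port 7915 is the article's example port; the function names Test-PortInSpec and Get-InboundAllowRuleForPort are hypothetical.

```powershell
# Added example: audit which enabled inbound Allow rules expose a TCP port.
# Assumptions: 7915 is the article's example port; both function names
# below are hypothetical helpers, not NetBackup or Windows commands.

function Test-PortInSpec {
    # True when one LocalPort entry ('Any', '7915', '7000-8000') covers $Port.
    param([string]$Spec, [int]$Port)
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Spec -eq "$Port")
}

function Get-InboundAllowRuleForPort {
    param([int]$Port = 7915)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule  = $_
            $ports = $rule | Get-NetFirewallPortFilter
            # Skip rules for other protocols (UDP, ICMP, ...).
            if ($ports.Protocol -notin 'TCP', 'Any') { return }
            $covers = @($ports.LocalPort) | Where-Object { Test-PortInSpec $_ $Port }
            if (-not $covers) { return }
            $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
            [pscustomobject]@{
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = @($ports.LocalPort) -join ','
                RemoteAddress = $remote -join ','
                OpenToAny     = ($remote -contains 'Any')   # not limited to trusted hosts
            }
        }
}

# With DefaultInboundAction Block, traffic that no Allow rule matches is
# dropped, so only the rules reported below can open the port.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction -AutoSize

# Rules with OpenToAny = True need their RemoteAddress scoped to trusted hosts.
Get-InboundAllowRuleForPort -Port 7915 |
    Sort-Object OpenToAny -Descending |
    Format-Table -AutoSize
```

Rules scoped to a specific program or service are reported as well and should be reviewed by hand.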

6. Preventive Measures and Monitoring

Update security baselines and implement checks in CI/CD pipelines to prevent similar issues.

  • Baselines: Update your security baseline or policy to include a requirement for restricting network access to critical services like NetBackup Java Console.
  • Asset and patch process: Implement a regular review cycle for security settings on all systems, including NetBackup components.

7. Risks, Side Effects, and Roll Back

Blocking access to the service may disrupt backup operations if legitimate users or systems are blocked.

  • Risk or side effect: False positives – carefully configure firewall rules to avoid blocking legitimate traffic.
  • Roll back: Remove the firewall rule created in Step 1 and restart the NetBackup Java Console service if necessary. Restore from backup if issues persist.

8. References and Resources

  • Vendor advisory or bulletin: (Check for relevant security alerts)
  • NVD or CVE entry: No specific CVE currently exists for this detection.
  • Product or platform documentation relevant to the fix:
Updated on October 26, 2025
