1. Introduction
VERITAS Backup Agent Detection indicates a backup agent is running on a remote host. This means the Network Data Management Protocol (NDMP) is in use, potentially creating an attack surface if not properly secured. Systems commonly affected are servers running VERITAS NetBackup or similar backup solutions. A successful exploit could compromise confidentiality, integrity and availability of backed-up data.
2. Technical Explanation
The vulnerability stems from the presence of a Backup Agent utilising NDMP. Attackers can potentially exploit NDMP to gain unauthorised access to backups and the underlying host system. Preconditions include network connectivity to the agent and, in some cases, default or weak credentials. There is no known CVE associated with this detection alone; however, specific exploits targeting NDMP implementations exist.
- Root cause: The use of NDMP introduces a separate data path that may not be subject to the same security controls as other system services.
- Exploit mechanism: An attacker could attempt to connect to the NDMP service and leverage vulnerabilities in its implementation to execute arbitrary commands or access sensitive data. For example, an attacker might exploit a buffer overflow vulnerability within the NDMP protocol handler.
- Scope: Affected platforms include servers running VERITAS NetBackup with enabled NDMP functionality. Specific versions depend on the NetBackup release.
3. Detection and Assessment
Confirming the presence of the agent is the first step in assessing risk. A quick check can identify if the service is running, while a thorough method involves examining process lists and network listeners.
- Quick checks: Use the following command to list processes containing “ndmp”:
ps -ef | grep ndmp
- Scanning: Nessus plugin ID 139285 may identify NDMP services. This is an example only, and results should be verified.
- Logs and evidence: Check VERITAS NetBackup logs for entries related to NDMP connections or activity. Log locations vary by installation but are typically found in /opt/netbackup/logs or similar directories.
4. Solution / Remediation Steps
The following steps outline how to mitigate the risk associated with a running Backup Agent using NDMP.
4.1 Preparation
- Dependencies include access to the NetBackup management console and appropriate permissions. The rollback plan is to restore the NetBackup configuration from backup.
- A change window may be required, especially for production systems. Approval should be obtained from the system owner or security team.
4.2 Implementation
- Step 1: Disable NDMP functionality within the NetBackup management console if it is not actively used.
- Step 2: If NDMP must remain enabled, ensure strong authentication and access controls are in place.
- Step 3: Review NetBackup configuration to restrict NDMP access to only authorized hosts.
4.3 Config or Code Example
Before
# NDMP enabled with default settings (example)
ndmp_enabled = true
access_control = all
After
# NDMP disabled or restricted access
ndmp_enabled = false
access_control = 192.168.1.0/24 # Restrict to specific network only if needed.
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent issues related to NDMP and backup agents.
- Practice 1: Least privilege – restrict access to the NetBackup management console and NDMP service to only authorized personnel.
- Practice 2: Secure defaults – configure NetBackup with strong default settings, including password complexity and encryption.
4.5 Automation (Optional)
# Example Ansible snippet to disable NDMP (use with caution!)
- name: Disable NDMP in NetBackup configuration
  become: yes
  lineinfile:
    path: /opt/netbackup/config/ndmp.conf # Adjust path as needed
    regexp: '^ndmp_enabled = true$'
    line: 'ndmp_enabled = false'
    # Note: if the regexp matches nothing, lineinfile appends the line at the end of the file.
5. Verification / Validation
Confirming the fix involves verifying that NDMP is disabled or properly restricted.
- Post-fix check: Run
ps -ef | grep ndmp
again; no processes containing “ndmp” should be listed if it has been disabled.
- Re-test: Re-run the initial detection method to confirm that NDMP is no longer accessible or identified as a risk.
- Monitoring: Monitor NetBackup logs for any unexpected NDMP activity or connection attempts.
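The quick checks in section 3 and the post-fix check and monitoring items above can be scripted. The following Python script is an added example, not part of the original page and not Veritas tooling: it parses `ps -ef` and `ss -ltnp` output (live, or as here constructed samples) for NDMP processes and listeners, skipping the grep process that `ps -ef | grep ndmp` always matches itself, and flags NDMP connection log entries whose source lies outside the permitted network from section 4.3. The paths, PIDs, log line format and addresses are constructed; the `ss` command and TCP port 10000 (NDMP's IANA-registered port) are assumptions about the host, not something the page states.

```python
"""Offline detection helpers for the NDMP quick checks and the post-fix check.

The parse functions take text in the format produced by `ps -ef`, `ss -ltnp`
and a plain-text log, so they can be fed live output on a host or, as here,
constructed samples.  Everything marked hypothetical below is made up.
"""
import ipaddress
import re

NDMP_PORT = 10000  # IANA-registered TCP port for NDMP (assumption: agent uses it)


def find_ndmp_processes(ps_text):
    """Return (pid, command) for every `ps -ef` row whose command mentions ndmp.
    The grep that produced the listing is skipped: `ps -ef | grep ndmp` always
    matches its own grep process, a classic false positive."""
    found = []
    for line in ps_text.splitlines():
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8 or fields[1] == "PID":
            continue
        pid, cmd = fields[1], fields[7]
        if "ndmp" not in cmd.lower():
            continue
        if cmd.split()[0].endswith("grep"):
            continue
        found.append((pid, cmd))
    return found


def find_ndmp_listeners(ss_text):
    """Return listening ports from `ss -ltnp` output that are either the NDMP
    port or owned by a process whose name contains ndmp."""
    ports = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])  # works for 0.0.0.0:10000 and [::]:10000
        if port == NDMP_PORT or "ndmp" in line.lower():
            ports.append(port)
    return ports


IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def unexpected_ndmp_connections(log_lines, allowed_networks):
    """Return source IPs of NDMP connection log entries that fall outside the
    allowed networks (the access_control CIDR from section 4.3)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in log_lines:
        lowered = line.lower()
        if "ndmp" not in lowered or "connection" not in lowered:
            continue
        m = IP_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in n for n in nets):
            hits.append(str(ip))
    return hits


def assess(ps_text, ss_text, log_lines, allowed_networks):
    """Combine the three checks; after a successful fix, processes and
    listeners should both be empty."""
    return {
        "processes": find_ndmp_processes(ps_text),
        "listeners": find_ndmp_listeners(ss_text),
        "unexpected_connections": unexpected_ndmp_connections(log_lines, allowed_networks),
    }


# Constructed sample output; paths, PIDs, addresses and log format are hypothetical.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      1234     1  0 Jan10 ?        00:00:03 /opt/netbackup/bin/ndmpagent
root      2345     1  0 Jan10 ?        00:00:01 /opt/netbackup/bin/bpbrm
root      5678  4321  0 10:02 pts/0    00:00:00 grep ndmp
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:10000       0.0.0.0:*         users:(("ndmpagent",pid=1234,fd=5))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=800,fd=7))
"""
SAMPLE_LOG = [
    "2024-01-10 10:01:02 ndmpagent: NDMP connection from 192.168.1.55 accepted",
    "2024-01-10 10:01:05 bpbrm: backup job 4412 started",
    "2024-01-10 10:03:17 ndmpagent: NDMP connection from 10.0.0.9 authentication failed",
]

if __name__ == "__main__":
    print(assess(SAMPLE_PS, SAMPLE_SS, SAMPLE_LOG, ["192.168.1.0/24"]))
```

On a live host, replace the samples with the output of `ps -ef`, `ss -ltnp` and the NetBackup log file for your installation; the log regex only knows the constructed "connection from <ip>" wording, so adjust it to the real log format.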
6. Preventive Measures and Monitoring
Several measures can help prevent similar issues in the future.
- Baselines: Update your security baseline to include a requirement for disabling unnecessary NDMP functionality or enforcing strong access controls.
- Pipelines: Incorporate configuration checks into your CI/CD pipeline to ensure that NetBackup is configured securely.
- Asset and patch process: Implement a regular patch management cycle for NetBackup to address known vulnerabilities.
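For the pipeline check above, and as a validator for the before/after configuration in section 4.3, here is an added Python example (not the page's own code and not a Veritas tool). It assumes the page's illustrative `key = value` layout with the keys `ndmp_enabled` and `access_control`; that layout is not a documented NetBackup file format, so `parse_config` would need adapting to the real file on your installation.

```python
"""CI-style configuration check for the NDMP settings shown in section 4.3.

Passes when NDMP is disabled, or when it is enabled and access_control names
a specific network rather than every host.  The file format is the page's
illustrative one (hypothetical), not a documented NetBackup format.
"""
import ipaddress
import sys


def parse_config(text):
    """Parse `key = value` lines; '#' starts a comment, blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def check_ndmp_config(text, max_hosts=256):
    """Return a list of findings; an empty list means the config passes.
    Rules: NDMP disabled passes outright; if enabled, access_control must be
    one or more valid networks, none of them the 'everyone' wildcard and none
    larger than max_hosts addresses (a /24 by default)."""
    cfg = parse_config(text)
    findings = []
    enabled = cfg.get("ndmp_enabled", "false").lower() in ("true", "yes", "1")
    if not enabled:
        return findings
    acl = cfg.get("access_control", "all").lower()
    if acl in ("all", "any", "*", "0.0.0.0/0", "::/0"):
        findings.append("ndmp_enabled is true but access_control allows every host")
        return findings
    for entry in acl.split(","):
        entry = entry.strip()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"access_control entry {entry!r} is not a valid network")
            continue
        if net.num_addresses > max_hosts:
            findings.append(
                f"access_control entry {entry} covers {net.num_addresses} addresses; narrow it"
            )
    return findings


# The two fragments from section 4.3, plus an enabled-but-restricted variant.
BEFORE = """\
# NDMP enabled with default settings (example)
ndmp_enabled = true
access_control = all
"""
AFTER = """\
# NDMP disabled or restricted access
ndmp_enabled = false
access_control = 192.168.1.0/24  # Restrict to specific network only if needed.
"""
RESTRICTED = """\
ndmp_enabled = true
access_control = 192.168.1.0/24
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("restricted", RESTRICTED)):
        print(name, check_ndmp_config(text) or "OK")
    # When given a file path, gate the pipeline: exit non-zero on any finding.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            problems = check_ndmp_config(fh.read())
        for problem in problems:
            print(problem)
        sys.exit(1 if problems else 0)
```

Run it with the path of the configuration file as an argument in the pipeline stage; a non-zero exit fails the stage, and each finding is printed so the owner can see which setting to change.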
7. Risks, Side Effects, and Roll Back
Disabling NDMP may impact backup functionality if it is actively used.
- Risk or side effect 1: Disabling NDMP could interrupt backups that rely on the protocol. Mitigation involves carefully planning the change during a maintenance window.
- Risk or side effect 2: Incorrect configuration changes could lead to data loss or corruption. Mitigation involves testing changes in a non-production environment first.
- Roll back: Restore the NetBackup configuration from backup if any issues occur. Re-enable NDMP functionality and verify that backups are functioning correctly.
8. References and Resources
- Vendor advisory or bulletin: Veritas NetBackup Documentation
- NVD or CVE entry: No specific CVE is associated with this detection alone, but search for NDMP vulnerabilities on the NVD website (https://nvd.nist.gov/).
- Product or platform documentation relevant to the fix: Veritas NetBackup Support