CVE-2005-3659 in Legato NetWorker

Summary

by MITRE

nsrd.exe in EMC Legato NetWorker 7.1.x before 7.1.4 and 7.2.x before 7.2.1.Build.314, and other products such as Sun Solstice Backup (SBU) 6.0 and 6.1 and StorEdge Enterprise Backup Software (EBS) 7.1 through 7.2L, allows remote attackers to cause a denial of service (nsrd service crash) via a malformed RPC request to RPC program number 390109, which triggers a null dereference.


Analysis

by VulDB Data Team • 07/15/2019

The vulnerability identified as CVE-2005-3659 represents a critical remote denial of service flaw affecting multiple enterprise backup solutions including EMC Legato NetWorker, Sun Solstice Backup, and StorEdge Enterprise Backup Software. This vulnerability specifically targets the nsrd.exe daemon component that handles remote procedure calls for backup operations. The flaw manifests when the system receives a malformed RPC request directed at RPC program number 390109, which triggers an exploitable null pointer dereference condition within the application's memory management routines.

The technical implementation of this vulnerability stems from inadequate input validation within the RPC processing framework of these backup applications. When the nsrd service receives a specially crafted RPC request with malformed parameters, the application fails to properly validate the incoming data structure before attempting to dereference pointers within the request handling code. This particular RPC program number 390109 serves as the designated interface for backup operations within these systems, making it a prime target for exploitation. The null dereference occurs because the application attempts to access memory at address zero or an uninitialized pointer, causing the service to crash and terminate unexpectedly.

The operational impact of this vulnerability extends beyond simple service disruption as it affects critical backup infrastructure that organizations rely upon for data protection and recovery operations. When the nsrd service crashes, all backup operations halt immediately, potentially leaving systems in an unprotected state while administrators work to restore the service. This vulnerability is particularly dangerous in enterprise environments where backup windows are tight and automated backup schedules are critical for maintaining data integrity. The remote nature of the attack means that malicious actors can exploit this flaw without requiring physical access to the systems, making it a significant threat vector for unauthorized disruption of backup operations. Organizations with multiple backup servers running affected versions could experience cascading failures if the vulnerability is exploited across their infrastructure.

Mitigation strategies for this vulnerability require immediate patch application from vendors, as the flaw was addressed through code modifications that implement proper input validation for RPC requests. System administrators should prioritize updating all affected versions of EMC Legato NetWorker, Sun Solstice Backup, and StorEdge Enterprise Backup Software to their patched releases. Network segmentation and firewall rules can provide temporary protection by restricting access to RPC program number 390109, though this approach does not eliminate the underlying vulnerability. The vulnerability aligns with CWE-476, which describes null pointer dereference conditions, and represents a classic example of how improper input validation can lead to service availability compromise. From an ATT&CK framework perspective, this vulnerability maps to T1499.004, specifically covering the exploitation of backup systems for denial of service, and demonstrates how attackers can leverage legitimate system interfaces to disrupt critical infrastructure operations. Organizations should also implement monitoring for unusual RPC traffic patterns and establish incident response procedures specifically addressing backup service disruptions to minimize the impact of such exploits.
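The monitoring suggested above can start from the ONC RPC call header, which carries the program number in a fixed position. The following is an added example, not code from VulDB or the vendors: it applies generic RFC 5531 structural checks (the advisory does not say what the malformation is) and flags calls to program 390109 that are malformed or come from an unexpected source. The allow-list, the addresses and the sample messages are assumptions constructed for illustration.

```python
import struct

NSRD_PROG = 390109               # RPC program number named in the advisory
MAX_AUTH_LEN = 400               # RFC 5531 cap on an opaque_auth body
ALLOWED_SOURCES = {"10.0.5.10"}  # assumption: hosts permitted to reach nsrd

def parse_rpc_call(msg: bytes) -> dict:
    """Parse an ONC RPC v2 call header; raise ValueError if it is malformed."""
    if len(msg) < 24:
        raise ValueError("truncated call header")
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", msg[:24])
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 CALL")
    off = 24
    for field in ("cred", "verf"):           # two opaque_auth structures
        if len(msg) < off + 8:
            raise ValueError(f"truncated {field}")
        _flavor, length = struct.unpack(">2I", msg[off:off + 8])
        if length > MAX_AUTH_LEN:
            raise ValueError(f"{field} length {length} exceeds limit")
        off += 8 + ((length + 3) & ~3)       # XDR pads opaque data to 4 bytes
        if off > len(msg):
            raise ValueError(f"{field} body truncated")
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "args_len": len(msg) - off}

def classify(src_ip: str, msg: bytes) -> str:
    """Triage one RPC message (UDP payload, or TCP with record mark removed)."""
    if len(msg) < 16:
        return "ignore"                      # too short to name a program
    mtype, _vers, prog = struct.unpack(">3I", msg[4:16])
    if mtype != 0 or prog != NSRD_PROG:
        return "ignore"                      # reply, or a different program
    try:
        parse_rpc_call(msg)
    except ValueError:
        return "alert-malformed"
    return "allow" if src_ip in ALLOWED_SOURCES else "alert-source"

# Constructed samples: well-formed NULL-procedure calls with AUTH_NONE.
GOOD = struct.pack(">10I", 0x1234, 0, 2, NSRD_PROG, 2, 0, 0, 0, 0, 0)
OTHER = struct.pack(">10I", 0x1235, 0, 2, 100003, 3, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    for src, m in [("10.0.5.10", GOOD), ("192.0.2.77", GOOD),
                   ("10.0.5.10", GOOD[:28]), ("192.0.2.77", OTHER)]:
        print(src, len(m), classify(src, m))
```

An "alert-source" result also indicates that the firewall restriction described above is not in effect for that path.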

Reservation: 11/18/2005

Disclosure: 12/31/2005

Moderation: accepted

Entry: VDB-27891

CPE: ready

EPSS: 0.02442

KEV: no

Activities: very low
