Veritas NetBackup 4.5.0/5.1/6.0 Catalog Daemon bpdbm.exe sprintf stack-based overflow
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.7 | $0-$5k | 0.00 |
Summary
A vulnerability described as critical has been identified in Veritas NetBackup 4.5.0/5.1/6.0. Affected by this vulnerability is the function sprintf of the file bpdbm.exe of the component Catalog Daemon. The manipulation results in stack-based overflow.
This vulnerability is reported as CVE-2006-0990. Moreover, an exploit is present.
Applying a patch is advised to resolve this issue.
Details
A vulnerability was found in Veritas NetBackup 4.5.0/5.1/6.0 (Backup Software). It has been classified as critical. Affected is the function sprintf of the file bpdbm.exe of the component Catalog Daemon. The manipulation with an unknown input leads to a stack-based overflow vulnerability. CWE is classifying the issue as CWE-121. A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
Stack-based buffer overflow in the NetBackup Catalog daemon (bpdbm) in Veritas NetBackup Enterprise Server 5.0 through 6.0 and DataCenter and BusinesServer 4.5FP and 4.5MP allows attackers to execute arbitrary code via unknown vectors.
The bug was discovered 01/24/2006. The weakness was disclosed 03/28/2006 by Sebastian Apelt with 3Com (Website). The advisory is shared for download at securityresponse.symantec.com. The public release has been coordinated in cooperation with the vendor. This vulnerability is traded as CVE-2006-0990 since 03/03/2006. It is possible to launch the attack remotely. The requirement for exploitation is a authentication. Technical details and a private exploit are known.
It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 62 days. During that time the estimated underground price was around $25k-$100k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 38541 (VERITAS NetBackup Multiple Remote Buffer Overflow Vulnerabilities).
Applying a patch is able to eliminate this problem. The bugfix is ready for download at support.veritas.com. A possible mitigation has been published before and not just after the disclosure of the vulnerability. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 4095.
The vulnerability is also documented in the databases at X-Force (25472), SecurityFocus (BID 17264†), OSVDB (24171†), Secunia (SA19417†) and SecurityTracker (ID 1015832†). The entries VDB-29344 and VDB-29343 are pretty similar. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.3VulDB Meta Temp Score: 5.7
VulDB Base Score: 6.3
VulDB Temp Score: 5.7
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Stack-based overflowCWE: CWE-121 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Private
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: support.veritas.com
TippingPoint: 🔍
SourceFire IPS: 🔍
Timeline
01/24/2006 🔍03/03/2006 🔍
03/27/2006 🔍
03/27/2006 🔍
03/27/2006 🔍
03/27/2006 🔍
03/28/2006 🔍
03/28/2006 🔍
03/28/2006 🔍
03/29/2006 🔍
03/29/2006 🔍
06/22/2025 🔍
Sources
Advisory: securityresponse.symantec.comResearcher: Sebastian Apelt
Organization: 3Com
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2006-0990 (🔍)
GCVE (CVE): GCVE-0-2006-0990
GCVE (VulDB): GCVE-100-2112
CERT: 🔍
X-Force: 25472 - Symantec VERITAS NetBackup Database Manager bpdbm.exe sprintf() buffer overflow, High Risk
SecurityFocus: 17264 - VERITAS NetBackup Multiple Remote Buffer Overflow Vulnerabilities
Secunia: 19417 - Veritas NetBackup Multiple Buffer Overflow Vulnerabilities, Moderately Critical
OSVDB: 24171 - VERITAS NetBackup Catalog Daemon (bpdbm.exe) Unspecified Remote Overflow
SecurityTracker: 1015832
Vulnerability Center: 10826 - Veritas NetBackup Stack Overflow via Catalog Daemon (bpdbm), High
Vupen: ADV-2006-1124
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 03/29/2006 14:09Updated: 06/22/2025 21:09
Changes: 03/29/2006 14:09 (90), 11/21/2018 04:36 (3), 01/20/2025 04:04 (18), 06/22/2025 21:09 (2)
Complete: 🔍
Cache ID: 216::103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.