Veritas NetBackup 4.5.0/5.1/6.0 Volume Manager Daemon sscanf stack-based overflow
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.4 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical has been found in Veritas NetBackup 4.5.0/5.1/6.0. The affected element is the function sscanf of the component Volume Manager Daemon. Performing a manipulation results in stack-based overflow.
This vulnerability was named CVE-2006-0989. In addition, an exploit is available.
Details
A vulnerability, which was classified as critical, was found in Veritas NetBackup 4.5.0/5.1/6.0 (Backup Software). This affects the function sscanf of the component Volume Manager Daemon. The manipulation with an unknown input leads to a stack-based overflow vulnerability. CWE is classifying the issue as CWE-121. A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
Stack-based buffer overflow in the volume manager daemon (vmd) in Veritas NetBackup Enterprise Server 5.0 through 6.0 and DataCenter and BusinesServer 4.5FP and 4.5MP allows attackers to execute arbitrary code via unknown vectors.
The bug was discovered 12/20/2005. The weakness was presented 03/27/2006 by Sebastian Apelt with 3Com as confirmed advisory (CERT.org). It is possible to read the advisory at kb.cert.org. This vulnerability is uniquely identified as CVE-2006-0989 since 03/03/2006. The exploitability is told to be easy. It is possible to initiate the attack remotely. Required for exploitation is a authentication. Technical details and a exploit are known.
After 2 weeks, there has been an exploit disclosed. The exploit is shared for download at saintcorporation.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 97 days. During that time the estimated underground price was around $0-$5k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 38541 (VERITAS NetBackup Multiple Remote Buffer Overflow Vulnerabilities).
A possible mitigation has been published immediately after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 6405. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 3976.
The vulnerability is also documented in the databases at X-Force (25471), SecurityFocus (BID 17264†), OSVDB (24172†), Secunia (SA19417†) and SecurityTracker (ID 1015832†). See VDB-2112 and VDB-29344 for similar entries. Be aware that VulDB is the high quality source for vulnerability data.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 9.9VulDB Meta Temp Score: 9.4
VulDB Base Score: 9.9
VulDB Temp Score: 9.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Stack-based overflowCWE: CWE-121 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Saint ID: exploit_info/netbackup_vmd_arg
Saint Name: VERITAS NetBackup VMD argument parsing vulnerability
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Snort ID: 6405
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
SourceFire IPS: 🔍
ISS Proventia IPS: 🔍
PaloAlto IPS: 🔍
Fortigate IPS: 🔍
Timeline
12/20/2005 🔍03/03/2006 🔍
03/27/2006 🔍
03/27/2006 🔍
03/27/2006 🔍
03/27/2006 🔍
03/27/2006 🔍
03/27/2006 🔍
03/28/2006 🔍
03/28/2006 🔍
03/29/2006 🔍
04/05/2006 🔍
03/12/2015 🔍
01/20/2025 🔍
Sources
Advisory: kb.cert.orgResearcher: Sebastian Apelt
Organization: 3Com
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2006-0989 (🔍)
GCVE (CVE): GCVE-0-2006-0989
GCVE (VulDB): GCVE-100-29343
CERT: 🔍
X-Force: 25471
SecurityFocus: 17264 - VERITAS NetBackup Multiple Remote Buffer Overflow Vulnerabilities
Secunia: 19417 - Veritas NetBackup Multiple Buffer Overflow Vulnerabilities, Moderately Critical
OSVDB: 24172 - VERITAS NetBackup Volume Manager Daemon (vmd.exe) Unspecified Remote Overflow
SecurityTracker: 1015832
Vulnerability Center: 10825 - Veritas NetBackup Stack Overflow via Volume Manager Daemon (vmd), High
Vupen: ADV-2006-1124
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 03/12/2015 12:19Updated: 01/20/2025 04:04
Changes: 03/12/2015 12:19 (80), 11/21/2018 04:38 (16), 01/20/2025 04:04 (18)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.