
"NetBackup PureDisk Remote Office Edition offers storage and bandwidth-optimized data protection for remote offices while PureDisk uses disk-based backup technology to enable companies to eliminate the risk and cost of tape from remote offices," Symantec says.
"Symantec has released an update to address a security concern in PHP, a commonly used HTML-embedded scripting language, for Symantec's Veritas NetBackup 6.0 PureDisk Remote Office Edition. A heap overflow has been reported in the version of PHP shipped with the affected product builds listed below.
The management interface of Symantec's product is accessible only through an SSL connection by default. Depending on configuration, however, an unauthorized user could potentially attempt to execute arbitrary code in the context of the vulnerable server, which runs in non-privileged mode by default," Symantec said in a security advisory.
Secunia rated the flaw "highly critical" and said the solution is to apply the vendor patch. Symantec said that a patch was published and the only affected product is Symantec Veritas NetBackup PureDisk Remote Office Edition version 6.0.
"Symantec engineers have addressed the reported issue and provided Security updates. Symantec strongly recommends all customers apply the latest security update identified above or upgrade to Symantec Veritas NetBackup PureDisk Remote Office Edition 6.1 to protect against threats of this nature. Symantec knows of no exploitation of or adverse customer impact from this issue," the company responded.