The vulnerability specifically affects master servers, media servers and clients of NetBackup versions 6.0, 5.1 and 5.0, that are remotely managed.
"An attacker, able to access a vulnerable NetBackup host and successfully exploit these issues, could potentially cause execution of arbitrary code resulting in possible unauthorized, elevated access to the targeted system," Symantec said in its alert. Put simply, an attacker could insert a command into the backup stream and execute another process, such as creating another copy of the data.
Symantec's security update and a patch for this issue can be found at:
Coincidentally, the alert comes a day after Symantec announced an encryption option for NetBackup that allows users to directly encrypt back ups on the media server instead of application servers.
The encryption module would prevent a malcious attacker gaining access to the data, according to Peter Allor, director of intelligence for IBM Internet Security Systems (ISS). "They could still gain access to the machine but would not be able see the data," he said. IBM's ISS division alerted Symantec to the latest vulnerabilities in NetBackup.
To enable the media server-based encryption, Symantec said users will need to pay a $10,000 flat fee for the key management software and pay for a license for the encryption engine itself. The latter will cost the same as a plain Media server license, i.e. starting from $5,000 for Windows, and $10,000 for Unix.
Jon Oltsik, senior analyst of information security at Enterprise Strategy Group, said the vulnerability demonstrates that users have to be diligent about monitoring bug tracking systems and patching servers besides just Windows. He said the industry will start to see attacks that take advantage of application and management software next year. "This places an added burden on vendors to test and monitor their code and users to keep up on maintenance," he added.