Symantec flaw found by TippingPoint bounty hunters

Summary:A flaw in Symantec's Veritas NetBackup series has been found and patched through a TippingPoint initiative

A security flaw in Veritas's NetBackup application has been found and patched through an initiative run by TippingPoint that pays security researchers who find and report bugs.

TippingPoint, a subsidiary of 3Com, announced the first fruits of its Zero Day Initiative (ZDI) on Thursday. Through ZDI, TippingPoint rewards security researchers who inform 3Com of vulnerabilities and do not publicly disclose them before the vendor has issued a patch.

3Com reported the potential threat to Veritas parent company Symantec on 12 September. Symantec went public with the flaw and issued a patch a month later, on 12 October.

But according to TippingPoint, 3Com customers using its intrusion prevention systems were issued protection against the Symantec vulnerability almost immediately, and -- unlike other Symantec customers -- have been protected against the flaw for the past month.

TippingPoint says it was was tipped off about the vulnerability by an independent researcher. It affects NetBackup 4.5, 5.0, 5.1 and 6.0, running on all platforms and all versions.

An attacker could potentially remotely exploit a format string overflow vulnerability in the Java authentication service, bpjava-msvc, running on NetBackup servers and clients. The attacker could then execute arbitrary code.

"The problem with this vulnerability is it's not only running on all the desktops, but, even worse, if a malicious hacker gets into the backup server, they have access to all your backup information," said Johannes Ullrich, chief research officer for the SANS Institute.

Under ZDI, 3Com will reward security researchers who inform them about "zero day vulnerabilities". These are vulnerabilities "that are unknown and for which there is no patch," 3Com said.

CNET News.com's Dawn Kawamoto contributed to this report.

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.