Symantec flaw found by TippingPoint bounty hunters

Symantec flaw found by TippingPoint bounty hunters

Summary: A flaw in Symantec's Veritas NetBackup series has been found and patched through a TippingPoint initiative

SHARE:
TOPICS: Security
1

A security flaw in Veritas's NetBackup application has been found and patched through an initiative run by TippingPoint that pays security researchers who find and report bugs.

TippingPoint, a subsidiary of 3Com, announced the first fruits of its Zero Day Initiative (ZDI) on Thursday. Through ZDI, TippingPoint rewards security researchers who inform 3Com of vulnerabilities and do not publicly disclose them before the vendor has issued a patch.

3Com reported the potential threat to Veritas parent company Symantec on 12 September. Symantec went public with the flaw and issued a patch a month later, on 12 October.

But according to TippingPoint, 3Com customers using its intrusion prevention systems were issued protection against the Symantec vulnerability almost immediately, and -- unlike other Symantec customers -- have been protected against the flaw for the past month.

TippingPoint says it was was tipped off about the vulnerability by an independent researcher. It affects NetBackup 4.5, 5.0, 5.1 and 6.0, running on all platforms and all versions.

An attacker could potentially remotely exploit a format string overflow vulnerability in the Java authentication service, bpjava-msvc, running on NetBackup servers and clients. The attacker could then execute arbitrary code.

"The problem with this vulnerability is it's not only running on all the desktops, but, even worse, if a malicious hacker gets into the backup server, they have access to all your backup information," said Johannes Ullrich, chief research officer for the SANS Institute.

Under ZDI, 3Com will reward security researchers who inform them about "zero day vulnerabilities". These are vulnerabilities "that are unknown and for which there is no patch," 3Com said.

CNET News.com's Dawn Kawamoto contributed to this report.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • ARE THERE ANY SUCH THIING AS AbOUNTY hUNTER IN THE U.K
    anonymous