Itegral
Level 6
10 years ago

Upgrade operating system for Symantec Appliance 5220

Our Information Security team, as per the annual audit, scanned the hosts for vulnerabilities and found that the OS on these appliances is very old - the scan output message says, "Unsupported Unix Operating System".

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

Question:

We have upgraded the Appliance to version 2.6.1.1; however, that does not upgrade the underlying OS.

Is there any technote from Symantec supporting that the OS shall remain the same, or plans on upgrading the Appliance OS etc., in detail?

Thanks All.

  • SLES 11 SP1 is not "very old" and is supported in all of the scanning tools I have ever encountered. Their scanning system made a mistake.

    Every upgrade addresses vulnerabilities in the operating system, so I cannot imagine it being that far out of date at 2.6.1.1.

    As far as a tech note, there is not one, since future upgrades are forward-looking. However, I believe the word is that 2.7.1 will move to RHEL of some flavor, possibly 7.

  • Thank you for your response. I have forwarded your comments to them.

    They have also identified the following:

    "According to the banner, OpenSSH earlier than 4.7 is running on the remote host"

    Such versions contain an authentication bypass vulnerability. In the event that OpenSSH cannot create an untrusted cookie for X, for example due to the temporary partition being full, it will use a trusted cookie instead. This allows attackers to violate intended policy and gain privileges by causing their X client to be treated as trusted.

    Appreciate your comments please.

  • The X server is not enabled on the appliance. I do not even think the binaries are loaded. You cannot go to init 5 on the device. If there is still a concern, then I would suggest opening a ticket with Veritas and asking them to address it or finding out if it is addressed in 2.6.1.2.

  • Any kind of security concerns must be taken up with Symantec Support directly.

    We can comment from a user perspective, but I guess your IS team will need an official response.

  • Today's release of 2.6.1.2 might also address some of the identified issues on the Appliance:

    https://www-secure.symantec.com/connect/forums/netbackup-appliances-2612-now-available