We recently received a security advisory, CVE-2015-6550/51/52.
One of the recommendations is to hide NBU listening ports from the external network.
The question is, do we apply this on clients, or on both server and client?
Master/Media server: Ver 188.8.131.52
Some clients: Ver 184.108.40.206
Some clients: Ver 6.x (this is why we want to hide the listening ports..)
Thanks in advance.
By the way, our backup is running on a separate LAN. We have a backup LAN which is not able to communicate with the external network.
So can I say that, given this statement, we don't have to hide listening ports from the external LAN? Please, please enlighten me. Thanks.
The official patch has to be installed on both server and client side - see the FAQ for the EEB.
Use e.g. Windows Firewall to disallow any traffic other than to/from the NetBackup master and media servers. On Linux, use ipchains or similar.
Even if the client has a backup network, bpcd will still listen for traffic from the production network and be a target for malicious traffic. So no - you are not secure.
Hi Nicolai, thanks for your reply.
We can apply hotfixes to master/media servers and clients with NBU version 7.6.x.x.
For clients with ver 6.x, please advise how we can hide NBU listening ports. Is it done on the network, or in the client firewall settings?
Lots of firewalls, either network or local software firewalls.
But do remember to mention to management that NBU 6.5 is now insecure by default and all systems running 6.5 should be either upgraded or decommissioned.
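
The firewall advice in the replies above, sketched for a Linux client as an added example that is not part of the original thread: it prints iptables rules for review rather than applying them. The chain name `NBU-IN`, the server addresses and the choice of iptables are assumptions, and the ports are the IANA-registered NetBackup defaults (1556 veritas_pbx, 13724 vnetd, 13782 bpcd), which should be checked against the actual installation.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules so that only the
# NetBackup master/media servers can reach a client's NetBackup listeners.
# Assumed ports (IANA-registered defaults, verify on your install):
#   1556 veritas_pbx, 13724 vnetd, 13782 bpcd
NBU_PORTS="1556 13724 13782"

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted-quad IPv4 address
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the validated address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# nbu_rules SERVER_IP... -> prints the rule set; returns 1 on bad input
nbu_rules() {
    [ "$#" -gt 0 ] || { echo "usage: nbu_rules SERVER_IP..." >&2; return 1; }
    for srv in "$@"; do
        is_ipv4 "$srv" || { echo "not an IPv4 address: $srv" >&2; return 1; }
    done
    # Hypothetical chain name; everything aimed at an NBU port lands here.
    echo "iptables -N NBU-IN"
    # Local daemons reach each other over loopback, so keep that open.
    echo "iptables -A NBU-IN -i lo -j ACCEPT"
    for srv in "$@"; do
        echo "iptables -A NBU-IN -s $srv -j ACCEPT"
    done
    # Any other source, production or backup LAN, is dropped.
    echo "iptables -A NBU-IN -j DROP"
    for port in $NBU_PORTS; do
        echo "iptables -I INPUT -p tcp --dport $port -j NBU-IN"
    done
}

# Stand-alone use: sh nbu_rules.sh 192.0.2.10 192.0.2.11   (constructed IPs)
[ "$#" -eq 0 ] || nbu_rules "$@"
```

Because the rules match on destination port rather than on interface, they also cover the case raised in the thread where bpcd is reachable from the production network as well as the backup LAN.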