04-28-2016 07:52 PM
Hi,
Recently got a security advisory, CVE-2015-6550/51/52.
One of the recommendations is to hide NBU listening ports from the external network.
The question is: do we apply it on clients only, or on both server and client?
Please advise.
Master/Media server: Ver 7.6.0.4
Some clients: Ver 7.6.0.4
Some clients: Ver 6.x (this is why we want to hide the listening ports.)
Thanks in advance.
04-29-2016 01:07 AM
By the way, our backup is running on a separate LAN. We have a backup LAN which is not able to communicate with the external network.
So can I say that, given this statement, we don't have to hide listening ports from the external LAN? Please please enlighten me. Thanks.
04-29-2016 04:42 AM
The official patch has to be installed on both server and client side - see the FAQ for the EEB.
https://www.veritas.com/support/en_US/article.000108248
Use e.g. Windows Firewall to disallow any traffic other than to/from the NetBackup master and media servers. On Linux use ipchains or similar.
Even if the client has a backup network, bpcd will still listen for traffic from the production network and be a target for malicious traffic. So no - you are not secure.
05-02-2016 07:03 PM
Hi Nicolai, thanks for your reply.
We can apply hotfixes to master/media servers and clients running NBU 7.6.x.x.
For clients with ver 6.x, please advise how we can hide NBU listening ports: is it done on the network, or in the client firewall settings?
05-03-2016 12:34 AM
Lots of firewalls, either network or local software firewalls.
But do remember to mention management that NBU 6.5 is now insecure by default and all systems running 6.5 should be either upgraded or decommissioned.
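A concrete form of the host-firewall approach described above for a Linux client (only the master and media servers may reach bpcd and the other NetBackup listeners; every other source hitting those ports is dropped), written as an added example that is not from this thread or from Veritas. It uses iptables in place of ipchains, assumes the default NetBackup ports (bpcd 13782, vnetd 13724, PBX 1556), and the server addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from this thread): generate iptables rules for a Linux
# NetBackup client so that only the master and media servers can reach its
# listening ports; any other source hitting those ports is dropped.
# Ports are the NetBackup defaults: bpcd 13782, vnetd 13724, PBX 1556.
# The server addresses used at the bottom are constructed placeholders.

NBU_PORTS="13782 13724 1556"

# nbu_client_rules "<space-separated master/media IPs>"
# Prints, per port: one ACCEPT per trusted server, then a catch-all DROP.
# Order matters: iptables evaluates rules top-down, so ACCEPTs come first.
nbu_client_rules() {
    servers="$1"
    for port in $NBU_PORTS; do
        for srv in $servers; do
            printf 'iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$srv" "$port"
        done
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# nbu_rule_count "<servers>" -> number of rules generated
nbu_rule_count() {
    nbu_client_rules "$1" | wc -l | tr -d ' '
}

# Sanity check of the generated ruleset: each port must have at least one
# ACCEPT and exactly one DROP. Returns 0 if well-formed, 1 otherwise.
nbu_rules_ok() {
    rules=$(nbu_client_rules "$1")
    for port in $NBU_PORTS; do
        accepts=$(printf '%s\n' "$rules" | grep -c -- "--dport $port .*ACCEPT")
        drops=$(printf '%s\n' "$rules" | grep -c -- "--dport $port -j DROP")
        [ "$accepts" -ge 1 ] && [ "$drops" -eq 1 ] || return 1
    done
    return 0
}

# Print the rules for review; pipe into 'sh' as root only after checking them.
# Return traffic for the client's own outbound connections is allowed first.
echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
nbu_client_rules "10.10.1.5 10.10.1.6"   # constructed master and media IPs
```

The same restriction on a Windows client is done with Windows Firewall inbound rules scoped to the master and media server addresses.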