Two new vulnerabilites have been reported in Symantec’s Veritas Storage Foundation product. Both are primarily Denial of Sevice issues, but one may lead to the execution of arbitrary code. This more serious issue is caused by input validation issues in the Administrator Service and can be exploited by sending a specially crafted packet to one of the products default ports, 3207/UDP. This vulnerability affects version 5.0 on both Windows and Unix/Linux systems. The lesser vulnerability is also caused by an input validation issue, this time in the Veritas Scheduler service. It can be exploited by sending a specially crafted packet to the default port 4888/TCP.
The original Symantec advisories are available at:
SYM08-005: http://www.symantec.com/avcenter/security/Content/2008.02.20a.html
and
SYM08-004:
http://www.symantec.com/avcenter/security/Content/2008.02.20.html