National Cyber Alert System
Technical Cyber Security Alert TA05-180A archive
VERITAS Backup Exec Software is actively being exploited
Original release date: June 29, 2005
Last revised: --
Source: US-CERT
Systems Affected
VERITAS Backup Exec Remote Agent
Overview
The VERITAS Backup Exec Remote Agent for Windows contains a buffer
overflow that may allow an unauthenticated, remote attacker to
compromise a system and execute arbitrary code with administrative
privileges.
I. Description
VERITAS Backup Exec is a data backup and recovery solution with
support for network-based backups. The VERITAS Backup Exec Remote
Agent is installed on systems that are to be backed up. It listens on
TCP port 10000 for messages indicating that a backup should occur.
The remote agent software fails to properly validate incoming packets,
which allows a buffer overflow to occur. Specially crafted
authentication messages can be used to trigger the buffer overflow,
making it possible for an unauthenticated attacker to exploit this
vulnerability.
Exploit code for this vulnerability is publicly available. In
addition, we have received credible reports that this vulnerability is
being actively exploited to execute arbitrary code with Local System
privileges. We have also seen increased scanning activity on port
10000/tcp. This increase is believed to be attempts to locate
vulnerable systems running the VERITAS Backup Exec Remote Agent.
US-CERT is tracking this issue in the following vulnerability note:
* VU#492105 - VERITAS Backup Exec Remote Agent fails to properly
validate authentication requests. This issue is also identified
as VERITAS Security Advisory VX05-002 and CAN-2005-0773.
In addition, US-CERT is investigating other, potentially serious
vulnerabilities in VERITAS backup software:
* VU#352625 - VERITAS Backup Exec Server Service contains a buffer
overflow vulnerability. This issue is also identified as VERITAS
Security Advisory VX05-006.
* VU#584505 - VERITAS Backup Exec remote access validation
vulnerability. This issue is also identified as VERITAS
Security Advisory VX05-003.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary
code with administrative privileges on a vulnerable system.
III. Solution
Apply a patch
VERITAS has issued patches for each vulnerable version of Backup Exec
Remote Agent. Information about these patches can be found in the
VERITAS Patch summary for Security Advisories VX05-001, VX05-002,
VX05-003, VX05-005, VX05-006, VX05-007.
Restrict access
US-CERT recommends taking the following actions to reduce the chances
of exploitation:
* Use firewalls to limit connectivity so that only the backup
server(s) can connect to the systems being backed up. The standard
port for this service is port 10000/tcp.
* At a minimum, implement some basic protection at the network
perimeter. When developing rules for network traffic filters,
realize that individual installations may operate on non-standard
ports.
Appendix A. References
* US-CERT Vulnerability Note VU#492105 -
<
* US-CERT Vulnerability Note VU#352625 -
<
* US-CERT Vulnerability Note VU#584505 -
<
* VERITAS Software Security Advisory VX05-002 -
<
* VERITAS Software Security Advisory VX05-006 -
<
* VERITAS Software Security Advisory VX05-003 -
<
* VERITAS Software Security Announcement -
<
* iDefense security advisory -
< rabilities>
_________________________________________________________________
These vulnerabilities were reported by VERITAS Software. VERITAS
credits iDefense with supplying information regarding VU#492105 and
VU#584505. VERITAS credits NGSSoftware Research Team with supplying
information regarding VU#352625.
_________________________________________________________________
Feedback can be directed to the authors: US-CERT Technical Staff
_________________________________________________________________
Revision History
Jun 29, 2005: Initial release
_________________________________________________________________
This document is available from:
<
Produced 2005 by US-CERT, a government organization.
Terms of use
<
For instructions on subscribing to or unsubscribing from this
mailing list, visit <
Technical Cyber Security Alert TA05-180A archive
VERITAS Backup Exec Software is actively being exploited
Original release date: June 29, 2005
Last revised: --
Source: US-CERT
Systems Affected
VERITAS Backup Exec Remote Agent
Overview
The VERITAS Backup Exec Remote Agent for Windows contains a buffer
overflow that may allow an unauthenticated, remote attacker to
compromise a system and execute arbitrary code with administrative
privileges.
I. Description
VERITAS Backup Exec is a data backup and recovery solution with
support for network-based backups. The VERITAS Backup Exec Remote
Agent is installed on systems that are to be backed up. It listens on
TCP port 10000 for messages indicating that a backup should occur.
The remote agent software fails to properly validate incoming packets,
which allows a buffer overflow to occur. Specially crafted
authentication messages can be used to trigger the buffer overflow,
making it possible for an unauthenticated attacker to exploit this
vulnerability.
Exploit code for this vulnerability is publicly available. In
addition, we have received credible reports that this vulnerability is
being actively exploited to execute arbitrary code with Local System
privileges. We have also seen increased scanning activity on port
10000/tcp. This increase is believed to be attempts to locate
vulnerable systems running the VERITAS Backup Exec Remote Agent.
US-CERT is tracking this issue in the following vulnerability note:
* VU#492105 - VERITAS Backup Exec Remote Agent fails to properly
validate authentication requests. This issue is also identified
as VERITAS Security Advisory VX05-002 and CAN-2005-0773.
In addition, US-CERT is investigating other, potentially serious
vulnerabilities in VERITAS backup software:
* VU#352625 - VERITAS Backup Exec Server Service contains a buffer
overflow vulnerability. This issue is also identified as VERITAS
Security Advisory VX05-006.
* VU#584505 - VERITAS Backup Exec remote access validation
vulnerability. This issue is also identified as VERITAS
Security Advisory VX05-003.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary
code with administrative privileges on a vulnerable system.
III. Solution
Apply a patch
VERITAS has issued patches for each vulnerable version of Backup Exec
Remote Agent. Information about these patches can be found in the
VERITAS Patch summary for Security Advisories VX05-001, VX05-002,
VX05-003, VX05-005, VX05-006, VX05-007.
Restrict access
US-CERT recommends taking the following actions to reduce the chances
of exploitation:
* Use firewalls to limit connectivity so that only the backup
server(s) can connect to the systems being backed up. The standard
port for this service is port 10000/tcp.
* At a minimum, implement some basic protection at the network
perimeter. When developing rules for network traffic filters,
realize that individual installations may operate on non-standard
ports.
Appendix A. References
* US-CERT Vulnerability Note VU#492105 -
<
* US-CERT Vulnerability Note VU#352625 -
<
* US-CERT Vulnerability Note VU#584505 -
<
* VERITAS Software Security Advisory VX05-002 -
<
* VERITAS Software Security Advisory VX05-006 -
<
* VERITAS Software Security Advisory VX05-003 -
<
* VERITAS Software Security Announcement -
<
* iDefense security advisory -
< rabilities>
_________________________________________________________________
These vulnerabilities were reported by VERITAS Software. VERITAS
credits iDefense with supplying information regarding VU#492105 and
VU#584505. VERITAS credits NGSSoftware Research Team with supplying
information regarding VU#352625.
_________________________________________________________________
Feedback can be directed to the authors: US-CERT Technical Staff
_________________________________________________________________
Revision History
Jun 29, 2005: Initial release
_________________________________________________________________
This document is available from:
<
Produced 2005 by US-CERT, a government organization.
Terms of use
<
For instructions on subscribing to or unsubscribing from this
mailing list, visit <