VERITAS Backup Exec Software is actively being exploited
VERITAS Backup Exec Remote Agent
The VERITAS Backup Exec Remote Agent for Windows contains a buffer overflow that may allow an unauthenticated, remote attacker to compromise a system and execute arbitrary code with administrative privileges.
VERITAS Backup Exec is a data backup and recovery solution with support for network-based backups. The VERITAS Backup Exec Remote Agent is installed on systems that are to be backed up. It listens on TCP port 10000 for messages indicating that a backup should occur.
The remote agent software fails to properly validate incoming packets, which allows a buffer overflow to occur. Specially crafted authentication messages can be used to trigger the buffer overflow, making it possible for an unauthenticated attacker to exploit this vulnerability.
Exploit code for this vulnerability is publicly available. In addition, we have received credible reports that this vulnerability is being actively exploited to execute arbitrary code with Local System privileges. We have also seen increased scanning activity on port 10000/tcp. This increase is believed to be attempts to locate vulnerable systems running the VERITAS Backup Exec Remote Agent.
US-CERT is tracking this issue in the following vulnerability note:
VU#492105 - VERITAS Backup Exec Remote Agent fails to properly validate authentication requests
In addition, US-CERT is investigating other, potentially serious vulnerabilities in VERITAS backup software:
VU#352625 - VERITAS Backup Exec Server Service contains a buffer overflow vulnerability
This issue is also identified as VERITAS Security Advisory VX05-006.
VU#584505 - VERITAS Backup Exec remote access validation vulnerability
This issue is also identified as VERITAS Security Advisory VX05-003.
A remote, unauthenticated attacker may be able to execute arbitrary code with administrative privileges on a vulnerable system.
Apply a patch
VERITAS has issued patches for each vulnerable version of Backup Exec Remote Agent. Information about these patches can be found in the VERITAS Patch summary for Security Advisories VX05-001, VX05-002, VX05-003, VX05-005, VX05-006, VX05-007.
US-CERT recommends taking the following actions to reduce the chances of exploitation:
- Use firewalls to limit connectivity so that only the backup server(s) can connect to the systems being backed up. The standard port for this service is port 10000/tcp.
- At a minimum, implement some basic protection at the network perimeter. When developing rules for network traffic filters, realize that individual installations may operate on non-standard ports.
Appendix A. References
- US-CERT Vulnerability Note VU#492105 - http://www.kb.cert.org/vuls/id/492105
- US-CERT Vulnerability Note VU#352625 - http://www.kb.cert.org/vuls/id/352625
- US-CERT Vulnerability Note VU#584505 - http://www.kb.cert.org/vuls/id/584505
- VERITAS Software Security Advisory VX05-002 - http://seer.support.veritas.com/docs/276604.htm
- VERITAS Software Security Advisory VX05-006 - http://seer.support.veritas.com/docs/276607.htm
- VERITAS Software Security Advisory VX05-003 - http://seer.support.veritas.com/docs/276605.htm
- VERITAS Software Security Announcement - http://seer.support.veritas.com/docs/277428.htm
- iDefense security advisory - http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities
These vulnerabilities were reported by VERITAS Software. VERITAS credits iDefense with supplying information regarding VU#492105 and VU#584505. VERITAS credits NGSSoftware Research Team with supplying information regarding VU#352625.
Feedback can be directed to the authors: US-CERT Technical Staff
Jun 29, 2005: Initial release