VERITAS Backup Exec Uses Hard-Coded Authentication Credentials
- VERITAS Backup Exec for Windows Servers
- VERITAS Backup Exec Remote Agent for Windows Servers
- VERITAS Backup Exec Remote Agent for Unix or Linux Servers
- VERITAS Backup Exec for NetWare Servers
- VERITAS Backup Exec Remote Agent for NetWare Servers
- VERITAS NetBackup for NetWare Media Server Option
VERITAS Backup Exec and NetBackup components use hard-coded administrative authentication credentials. An attacker with knowledge of these credentials and access to an affected component could retrieve arbitrary files from a vulnerable system.
VERITAS Backup Exec and NetBackup are network backup and recovery products that support a variety of operating systems. Components of Backup Exec and NetBackup, including Backup Exec Remote Agents, support the Network Data Management Protocol (NDMP). NDMP "...is an open standard protocol for enterprise-wide backup of heterogeneous network-attached storage." By default, Remote Agents listen for NDMP traffic on port 10000/tcp. Other components that do not support NDMP may also listen on 10000/tcp.
VERITAS components including Backup Exec, NetBackup, and Remote Agents use hard-coded administrative authentication credentials. An attacker with knowledge of these credentials and access to an affected component may be able to retrieve arbitrary files from a vulnerable system. Most of these components run with elevated privileges. For example, Remote Agents for Windows run with SYSTEM privileges.
Exploit code containing the hard-coded credentials is publicly available. US-CERT has monitored reports of increased scanning activity on port 10000/tcp. This increase may be caused by attempts to locate vulnerable systems.
US-CERT is tracking this vulnerability as VU#378957.
Please note that VERITAS has recently merged with Symantec.
A remote attacker with knowledge of the hard-coded credentials and access to a Remote Agent or other affected component may be able to retrieve arbitrary files from a vulnerable system.
Symantec has provided updates for this vulnerability in SYM05-011.
Restrict Network Access
Consider the following actions to mitigate risks associated with this and other vulnerabilities that require access to port 10000/tcp:
- Use firewalls to limit connectivity so that only authorized backup servers can connect to Remote Agents or other listening components. The default port for these services is 10000/tcp. Consider blocking access at network perimeters and using host-based firewalls to limit access to authorized servers.
- Changing the default port from 10000/tcp may reduce the chances of exploitation, particularly by automated attacks. Please refer to VERITAS documentation on how to change the default listening port.
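As an added example (not part of the original alert), the following Python script applies the allowlist idea above to a host or perimeter firewall log: it reports accepted connections to 10000/tcp from hosts other than the authorized backup servers, and surfaces sources that touch several hosts on that port, the kind of scanning activity US-CERT reported. The log line format, the addresses and the allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified firewall log format (hypothetical):
# "<timestamp> ACCEPT|DROP src=<ip> dst=<ip> proto=tcp dport=<port>"
SAMPLE_LOG = """\
2005-08-15T10:00:01 ACCEPT src=192.0.2.10 dst=192.0.2.50 proto=tcp dport=10000
2005-08-15T10:00:05 ACCEPT src=198.51.100.7 dst=192.0.2.50 proto=tcp dport=10000
2005-08-15T10:00:06 ACCEPT src=198.51.100.7 dst=192.0.2.51 proto=tcp dport=10000
2005-08-15T10:00:07 ACCEPT src=198.51.100.7 dst=192.0.2.52 proto=tcp dport=10000
2005-08-15T10:00:09 ACCEPT src=192.0.2.10 dst=192.0.2.51 proto=tcp dport=10000
2005-08-15T10:00:11 DROP   src=203.0.113.9 dst=192.0.2.50 proto=tcp dport=10000
2005-08-15T10:00:12 ACCEPT src=192.0.2.10 dst=192.0.2.60 proto=tcp dport=445
"""

# Assumed allowlist: the only hosts that should reach Remote Agents (constructed).
AUTHORIZED_BACKUP_SERVERS = {"192.0.2.10"}
NDMP_PORT = 10000          # default Remote Agent listening port per the alert
SCAN_THRESHOLD = 3         # distinct targets on 10000/tcp before a source is flagged

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=tcp\s+dport=(?P<dport>\d+)$"
)

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events

def unauthorized_ndmp_connections(events, allowlist=AUTHORIZED_BACKUP_SERVERS):
    """Accepted connections to 10000/tcp from hosts that are not authorized backup servers."""
    return [e for e in events
            if e["dport"] == NDMP_PORT and e["action"] == "ACCEPT" and e["src"] not in allowlist]

def probable_scanners(events, threshold=SCAN_THRESHOLD):
    """Sources that touched at least `threshold` distinct hosts on 10000/tcp (accepted or dropped)."""
    targets = defaultdict(set)
    for e in events:
        if e["dport"] == NDMP_PORT:
            targets[e["src"]].add(e["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for e in unauthorized_ndmp_connections(evts):
        print(f"{e['ts']} unauthorized 10000/tcp connection {e['src']} -> {e['dst']}")
    print("probable scanners:", probable_scanners(evts))
```

On real logs, any accepted connection reported here means the firewall rule set still lets an unauthorized host reach a listening component and should be tightened.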
For more information, please see US-CERT Vulnerability Note VU#378957.
Appendix A. References
- US-CERT Vulnerability Note VU#378957 - http://www.kb.cert.org/vuls/id/378957
- VERITAS Backup Exec for Windows Servers, VERITAS Backup Exec for NetWare Servers, and NetBackup for NetWare Media Server Option Remote Agent Authentication Vulnerability (SYM05-011) - http://securityresponse.symantec.com/avcenter/security/Content/2005.08.12b.html
- VERITAS Backup Exec for Windows Servers Security Advisory: Unauthorized downloading of arbitrary files - http://seer.support.veritas.com/docs/278434.htm
- VERITAS Backup Exec for NetWare Servers Security Advisory: Unauthorized downloading of arbitrary files - http://seer.support.veritas.com/docs/278431.htm
- VERITAS NetBackup (tm) for NetWare Media Servers Security Advisory: Unauthorized downloading of arbitrary files - http://seer.support.veritas.com/docs/278430.htm
- Backup Exec 9.x for Windows Servers has improved support for backups of remote computers. - http://seer.support.veritas.com/docs/255831.htm
- When using VERITAS Backup Exec (tm) 9.0, during a backup/restore job of a remote computer behind a firewall, the error "Unable to attach to one of the drives" may occur. - http://seer.support.veritas.com/docs/258334.htm
- How to change the default port used by the Backup Exec 9.x and 10.x Remote Agent for Windows Servers - http://seer.support.veritas.com/docs/255174.htm
- Backup Exec 9.x and 10.0 fail to install because another application is using port 10000. An Event ID 58116 is found in the system's application log. - http://seer.support.veritas.com/docs/256312.htm
- What is NDMP? - http://www.ndmp.org/info/faq.shtml#1
Feedback can be directed to US-CERT Technical Staff.
Aug 12, 2005: Initial release
Aug 15, 2005: Updates available, more accurate list of affected products