Lucene search

SecurityvulnsSECURITYVULNS:DOC:9001

HistoryJun 30, 2005 - 12:00 a.m.

US-CERT Technical Cyber Security Alert TA05-180A -- VERITAS Backup Exec Software is actively being exploited

2005-06-3000:00:00

vulners.com

0.966 High

EPSS

Percentile

99.6%

JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

         National Cyber Alert System

Technical Cyber Security Alert TA05-180A archive

VERITAS Backup Exec Software is actively being exploited

Original release date: June 29, 2005
Last revised: –
Source: US-CERT

Systems Affected

VERITAS Backup Exec Remote Agent

Overview

The VERITAS Backup Exec Remote Agent for Windows contains a buffer
overflow that may allow an unauthenticated, remote attacker to
compromise a system and execute arbitrary code with administrative
privileges.

I. Description

VERITAS Backup Exec is a data backup and recovery solution with
support for network-based backups. The VERITAS Backup Exec Remote
Agent is installed on systems that are to be backed up. It listens on
TCP port 10000 for messages indicating that a backup should occur.

The remote agent software fails to properly validate incoming packets,
which allows a buffer overflow to occur. Specially crafted
authentication messages can be used to trigger the buffer overflow,
making it possible for an unauthenticated attacker to exploit this
vulnerability.

Exploit code for this vulnerability is publicly available. In
addition, we have received credible reports that this vulnerability is
being actively exploited to execute arbitrary code with Local System
privileges. We have also seen increased scanning activity on port
10000/tcp. This increase is believed to be attempts to locate
vulnerable systems running the VERITAS Backup Exec Remote Agent.

US-CERT is tracking this issue in the following vulnerability note:

 * VU#492105 - VERITAS Backup Exec Remote Agent fails to properly
   validate authentication requests. This issue is also identified 
   as VERITAS Security Advisory VX05-002 and CAN-2005-0773.

In addition, US-CERT is investigating other, potentially serious
vulnerabilities in VERITAS backup software:

 * VU#352625 - VERITAS Backup Exec Server Service contains a buffer
   overflow vulnerability. This issue is also identified as VERITAS 
   Security Advisory VX05-006.

 * VU#584505 - VERITAS Backup Exec remote access validation
   vulnerability. This issue is also identified as VERITAS 
   Security Advisory VX05-003.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary
code with administrative privileges on a vulnerable system.

III. Solution

Apply a patch

VERITAS has issued patches for each vulnerable version of Backup Exec
Remote Agent. Information about these patches can be found in the
VERITAS Patch summary for Security Advisories VX05-001, VX05-002,
VX05-003, VX05-005, VX05-006, VX05-007.

Restrict access

US-CERT recommends taking the following actions to reduce the chances
of exploitation:

 * Use firewalls to limit connectivity so that only the backup
   server&#40;s&#41; can connect to the systems being backed up. The standard
   port for this service is port 10000/tcp.

 * At a minimum, implement some basic protection at the network
   perimeter. When developing rules for network traffic filters,
   realize that individual installations may operate on non-standard
   ports.

Appendix A. References

 * US-CERT Vulnerability Note VU#492105 -
   &lt;http://www.kb.cert.org/vuls/id/492105&gt;

 * US-CERT Vulnerability Note VU#352625 -
   &lt;http://www.kb.cert.org/vuls/id/352625&gt;

 * US-CERT Vulnerability Note VU#584505 -
   &lt;http://www.kb.cert.org/vuls/id/584505&gt;

 * VERITAS Software Security Advisory VX05-002 -
   &lt;http://seer.support.veritas.com/docs/276604.htm&gt;

 * VERITAS Software Security Advisory VX05-006 -
   &lt;http://seer.support.veritas.com/docs/276607.htm&gt;

 * VERITAS Software Security Advisory VX05-003 -
   &lt;http://seer.support.veritas.com/docs/276605.htm&gt;

 * VERITAS Software Security Announcement -
   &lt;http://seer.support.veritas.com/docs/277428.htm&gt;

 * iDefense security advisory -
   &lt;http://www.idefense.com/application/poi/display?id=272&type=vulne
   rabilities&gt;

These vulnerabilities were reported by VERITAS Software. VERITAS
credits iDefense with supplying information regarding VU#492105 and
VU#584505. VERITAS credits NGSSoftware Research Team with supplying
information regarding VU#352625.

Feedback can be directed to the authors: US-CERT Technical Staff

Revision History

Jun 29, 2005: Initial release

This document is available from:

<http://www.us-cert.gov/cas/techalerts/TA05-180A.html>

Produced 2005 by US-CERT, a government organization.

<http://www.us-cert.gov/legal.html>

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQsLs9BhoSezw4YfQAQLQaAf/X7XHXphDIe1ImdN1f/ap5y4YXTvMVnPk
VDed43Bk3HLGEKWP2gPReWGGTEzs3u8CiO4yJO879ksV2lQgJUNgLy5U21ltw4Nh
A2uZM90OpeCgirS8jSmhReqrHM89LqhDgbiNMpStJmQO3c2ClBpJ3skbO53/VT7L
Uowoz1XHwqMOSsaPVS4gsz+5NTJS2HNkXZuuLRbE3qexigWa6/CPJ9JINtgcQH65
O41V/fcs5gjvaHSB7H8a9gaSPewIwPnEqpFpA6w8hLiZ0erH0Ti1Ggj6mykDAESp
+OAyJk/MvAtQq1oXHpca9xaHqCMZd+Yus+/KQOkO5qCRGC+YtT3Kyw==
=VMlW
-----END PGP SIGNATURE-----

0.966 High

EPSS

Percentile

99.6%

JSON

Related for SECURITYVULNS:DOC:9001