-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA05-180A archive VERITAS Backup Exec Software is actively being exploited Original release date: June 29, 2005 Last revised: -- Source: US-CERT Systems Affected VERITAS Backup Exec Remote Agent Overview The VERITAS Backup Exec Remote Agent for Windows contains a buffer overflow that may allow an unauthenticated, remote attacker to compromise a system and execute arbitrary code with administrative privileges. I. Description VERITAS Backup Exec is a data backup and recovery solution with support for network-based backups. The VERITAS Backup Exec Remote Agent is installed on systems that are to be backed up. It listens on TCP port 10000 for messages indicating that a backup should occur. The remote agent software fails to properly validate incoming packets, which allows a buffer overflow to occur. Specially crafted authentication messages can be used to trigger the buffer overflow, making it possible for an unauthenticated attacker to exploit this vulnerability. Exploit code for this vulnerability is publicly available. In addition, we have received credible reports that this vulnerability is being actively exploited to execute arbitrary code with Local System privileges. We have also seen increased scanning activity on port 10000/tcp. This increase is believed to be attempts to locate vulnerable systems running the VERITAS Backup Exec Remote Agent. US-CERT is tracking this issue in the following vulnerability note: * VU#492105 - VERITAS Backup Exec Remote Agent fails to properly validate authentication requests. This issue is also identified as VERITAS Security Advisory VX05-002 and CAN-2005-0773. In addition, US-CERT is investigating other, potentially serious vulnerabilities in VERITAS backup software: * VU#352625 - VERITAS Backup Exec Server Service contains a buffer overflow vulnerability. This issue is also identified as VERITAS Security Advisory VX05-006. * VU#584505 - VERITAS Backup Exec remote access validation vulnerability. This issue is also identified as VERITAS Security Advisory VX05-003. II. Impact A remote, unauthenticated attacker may be able to execute arbitrary code with administrative privileges on a vulnerable system. III. Solution Apply a patch VERITAS has issued patches for each vulnerable version of Backup Exec Remote Agent. Information about these patches can be found in the VERITAS Patch summary for Security Advisories VX05-001, VX05-002, VX05-003, VX05-005, VX05-006, VX05-007. Restrict access US-CERT recommends taking the following actions to reduce the chances of exploitation: * Use firewalls to limit connectivity so that only the backup server(s) can connect to the systems being backed up. The standard port for this service is port 10000/tcp. * At a minimum, implement some basic protection at the network perimeter. When developing rules for network traffic filters, realize that individual installations may operate on non-standard ports. Appendix A. References * US-CERT Vulnerability Note VU#492105 - <http://www.kb.cert.org/vuls/id/492105> * US-CERT Vulnerability Note VU#352625 - <http://www.kb.cert.org/vuls/id/352625> * US-CERT Vulnerability Note VU#584505 - <http://www.kb.cert.org/vuls/id/584505> * VERITAS Software Security Advisory VX05-002 - <http://seer.support.veritas.com/docs/276604.htm> * VERITAS Software Security Advisory VX05-006 - <http://seer.support.veritas.com/docs/276607.htm> * VERITAS Software Security Advisory VX05-003 - <http://seer.support.veritas.com/docs/276605.htm> * VERITAS Software Security Announcement - <http://seer.support.veritas.com/docs/277428.htm> * iDefense security advisory - <http://www.idefense.com/application/poi/display?id=272&type=vulne rabilities> _________________________________________________________________ These vulnerabilities were reported by VERITAS Software. VERITAS credits iDefense with supplying information regarding VU#492105 and VU#584505. VERITAS credits NGSSoftware Research Team with supplying information regarding VU#352625. _________________________________________________________________ Feedback can be directed to the authors: US-CERT Technical Staff _________________________________________________________________ Revision History Jun 29, 2005: Initial release _________________________________________________________________ This document is available from: <http://www.us-cert.gov/cas/techalerts/TA05-180A.html> Produced 2005 by US-CERT, a government organization. Terms of use <http://www.us-cert.gov/legal.html> For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQsLs9BhoSezw4YfQAQLQaAf/X7XHXphDIe1ImdN1f/ap5y4YXTvMVnPk VDed43Bk3HLGEKWP2gPReWGGTEzs3u8CiO4yJO879ksV2lQgJUNgLy5U21ltw4Nh A2uZM90OpeCgirS8jSmhReqrHM89LqhDgbiNMpStJmQO3c2ClBpJ3skbO53/VT7L Uowoz1XHwqMOSsaPVS4gsz+5NTJS2HNkXZuuLRbE3qexigWa6/CPJ9JINtgcQH65 O41V/fcs5gjvaHSB7H8a9gaSPewIwPnEqpFpA6w8hLiZ0erH0Ti1Ggj6mykDAESp +OAyJk/MvAtQq1oXHpca9xaHqCMZd+Yus+/KQOkO5qCRGC+YtT3Kyw== =VMlW -----END PGP SIGNATURE-----