National Cyber Alert System

Technical Cyber Security Alert TA05-224A

VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

   Original release date: August 12, 2005
   Last revised: --
   Source: US-CERT

Systems Affected

     * VERITAS Backup Exec Remote Agent for Windows Servers

Overview

   VERITAS Backup Exec Remote Agent for Windows Servers uses hard-coded
   administrative authentication credentials. An attacker with knowledge
   of these credentials and access to the Remote Agent could retrieve
   arbitrary files from a vulnerable system.

I. Description

   VERITAS Backup Exec Remote Agent for Windows Servers is a data backup
   and recovery solution that supports the Network Data Management
   Protocol (NDMP). NDMP "...is an open standard protocol for
   enterprise-wide backup of heterogeneous network-attached storage." By
   default, the Remote Agent listens for NDMP traffic on port 10000/tcp.

   The VERITAS Backup Exec Remote agent uses hard-coded administrative
   authentication credentials. An attacker with knowledge of these
   credentials and access to the Remote Agent may be able to retrieve
   arbitrary files from a vulnerable system. The Remote Agent runs with
   SYSTEM privileges.

   Exploit code, including the credentials, is publicly available.
   US-CERT has also seen reports of increased scanning activity on port
   10000/tcp. This increase may be caused by attempts to locate
   vulnerable systems.

   US-CERT is tracking this vulnerability as VU#378957.

   Please note that VERITAS has recently merged with Symantec.

II. Impact

   A remote attacker with knowledge of the credentials and access to the
   Remote Agent may be able to retrieve arbitrary files from a
   vulnerable system.

III. Solution

Restrict access

   US-CERT recommends taking the following actions to reduce the chances
   of exploitation:

     * Use firewalls to limit connectivity so that only authorized
       backup server(s) can connect to the Remote Agent. The default
       port for this service is port 10000/tcp.

     * At a minimum, implement some basic protection at the network
       perimeter. When developing rules for network traffic filters,
       realize that individual installations may operate on
       non-standard ports.

     * In addition, changing the Remote Agent's default port from
       10000/tcp may reduce the chances of exploitation. Please refer to
       VERITAS support document 255174 for instructions on how to change
       the default port.

   For more information, please see US-CERT Vulnerability Note
   VU#378957.

Appendix A. References

     * US-CERT Vulnerability Note VU#378957 -
       <http://www.kb.cert.org/vuls/id/378957>

     * Veritas Backup Exec Remote Agent for Windows Servers Arbitrary
       File Download Vulnerability -
       <http://securityresponse.symantec.com/avcenter/security/Content/14551.html>

     * VERITAS support document 255831 -
       <http://seer.support.veritas.com/docs/255831.htm>

     * VERITAS support document 258334 -
       <http://seer.support.veritas.com/docs/258334.htm>

     * VERITAS support document 255174 -
       <http://seer.support.veritas.com/docs/255174.htm>

     * What is NDMP? - <http://www.ndmp.org/info/faq.shtml#1>

____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA05-224A.html>
____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA05-224A Feedback VU#378957" in the
   subject.
____________________________________________________________________

   Produced 2005 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

   Aug 12, 2005: Initial release
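The "Restrict access" recommendations can be checked against firewall logs. The following Python script is an added example, not part of the US-CERT alert: it reports allowed connections to the Remote Agent port from hosts other than the authorized backup server(s), and sources that try the port on several hosts. The log format, addresses, host lists and threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

AGENT_PORT = 10000                        # default NDMP port named in the alert
BACKUP_SERVERS = {"10.0.5.10"}            # assumption: authorized backup server(s)
AGENT_HOSTS = {"10.0.8.21", "10.0.8.22"}  # assumption: hosts running the Remote Agent
SCAN_THRESHOLD = 3                        # assumption: distinct targets that count as a scan

# Constructed sample log; the format "time action proto src dst dport" is an assumption.
SAMPLE_LOG = """\
2005-08-12T09:00:01 ALLOW tcp 10.0.5.10 10.0.8.21 10000
2005-08-12T09:00:04 ALLOW tcp 10.0.5.10 10.0.8.22 10000
2005-08-12T09:14:30 ALLOW tcp 10.0.9.77 10.0.8.21 10000
2005-08-12T09:20:11 DENY tcp 198.51.100.7 10.0.8.21 10000
2005-08-12T09:20:11 DENY tcp 198.51.100.7 10.0.8.22 10000
2005-08-12T09:20:12 DENY tcp 198.51.100.7 10.0.8.23 10000
2005-08-12T09:21:00 ALLOW tcp 10.0.9.77 10.0.8.21 445
malformed line
"""

def analyze(log_text, port=AGENT_PORT):
    """Return (unauthorized (src, dst) pairs that were allowed, scanning sources)."""
    unauthorized = set()
    targets = defaultdict(set)  # src -> destinations it tried on the agent port
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not match the assumed format
        _, action, proto, src, dst, dport = fields
        try:
            for addr in (src, dst):
                ipaddress.ip_address(addr)
            dport = int(dport)
        except ValueError:
            continue
        if proto != "tcp" or dport != port or src in BACKUP_SERVERS:
            continue  # only non-backup-server traffic to the agent port matters
        targets[src].add(dst)
        if action == "ALLOW" and dst in AGENT_HOSTS:
            unauthorized.add((src, dst))  # the filter let a non-backup host through
    scanners = {s for s, d in targets.items() if len(d) >= SCAN_THRESHOLD}
    return unauthorized, scanners

if __name__ == "__main__":
    unauthorized, scanners = analyze(SAMPLE_LOG)
    for src, dst in sorted(unauthorized):
        print(f"firewall gap: {src} reached Remote Agent on {dst}:{AGENT_PORT}")
    for src in sorted(scanners):
        print(f"possible scan of {AGENT_PORT}/tcp from {src}")
```

Pass `port=` to `analyze` for installations where the Remote Agent was moved off 10000/tcp, since the alert notes that individual installations may use non-standard ports.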