-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             National Cyber Alert System

   Technical Cyber Security Alert TA05-180A archive 



VERITAS Backup Exec Software is actively being exploited

   Original release date: June 29, 2005
   Last revised: --
   Source: US-CERT

Systems Affected

   VERITAS Backup Exec Remote Agent

Overview

   The VERITAS Backup Exec Remote Agent for Windows contains a buffer
   overflow that may allow an unauthenticated, remote attacker to
   compromise a system and execute arbitrary code with administrative
   privileges.

I. Description

   VERITAS Backup Exec is a data backup and recovery solution with
   support for network-based backups. The VERITAS Backup Exec Remote
   Agent is installed on systems that are to be backed up. It listens on
   TCP port 10000 for messages indicating that a backup should occur.

   The remote agent software fails to properly validate incoming packets,
   which allows a buffer overflow to occur. Specially crafted
   authentication messages can be used to trigger the buffer overflow,
   making it possible for an unauthenticated attacker to exploit this
   vulnerability.

   Exploit code for this vulnerability is publicly available. In
   addition, we have received credible reports that this vulnerability is
   being actively exploited to execute arbitrary code with Local System
   privileges. We have also seen increased scanning activity on port
   10000/tcp. This increase is believed to be attempts to locate
   vulnerable systems running the VERITAS Backup Exec Remote Agent.

   US-CERT is tracking this issue in the following vulnerability note:

     * VU#492105 - VERITAS Backup Exec Remote Agent fails to properly
       validate authentication requests. This issue is also identified 
       as VERITAS Security Advisory VX05-002 and CAN-2005-0773.

   In addition, US-CERT is investigating other, potentially serious
   vulnerabilities in VERITAS backup software:

     * VU#352625 - VERITAS Backup Exec Server Service contains a buffer
       overflow vulnerability. This issue is also identified as VERITAS 
       Security Advisory VX05-006.

     * VU#584505 - VERITAS Backup Exec remote access validation
       vulnerability. This issue is also identified as VERITAS 
       Security Advisory VX05-003.

II. Impact

   A remote, unauthenticated attacker may be able to execute arbitrary
   code with administrative privileges on a vulnerable system.

III. Solution

Apply a patch

   VERITAS has issued patches for each vulnerable version of Backup Exec
   Remote Agent. Information about these patches can be found in the
   VERITAS Patch summary for Security Advisories VX05-001, VX05-002,
   VX05-003, VX05-005, VX05-006, VX05-007.

Restrict access

   US-CERT recommends taking the following actions to reduce the chances
   of exploitation:

     * Use firewalls to limit connectivity so that only the backup
       server(s) can connect to the systems being backed up. The standard
       port for this service is port 10000/tcp.

     * At a minimum, implement some basic protection at the network
       perimeter. When developing rules for network traffic filters,
       realize that individual installations may operate on non-standard
       ports.

Appendix A. References

     * US-CERT Vulnerability Note VU#492105 -
       <http://www.kb.cert.org/vuls/id/492105>

     * US-CERT Vulnerability Note VU#352625 -
       <http://www.kb.cert.org/vuls/id/352625>

     * US-CERT Vulnerability Note VU#584505 -
       <http://www.kb.cert.org/vuls/id/584505>

     * VERITAS Software Security Advisory VX05-002 -
       <http://seer.support.veritas.com/docs/276604.htm>

     * VERITAS Software Security Advisory VX05-006 -
       <http://seer.support.veritas.com/docs/276607.htm>

     * VERITAS Software Security Advisory VX05-003 -
       <http://seer.support.veritas.com/docs/276605.htm>

     * VERITAS Software Security Announcement -
       <http://seer.support.veritas.com/docs/277428.htm>

     * iDefense security advisory -
       <http://www.idefense.com/application/poi/display?id=272&type=vulne
       rabilities>
   _________________________________________________________________

   These vulnerabilities were reported by VERITAS Software. VERITAS
   credits iDefense with supplying information regarding VU#492105 and
   VU#584505. VERITAS credits NGSSoftware Research Team with supplying
   information regarding VU#352625.
   _________________________________________________________________

   Feedback can be directed to the authors: US-CERT Technical Staff
   _________________________________________________________________

   Revision History

   Jun 29, 2005: Initial release
   _________________________________________________________________

   This document is available from:
  
   <http://www.us-cert.gov/cas/techalerts/TA05-180A.html>

   Produced 2005 by US-CERT, a government organization. 

   Terms of use

   <http://www.us-cert.gov/legal.html>


   For instructions on subscribing to or unsubscribing from this 
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQsLs9BhoSezw4YfQAQLQaAf/X7XHXphDIe1ImdN1f/ap5y4YXTvMVnPk
VDed43Bk3HLGEKWP2gPReWGGTEzs3u8CiO4yJO879ksV2lQgJUNgLy5U21ltw4Nh
A2uZM90OpeCgirS8jSmhReqrHM89LqhDgbiNMpStJmQO3c2ClBpJ3skbO53/VT7L
Uowoz1XHwqMOSsaPVS4gsz+5NTJS2HNkXZuuLRbE3qexigWa6/CPJ9JINtgcQH65
O41V/fcs5gjvaHSB7H8a9gaSPewIwPnEqpFpA6w8hLiZ0erH0Ti1Ggj6mykDAESp
+OAyJk/MvAtQq1oXHpca9xaHqCMZd+Yus+/KQOkO5qCRGC+YtT3Kyw==
=VMlW
-----END PGP SIGNATURE-----