Security Advisories

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: US-CERT Technical Cyber Security Alert TA05-224A -- VERITAS Backup Exec Uses Hard-Coded Authentication Credentials
From: CERT Advisory <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Date: Fri, 12 Aug 2005 18:16:38 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                     National Cyber Alert System

               Technical Cyber Security Alert TA05-224A


VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

   Original release date: August 12, 2005
   Last revised: --
   Source: US-CERT


Systems Affected

     * VERITAS Backup Exec Remote Agent for Windows Servers


Overview

   VERITAS Backup Exec Remote Agent for Windows Servers uses
   hard-coded administrative authentication credentials. An attacker
   with knowledge of these credentials and access to the Remote Agent
   could retrieve arbitrary files from a vulnerable system.


I. Description

   VERITAS Backup Exec Remote Agent for Windows Servers is a data
   backup and recovery solution that supports the Network Data
   Management Protocol (NDMP). NDMP "...is an open standard protocol
   for enterprise-wide backup of heterogeneous network-attached
   storage." By default, the Remote Agent listens for NDMP traffic on
   port 10000/tcp.

   The VERITAS Backup Exec Remote agent uses hard-coded administrative
   authentication credentials. An attacker with knowledge of these
   credentials and access to the Remote Agent may be able to retrieve
   arbitrary files from a vulnerable system. The Remote Agent runs
   with SYSTEM privileges.

   Exploit code, including the credentials, is publicly available.
   US-CERT has also seen reports of increased scanning activity on
   port 10000/tcp. This increase may be caused by attempts to locate
   vulnerable systems.

   US-CERT is tracking this vulnerability as VU#378957.

   Please note that VERITAS has recently merged with Symantec.


II. Impact

   A remote attacker with knowledge of the credentials and access to
   the Remote Agent may be able to retrieve arbitrary files from a
   vulnerable system.


III. Solution

Restrict access

   US-CERT recommends taking the following actions to reduce the chances
   of exploitation:

     * Use firewalls to limit connectivity so that only authorized backup
       server(s) can connect to the Remote Agent. The default port for
       this service is port 10000/tcp.

     * At a minimum, implement some basic protection at the network
       perimeter. When developing rules for network traffic filters,
       realize that individual installations may operate on
       non-standard ports.

     * In addition, changing the Remote Agent's default port from
       10000/tcp may reduce the chances of exploitation. Please refer
       to VERITAS support document 255174 for instructions on how to
       change the default port.

   For more information, please see US-CERT Vulnerability Note VU#378957.


Appendix A. References

     * US-CERT Vulnerability Note VU#378957 -
       <http://www.kb.cert.org/vuls/id/378957>

     * Veritas Backup Exec Remote Agent for Windows Servers Arbitrary
       File Download Vulnerability -
       <http://securityresponse.symantec.com/avcenter/security/Content/14
       551.html>

     * VERITAS support document 255831 -
       <http://seer.support.veritas.com/docs/255831.htm>

     * VERITAS support document 258334 -
       <http://seer.support.veritas.com/docs/258334.htm>

     * VERITAS support document 255174 -
       <http://seer.support.veritas.com/docs/255174.htm>

     * What is NDMP? - <http://www.ndmp.org/info/faq.shtml#1>


 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA05-224A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <This email address is being protected from spambots. You need JavaScript enabled to view it.> with "TA05-224A Feedback VU#378957" in the
   subject.
 ____________________________________________________________________

  To unsubscribe:

    <http://www.us-cert.gov/cas/#unsubscribe>
 ____________________________________________________________________

   Produced 2005 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   Aug 12, 2005: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQv0e3BhoSezw4YfQAQJbFQf9E5d1IyfH5OwAVMgoHwZ2zUiozACJfoEN
zh2X3pYbYCmBhfzr9uQDJW1U0TJfQXvgQUs/bpGVVFH1YHGjTV/Op6vGt4KnUFjW
KRcQrKAy+evk/ajrFlcLr/mM3oM4GdsJvqz9UdFBmU0ET53a10PAxYwLWY+5weB+
7d+TCXvnUkpwrDHo1N331QxrcZaFqZEA0b86dL7X6Cjt39NDv/4EVkoDiWv608w3
V6FGeXIXFpLP241141lQcDnf2WLmAD3oNSK6YbJ1utDu4dezoR164apTZBLEhcp0
AUptGGZGe9PxjyrylxIv8KSxEWB7oajKziQxcQG0IRv4CTP0UPLB7Q==
=cO6/
-----END PGP SIGNATURE-----

Powered by:

MHonArc