US-CERT Technical Cyber Security Alert TA05-224A -- VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 08/13/05

    Date: Fri, 12 Aug 2005 18:16:35 -0400
    To: cert-advisory@cert.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                         National Cyber Alert System

                   Technical Cyber Security Alert TA05-224A

    VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

       Original release date: August 12, 2005
       Last revised: --
       Source: US-CERT

    Systems Affected

         * VERITAS Backup Exec Remote Agent for Windows Servers

    Overview

       VERITAS Backup Exec Remote Agent for Windows Servers uses
       hard-coded administrative authentication credentials. An attacker
       with knowledge of these credentials and access to the Remote Agent
       could retrieve arbitrary files from a vulnerable system.

    I. Description

       VERITAS Backup Exec Remote Agent for Windows Servers is a data
       backup and recovery solution that supports the Network Data
       Management Protocol (NDMP). NDMP "...is an open standard protocol
       for enterprise-wide backup of heterogeneous network-attached
       storage." By default, the Remote Agent listens for NDMP traffic on
       port 10000/tcp.

       The VERITAS Backup Exec Remote Agent uses hard-coded administrative
       authentication credentials. An attacker with knowledge of these
       credentials and access to the Remote Agent may be able to retrieve
       arbitrary files from a vulnerable system. The Remote Agent runs
       with SYSTEM privileges, so file retrieval through it is not limited
       to files a low-privileged account could read.

       Exploit code, including the credentials, is publicly available.
       US-CERT has also seen reports of increased scanning activity on
       port 10000/tcp. This increase may be caused by attempts to locate
       vulnerable systems.

       US-CERT is tracking this vulnerability as VU#378957.

       Please note that VERITAS has recently merged with Symantec.

    II. Impact

       A remote attacker with knowledge of the credentials and access to
       the Remote Agent may be able to retrieve arbitrary files from a
       vulnerable system.

    III. Solution

    Restrict access

       US-CERT recommends taking the following actions to reduce the chances
       of exploitation:

         * Use firewalls to limit connectivity so that only authorized backup
           server(s) can connect to the Remote Agent. The default port for
           this service is port 10000/tcp.

         * At a minimum, block inbound connections to the Remote Agent's
           port at the network perimeter. When writing rules for network
           traffic filters, keep in mind that individual installations may
           run the Remote Agent on a non-standard port, so filter on the
           port actually configured, not only on 10000/tcp.

         * In addition, changing the Remote Agent's default port from
           10000/tcp may reduce the chances of exploitation. Please refer
           to VERITAS support document 255174 for instructions on how to
           change the default port. Note that this only hides the service:
           the hard-coded credentials remain valid on whatever port the
           agent listens on, so it complements rather than replaces the
           firewall restrictions above.

       For more information, please see US-CERT Vulnerability Note VU#378957.
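
The following is an added example and is not part of the US-CERT alert or of
VERITAS/Symantec's own tooling. It shows two of the checks a practitioner
would want after applying the restrictions above: given firewall connection
logs and an allow-list of authorized backup servers, it lists every attempt
to reach the Remote Agent port from a non-backup host (an "accept" there
means the firewall policy is incomplete), and it flags sources sweeping many
hosts on that port, the pattern behind the increased 10000/tcp scanning the
alert reports. The log format (key=value fields), the sample log lines, the
addresses and the helper names are all assumptions constructed for this
example; the agent port is a parameter so installations moved off
10000/tcp per document 255174 can be checked too.

```python
"""Added example (not from the US-CERT alert): find unauthorized and
scanning-style connection attempts to the Backup Exec Remote Agent port.

Assumptions (constructed for this example): firewall logs in a generic
key=value form (src=, dst=, proto=, dport=, action=), an allow-list of
backup-server addresses, and the agent port (default 10000/tcp).
"""
import re
import socket
from collections import defaultdict

NDMP_DEFAULT_PORT = 10000  # Remote Agent default per the alert; override if changed

# Constructed sample log lines for the demonstration; not real traffic.
SAMPLE_LOG = """\
2005-08-12T09:01:02 fw1 src=10.1.5.20 dst=10.1.7.11 proto=tcp dport=10000 action=accept
2005-08-12T09:01:05 fw1 src=10.1.5.20 dst=10.1.7.12 proto=tcp dport=10000 action=accept
2005-08-12T09:02:10 fw1 src=192.0.2.77 dst=10.1.7.11 proto=tcp dport=10000 action=deny
2005-08-12T09:02:10 fw1 src=192.0.2.77 dst=10.1.7.12 proto=tcp dport=10000 action=deny
2005-08-12T09:02:11 fw1 src=192.0.2.77 dst=10.1.7.13 proto=tcp dport=10000 action=deny
2005-08-12T09:02:11 fw1 src=192.0.2.77 dst=10.1.7.14 proto=tcp dport=10000 action=deny
2005-08-12T09:03:00 fw1 src=10.1.9.4 dst=10.1.7.11 proto=tcp dport=10000 action=accept
2005-08-12T09:03:30 fw1 src=10.1.9.4 dst=10.1.7.11 proto=tcp dport=445 action=accept
2005-08-12T09:04:00 fw1 src=198.51.100.9 dst=10.1.7.11 proto=udp dport=10000 action=deny
"""

LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\S+)"
)


def parse_events(log_text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev


def agent_events(log_text, agent_port=NDMP_DEFAULT_PORT):
    """TCP events aimed at the Remote Agent port (NDMP is TCP; UDP noise is ignored)."""
    return [ev for ev in parse_events(log_text)
            if ev["proto"] == "tcp" and ev["dport"] == agent_port]


def find_unauthorized(log_text, authorized_backup_servers, agent_port=NDMP_DEFAULT_PORT):
    """Attempts to reach the agent port from any host that is not an authorized
    backup server. An 'accept' here means the recommended firewall rule is
    missing or incomplete for that path."""
    return [ev for ev in agent_events(log_text, agent_port)
            if ev["src"] not in authorized_backup_servers]


def find_scanners(log_text, agent_port=NDMP_DEFAULT_PORT, min_targets=3):
    """Sources that touched at least min_targets distinct hosts on the agent
    port, i.e. the sweep pattern behind the scanning the alert mentions."""
    targets = defaultdict(set)
    for ev in agent_events(log_text, agent_port):
        targets[ev["src"]].add(ev["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def port_reachable(host, port, timeout=2.0):
    """Post-change check, to be run from a segment that should NOT be allowed
    through: True means the agent port is still exposed to that segment."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    authorized = {"10.1.5.20"}  # assumed backup server address
    for ev in find_unauthorized(SAMPLE_LOG, authorized):
        print(f"{ev['action']:6} {ev['src']} -> {ev['dst']}:{ev['dport']}")
    print("scanners:", find_scanners(SAMPLE_LOG))
```

On the constructed log, 192.0.2.77 is reported as a scanner (four distinct
hosts on 10000/tcp, all denied), while the single accepted connection from
10.1.9.4 is the finding that matters: a host outside the allow-list reached
the agent port, so the firewall policy has a gap. Passing `agent_port=445`
or another value checks an installation that was moved off the default port.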

    Appendix A. References

         * US-CERT Vulnerability Note VU#378957 -
           <http://www.kb.cert.org/vuls/id/378957>

         * Veritas Backup Exec Remote Agent for Windows Servers Arbitrary
           File Download Vulnerability -
           <http://securityresponse.symantec.com/avcenter/security/Content/14551.html>

         * VERITAS support document 255831 -
           <http://seer.support.veritas.com/docs/255831.htm>

         * VERITAS support document 258334 -
           <http://seer.support.veritas.com/docs/258334.htm>

         * VERITAS support document 255174 -
           <http://seer.support.veritas.com/docs/255174.htm>

         * What is NDMP? - <http://www.ndmp.org/info/faq.shtml#1>

     ____________________________________________________________________

       The most recent version of this document can be found at:

         <http://www.us-cert.gov/cas/techalerts/TA05-224A.html>
     ____________________________________________________________________

       Feedback can be directed to US-CERT Technical Staff. Please send
       email to <cert@cert.org> with "TA05-224A Feedback VU#378957" in the
       subject.
     ____________________________________________________________________

      To unsubscribe:

        <http://www.us-cert.gov/cas/#unsubscribe>
     ____________________________________________________________________

       Produced 2005 by US-CERT, a government organization.

       Terms of use:

         <http://www.us-cert.gov/legal.html>
     ____________________________________________________________________

    Revision History

       Aug 12, 2005: Initial release

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iQEVAwUBQv0e3BhoSezw4YfQAQJbFQf9E5d1IyfH5OwAVMgoHwZ2zUiozACJfoEN
    zh2X3pYbYCmBhfzr9uQDJW1U0TJfQXvgQUs/bpGVVFH1YHGjTV/Op6vGt4KnUFjW
    KRcQrKAy+evk/ajrFlcLr/mM3oM4GdsJvqz9UdFBmU0ET53a10PAxYwLWY+5weB+
    7d+TCXvnUkpwrDHo1N331QxrcZaFqZEA0b86dL7X6Cjt39NDv/4EVkoDiWv608w3
    V6FGeXIXFpLP241141lQcDnf2WLmAD3oNSK6YbJ1utDu4dezoR164apTZBLEhcp0
    AUptGGZGe9PxjyrylxIv8KSxEWB7oajKziQxcQG0IRv4CTP0UPLB7Q==
    =cO6/
    -----END PGP SIGNATURE-----

