
Protection against Multiple Vulnerabilities in VERITAS Backup Exec Server

Attack ID: CPAI-2005-109
Publish Date:
Category: Remote Code Execution
Vulnerable Systems: VERITAS Software BackUp Exec 9.0
VERITAS Software BackUp Exec 9.1
VERITAS Software BackUp Exec 10.0

Source: iDEFENSE Security Advisory 06.23.05
Description: VERITAS Backup Exec is a backup and restore solution for Microsoft Windows server environments. VERITAS Backup Exec for Windows is affected by several vulnerabilities that may allow an unauthenticated remote attacker to modify the target system's Windows Registry, cause the system to crash, or execute arbitrary code on the target system.

Severity:
Details: VERITAS Backup Exec is affected by the following vulnerabilities:

The Backup Exec Server service registers an RPC interface on a TCP endpoint. An access control error in an RPC endpoint can be exploited to gain Administrator privileges over a vulnerable system's registry by connecting to the endpoint.

The VERITAS Backup Exec Agent listens on TCP port 10000 and is responsible for accepting connections from the backup server when a backup should occur, using the NDMP protocol. A vulnerability exists because of improper handling of request packets with an invalid "Error Status" value. Any Error Status other than "0" will cause a null pointer dereference. This can be exploited to crash the application via a request packet containing an invalid "Error Status" value.

The NDMP protocol allows multiple authentication types, including support for Windows user credentials. A vulnerability exists because of insufficient input validation on CONNECT_CLIENT_AUTH requests. CONNECT_CLIENT_AUTH requests sent with an authentication method type "3," indicating Windows user credentials, and an overly long password argument can overflow the buffer and lead to arbitrary code execution.
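The two agent-side conditions described above (a request carrying a non-zero Error Status, and a type-3 CONNECT_CLIENT_AUTH with an over-long password) expressed as a request validation check, added here as an example; it is not code from the advisory, Check Point or VERITAS. It assumes the NDMP v3 header layout (six uint32 fields with the error code last, message code 0x901 for CONNECT_CLIENT_AUTH), that a type-3 body carries XDR user and password strings in that order, and an assumed MAX_PASSWORD_LEN bound; the sample packets are constructed, not captured.

```python
import struct

# NDMP header: six big-endian uint32s (sequence, time_stamp, message_type,
# message, reply_sequence, error), as in NDMP v3/v4.
HEADER_FMT, HEADER_LEN = ">6I", 24
NDMP_CONNECT_CLIENT_AUTH = 0x901  # NDMP v3 message code
AUTH_WINDOWS = 3                  # the "3" auth method type from the advisory
MAX_PASSWORD_LEN = 64             # assumed sane upper bound, not from the advisory

def xdr_string(buf, off):
    """Decode one XDR string: uint32 length, bytes, zero padding to 4."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("declared length exceeds packet")
    return buf[off:off + n], off + n + (-n % 4)

def inspect_ndmp_request(pkt):
    """Return (verdict, reason) for one client request on TCP/10000; the 'drop'
    rules mirror the advisory: non-zero Error Status, over-long type-3 password."""
    if len(pkt) < HEADER_LEN:
        return "drop", "short header"
    _seq, _ts, _mtype, msg, _reply, error = struct.unpack_from(HEADER_FMT, pkt)
    if error != 0:
        return "drop", "non-zero Error Status in request"
    if msg != NDMP_CONNECT_CLIENT_AUTH:
        return "allow", "not an auth request; no further inspection"
    body = pkt[HEADER_LEN:]
    try:
        (auth_type,) = struct.unpack_from(">I", body, 0)
        if auth_type != AUTH_WINDOWS:
            return "allow", "auth type %d not inspected" % auth_type
        _user, off = xdr_string(body, 4)  # assumed layout: user, then password
        pwd, _ = xdr_string(body, off)
    except (ValueError, struct.error) as e:
        return "drop", "malformed auth body: %s" % e
    if len(pwd) > MAX_PASSWORD_LEN:
        return "drop", "password of %d bytes exceeds %d" % (len(pwd), MAX_PASSWORD_LEN)
    return "allow", "well-formed CONNECT_CLIENT_AUTH"

# Builders for constructed sample packets (not captures) used to exercise the check.
def xdr_str(s):
    return struct.pack(">I", len(s)) + s + b"\0" * (-len(s) % 4)
def build_request(msg, error, body=b""):
    # message_type 0 = request
    return struct.pack(HEADER_FMT, 1, 0, 0, msg, 0, error) + body
def windows_auth_body(user, pwd):
    return struct.pack(">I", AUTH_WINDOWS) + xdr_str(user) + xdr_str(pwd)
```

A truncated body (declared string length running past the packet) is also dropped rather than parsed, so the check fails closed on malformed input.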

Attack Detection: Users of VPN-1 NG with Application Intelligence R55W, users of VPN-1 NGX R60 and users of InterSpect can identify the attacks by the following log entries:

Attack Name: Backup Exec Protection Violation
Attack Information:

  • Unauthorized remote registration attempt
  • Backup Exec Agent DoS attempt
  • Backup Exec Connect_Client_Auth buffer overflow attempt

Users of VPN-1 NG with Application Intelligence R55 will receive rules 96106, 910000 and 910001 respectively on the SmartView Tracker screen.

Solution:

Users of VPN-1 NG with Application Intelligence R55 and R55W, users of VPN-1 NGX R60 and users of InterSpect should update their SmartDefense by clicking Online Update (R55 - Update Now) in the SmartDashboard General window.

The Update includes several protections:
Protection against the Remote registration vulnerability: By enabling this protection, SmartDefense will block any attempt of unauthorized remote registry access to a host with Backup Exec installed.
Protections against Backup Exec Agent: 

  • The Block Backup Agent DoS protection will block specially crafted packets that lead to a Denial of service (DoS) condition.
  • By enabling the CONNECT_CLIENT_AUTH protection, SmartDefense will verify the validity of the authentication requests exchanged between the Backup Exec server and its agents.

    To enable the protections:

    1. On the SmartDefense navigation tree, click Application Intelligence > Veritas Backup Exec Protections.

    Note that for the Backup Exec Agent Protections to be enabled, at least one of the options below should be checked:

    2. Install security policy on all modules.

Industry Reference:

CAN-2005-0771
CAN-2005-0772
CAN-2005-0773

Additional Information: The Update also includes protection against several applications including two adware applications Mirar Toolbar and Windupdate, the Browser Plugin ExactSearch and the spyware Webhancer.