VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

• VERITAS Backup Exec for Windows Servers
• VERITAS Backup Exec Remote Agent for Windows Servers
• VERITAS Backup Exec Remote Agent for Unix or Linux Servers
• VERITAS Backup Exec for NetWare Servers
• VERITAS Backup Exec Remote Agent for NetWare Servers
• VERITAS NetBackup for NetWare Media Server Option

Please see SYM05-011 for further information.

VERITAS Backup Exec and NetBackup components use hard-coded administrative authentication credentials. An attacker with knowledge of these credentials and access to an affected component could retrieve arbitrary files from a vulnerable system.

VERITAS Backup Exec and NetBackup are network backup and recovery products that support a variety of operating systems. Components of Backup Exec and NetBackup, including Backup Exec Remote Agents, support the Network Data Management Protocol (NDMP). NDMP "...is an open standard protocol for enterprise-wide backup of heterogeneous network-attached storage." By default, Remote Agents listen for NDMP traffic on port 10000/tcp. Other components that do not support NDMP may also listen on 10000/tcp.

VERITAS components including Backup Exec, NetBackup, and Remote Agents use hard-coded administrative authentication credentials. An attacker with knowledge of these credentials and access to an affected component may be able to retrieve arbitrary files from a vulnerable system. Most of these components run with elevated privileges. For example, Remote Agents for Windows run with SYSTEM privileges.

Exploit code containing the hard-coded credentials is publicly available. US-CERT has monitored reports of increased scanning activity on port 10000/tcp. This increase may be caused by attempts to locate vulnerable systems.

US-CERT is tracking this vulnerability as VU#378957.

Please note that VERITAS has recently merged with Symantec.

Impact

A remote attacker with knowledge of the hard-coded credentials and access to a Remote Agent or other affected component may be able to retrieve arbitrary files from a vulnerable system.

Solution

Apply Updates

Symantec has provided updates for this vulnerability in SYM05-011.

Restrict Network Access

Consider the following actions to mitigate risks associated with this and other vulnerabilities that require access to port 10000/tcp:

• Use firewalls to limit connectivity so that only authorized backup servers can connect to Remote Agents or other listening components. The default port for these services is 10000/tcp. Consider blocking access at network perimeters and using host-based firewalls to limit access to authorized servers.
• Changing the default port from 10000/tcp may reduce the chances of exploitation, particularly by automated attacks. Please refer to VERITAS documentation on how to change the default listening port.

For more information, please see US-CERT Vulnerability Note VU#378957.

Appendix A. References

• US-CERT Vulnerability Note VU#378957 - http://www.kb.cert.org/vuls/id/378957
• VERITAS Backup Exec for Windows Servers, VERITAS Backup Exec for NetWare Servers, and NetBackup for NetWare Media Server Option Remote Agent Authentication Vulnerability (SYM05-011) - http://securityresponse.symantec.com/avcenter/security/Content/2005.08.12b.html
• VERITAS Backup Exec for Windows Servers Security Advisory: Unauthorized downloading of arbitrary files - http://seer.support.veritas.com/docs/278434.htm
• VERITAS Backup Exec for NetWare Servers Security Advisory: Unauthorized downloading of arbitrary files - http://seer.support.veritas.com/docs/278431.htm
• VERITAS NetBackup (tm) for NetWare Media Servers Security Advisory: Unauthorized downloading of arbitrary files - http://seer.support.veritas.com/docs/278430.htm
• Backup Exec 9.x for Windows Servers has improved support for backups of remote computers. - http://seer.support.veritas.com/docs/255831.htm
• When using VERITAS Backup Exec (tm) 9.0, during a backup/restore job of a remote computer behind a firewall, the error "Unable to attach to one of the drives" may occur. - http://seer.support.veritas.com/docs/258334.htm
• How to change the default port used by the Backup Exec 9.x and 10.x Remote Agent for Windows Servers - http://seer.support.veritas.com/docs/255174.htm
• Backup Exec 9.x and 10.0 fail to install because another application is using port 10000. An Event ID 58116 is found in the system's application log. - http://seer.support.veritas.com/docs/256312.htm
• What is NDMP? - http://www.ndmp.org/info/faq.shtml#1

Feedback can be directed to US-CERT Technical Staff.

Revision History

• Aug 12, 2005: Initial release
  
  Aug 15, 2005: Updates available, more accurate list of affected products
  

  Last updated