The Department of Homeland Security’s (DHS) US-CERT (Computer Emergency
Readiness Team) issued an alert stating that
Veritas Backup Exec Software is being actively exploited. The Technical Cyber Security Alert comes a week after the first public disclosure of the Veritas
The active exploitation of Veritas’ Backup Exec software is the result
of a buffer overflow condition that could potentially allow a malicious
remote user to execute arbitrary code.
The buffer overflow is triggered by
a flaw in how the remote agent software validates incoming packets. Veritas
Backup Exec software is a network-enabled backup and recovery solution that
listens on TCP port 10000 for incoming connections. Veritas software is
shipped by a number of vendors, including NEC and Hitachi.
Security research firm iDefense first discovered the flaw in March
and issued a joint public disclosure with Veritas on June 22. According to
the iDefense advisory, exploitation does not require authentication and can occur “fairly reliably since the overflow is able to control code execution via the structured exception handler.”
According to Michael Sutton, director of iDefense Labs, a public exploit
came out for this vulnerability last Friday.
“Over the weekend we noticed increased port scanning on port 10000 so
it’s safe to assume that the two are related,” Sutton told internetnews.com. “This vulnerability was relatively easy to exploit so it’s not surprising that a public exploit emerged following the coordinated public disclosure.”
US-CERT confirmed increased scanning activity on port 10000/tcp and that
exploit code is publicly available.
“This increase is believed to be attempts to locate vulnerable systems
running the Veritas Backup Exec Remote Agent,” the alert states.
Veritas issued a hotfix at the time of the joint public disclosure of the vulnerability by iDefense and Veritas. Veritas claimed in its advisory that it was “unaware of any adverse customer impact from this issue”. Users were strongly advised to update their software with the hotfix.
“The patch does fix the vulnerability,” Sutton said. “We were able to
work with the vendor ahead of time and assist in testing the patch.”
US-CERT and iDefense have also recommended that users implement
some form of firewall or network-perimeter protection to restrict incoming
connections to trusted workstations only.
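The two observations above, the rise in scanning on 10000/tcp and the advice to admit only trusted hosts to the Remote Agent port, can be checked against perimeter firewall logs. The script below is an added example, not part of the article or any vendor tooling; the log format, the allowlist of backup servers and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article): each records
# an inbound TCP connection attempt and the firewall's verdict.
SAMPLE_LOG = """\
2005-06-27T01:12:04 ACCEPT TCP src=10.0.5.20 dst=10.0.9.11 dpt=10000
2005-06-27T01:12:09 DROP TCP src=198.51.100.7 dst=10.0.9.11 dpt=10000
2005-06-27T01:12:10 DROP TCP src=198.51.100.7 dst=10.0.9.12 dpt=10000
2005-06-27T01:12:10 DROP TCP src=198.51.100.7 dst=10.0.9.13 dpt=10000
2005-06-27T01:12:11 DROP TCP src=198.51.100.7 dst=10.0.9.14 dpt=10000
2005-06-27T01:12:15 ACCEPT TCP src=203.0.113.9 dst=10.0.9.11 dpt=10000
2005-06-27T01:12:20 ACCEPT TCP src=10.0.5.20 dst=10.0.9.12 dpt=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>ACCEPT|DROP) TCP src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)

# Hypothetical allowlist: the backup servers that are supposed to reach the
# Remote Agent. Any other source reaching port 10000 means the perimeter
# restriction recommended by US-CERT and iDefense is not in place.
TRUSTED_BACKUP_SERVERS = {"10.0.5.20"}
REMOTE_AGENT_PORT = 10000

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            yield rec

def analyse(text, trusted=TRUSTED_BACKUP_SERVERS, scan_threshold=3):
    """Return (scanners, untrusted_accepts) for traffic to the agent port:
    scanners maps a source to the number of distinct hosts it probed on
    10000/tcp (>= scan_threshold); untrusted_accepts lists (src, dst) pairs
    where a non-allowlisted host was actually allowed through."""
    targets = defaultdict(set)
    untrusted_accepts = []
    for rec in parse_log(text):
        if rec["dpt"] != REMOTE_AGENT_PORT:
            continue  # only the Remote Agent port is of interest here
        targets[rec["src"]].add(rec["dst"])
        if rec["verdict"] == "ACCEPT" and rec["src"] not in trusted:
            untrusted_accepts.append((rec["src"], rec["dst"]))
    scanners = {s: len(h) for s, h in targets.items() if len(h) >= scan_threshold}
    return scanners, untrusted_accepts
```

On the sample input, `analyse(SAMPLE_LOG)` flags 198.51.100.7 as sweeping four hosts on 10000/tcp and reports one untrusted source (203.0.113.9) that was accepted, which is the gap a perimeter rule should close.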