             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               Veritas Backup Exec Buffer Overflow Vulnerability
                        [Veritas Document ID: 273419]

December 16, 2004 18:00 GMT                                       Number P-066
                                                         [REVISED 22 Dec 2004]
______________________________________________________________________________
PROBLEM:       A buffer overflow vulnerability exists in the Veritas Backup
               Exec service processes.
SOFTWARE:      Veritas Backup Exec v8.x and v9.x
DAMAGE:        A remote attacker could execute arbitrary code.
SOLUTION:      Apply Veritas' hotfixes.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The vulnerability could allow a remote
ASSESSMENT:    attacker to gain domain administrative account access.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-066.shtml
 ORIGINAL BULLETIN:  http://seer.support.veritas.com/docs/273419.htm
______________________________________________________________________________

REVISION HISTORY:
12/22/2004 - updated Veritas Document ID: 273419. It replaces the hotfix for
             Backup Exec 8.6 and provides additional Related Documents.

[***** Start Veritas Document ID: 273419 *****]

Document ID: 273419
http://support.veritas.com/docs/273419

Remote exploitation of a stack-based buffer overflow vulnerability in Backup
Exec 8.x and 9.x may allow the unauthorized execution of arbitrary code.

--------------------------------------------------------------------------------

Details:

The vulnerability specifically exists within the function responsible for
receiving and parsing registration requests. The issue allows a remote
attacker to execute arbitrary code under the privileges of one of the VERITAS
Backup Exec (tm) service processes, which is usually a domain administrative
account.

A hotfix is available for the following versions of Backup Exec:

Backup Exec 8.6 installations should have the following hotfix applied:

  Be86hf68_273850.exe
  8.60.3878 Hotfix 68 - Backup Exec (Buffer overflow creates a security hole
  in Agent Browser)
  http://support.veritas.com/docs/273850

  Note: Backup Exec 8.x installations should be upgraded to Backup Exec 8.6
  Build 3878 prior to the installation of the hotfix.

Backup Exec 9.1 installations should have the following hotfix applied:

  Be4691RHF40_273420.exe
  9.1.4691 Hotfix 40 - Backup Exec (buffer overflow creates a security hole
  in agent browser)
  http://support.veritas.com/docs/273420

  Note: Backup Exec 9.0 and 9.1 installations should be upgraded to Backup
  Exec 9.1 Build 4691 Service Pack 1 prior to the installation of the hotfix.

Workaround for all Backup Exec versions:

To avoid this issue in any version of Backup Exec, a firewall can be used to
restrict incoming connections to trusted workstations running Backup Exec
software.

Note: VERITAS Technical Services recommends that Backup Exec installations
are always kept at the latest version, build, and hotfix level available. It
is also recommended that a full backup is performed prior to and after any
changes are made to a software environment. If you have any questions or
concerns about this issue, please contact VERITAS Technical Services.

VERITAS Software has acknowledged that the above-mentioned issue may be
present in earlier versions of the product which are no longer supported.
There are no plans to address this issue by way of a patch or hotfix in any
end-of-life versions of the product at the present time. The issue has been
addressed in all supported versions of the product specified at the end of
this article.
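As an added illustration (not part of the CIAC bulletin and not a Veritas tool), the following Python turns the two actions above into checks a defender can run: it encodes the build, service pack and hotfix levels the bulletin names and assesses a constructed inventory of Backup Exec installations against them, then applies the firewall workaround as a review rule over constructed connection-log lines, flagging any allowed inbound connection to the Backup Exec listener from outside the trusted-workstation ranges. The bulletin does not state the listener's port; the script takes it as a parameter, and the value 6101 in the sample is an assumption to be verified against the actual deployment.

```python
"""Added example for CIAC P-066 / Veritas document 273419 (not vendor code).

Two checks a defender would run after reading the bulletin:
  1. assess(): is a Backup Exec installation at the build, service pack and
     hotfix level the bulletin requires, or does it need an upgrade first?
  2. untrusted_connections(): has anything outside the trusted-workstation
     allowlist been allowed to reach the Backup Exec listener? (the
     bulletin's firewall workaround, expressed as a log-review rule)
The inventory records, log lines and the port number are constructed.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Required levels, taken from the bulletin: branch -> build, SP, hotfix
REQUIRED = {
    "8.6": {"build": 3878, "sp": 0, "hotfix": 68},   # Be86hf68_273850.exe
    "9.1": {"build": 4691, "sp": 1, "hotfix": 40},   # Be4691RHF40_273420.exe
}
# Supported branch each listed release must be upgraded to before the hotfix.
UPGRADE_PATH = {"8.0": "8.6", "8.5": "8.6", "8.6": "8.6", "9.0": "9.1", "9.1": "9.1"}

# ASSUMPTION: the bulletin names no port; 6101 is a placeholder for the
# Backup Exec listener and must be checked against the real deployment.
ASSUMED_SERVICE_PORT = 6101


@dataclass
class Install:
    """One Backup Exec media server as an asset inventory would record it."""
    host: str
    version: str                # branch, e.g. "9.1"
    build: int                  # e.g. 4691
    sp: int = 0                 # service pack level
    hotfixes: set = field(default_factory=set)


def assess(inst: Install) -> str:
    """Return 'patched' or the next action the bulletin calls for."""
    target = UPGRADE_PATH.get(inst.version)
    if target is None:
        return "unsupported version: move to a supported release"
    req = REQUIRED[target]
    if inst.version != target or inst.build < req["build"] or inst.sp < req["sp"]:
        return (f"upgrade to {target} build {req['build']} SP{req['sp']} "
                f"before applying hotfix {req['hotfix']}")
    if req["hotfix"] not in inst.hotfixes:
        return f"apply hotfix {req['hotfix']}"
    return "patched"


# Constructed firewall log format:
#   "<timestamp> <ALLOW|DROP> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ALLOW|DROP) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def untrusted_connections(log_lines, service_port, trusted_cidrs):
    """Return (timestamp, source) for connections that were ALLOWED to the
    Backup Exec port from outside the trusted workstation ranges."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "ALLOW" or int(m["dport"]) != service_port:
            continue
        if not any(ip_address(m["src"]) in net for net in trusted):
            hits.append((m["ts"], m["src"]))
    return hits


# Constructed sample data (not from the bulletin).
SAMPLE_INVENTORY = [
    Install("bkup01", "9.1", 4691, 1, {40}),   # fully patched 9.1
    Install("bkup02", "9.1", 4691, 1),          # SP1 present, hotfix 40 missing
    Install("bkup03", "9.0", 4000),             # must reach 9.1 build 4691 SP1 first
    Install("bkup04", "8.6", 3878, 0, {68}),    # fully patched 8.6
]
SAMPLE_LOG = [
    "2004-12-16T18:00:01Z ALLOW TCP 10.0.5.20:49211 -> 10.0.1.10:6101",   # trusted admin workstation
    "2004-12-16T18:00:07Z ALLOW TCP 192.0.2.77:4002 -> 10.0.1.10:6101",   # outside the allowlist
    "2004-12-16T18:00:09Z DROP TCP 198.51.100.9:3301 -> 10.0.1.10:6101",  # firewall already blocked it
    "2004-12-16T18:00:12Z ALLOW TCP 192.0.2.77:4003 -> 10.0.1.10:445",    # other service, out of scope
]
TRUSTED_WORKSTATIONS = ["10.0.5.0/24"]

if __name__ == "__main__":
    for inst in SAMPLE_INVENTORY:
        print(f"{inst.host}: {assess(inst)}")
    for ts, src in untrusted_connections(SAMPLE_LOG, ASSUMED_SERVICE_PORT, TRUSTED_WORKSTATIONS):
        print(f"{ts} untrusted source {src} reached the Backup Exec listener")
```

The ordering in assess() mirrors the bulletin's notes: an installation is only told to apply the hotfix once it is already on the required branch, build and service pack, because the hotfix is specified against those exact levels. The log rule reports only ALLOWED connections, since a DROP already means the firewall workaround did its job.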
If you have an unsupported version of the product, you will have to move to a
supported version of the product to apply the patch or implement the
workaround mentioned above.

Related Documents:

241035: VERITAS Backup Exec (tm) 8.6 for Windows NT build 3878 (Intel)
        (English)
        http://support.veritas.com/docs/241035

264658: Q118478.BEWS.91.4691.1_264658.zip
        VERITAS Backup Exec (tm) 9.1 for Windows Servers revision 4691.1
        (Single .ZIP download)
        http://support.veritas.com/docs/264658

267180: Be4691RSP1_267180.exe
        VERITAS Backup Exec (tm) 9.1 for Windows Servers revision 4691 -
        Service Pack 1
        http://support.veritas.com/docs/267180

273420: Be4691RHF40_273420.exe
        9.1.4691 Hotfix 40 - Backup Exec (Buffer overflow creates a security
        hole in Agent Browser; Licensed Storage Central becomes Eval when
        Backup Exec 9.1 is uninstalled)
        *Requires Backup Exec 9.1.4691 Service Pack 1
        http://support.veritas.com/docs/273420

273850: Be86hf68_273850.exe
        8.60.3878 Hotfix 68 - Backup Exec (Buffer overflow creates a security
        hole in Agent Browser)
        http://support.veritas.com/docs/273850

Supplemental Material:

System:  Ref.#   Description
ETrack:  275793  BEWS: Buffer overflow creates a security hole in Agent
                 Browser (BEWS 8.6)
ETrack:  275738  BEWS: Buffer overflow creates a security hole in Agent
                 Browser (BEWS 9.1)

--------------------------------------------------------------------------------

Products Applied:
  Backup Exec for Windows Servers 8.0, 8.5, 8.6, 9.0, 9.1

Last Updated: December 17 2004 09:35 PM GMT
Expires on: 12-15-2005

Subjects:
  Backup Exec for Windows Servers
  Application: Alert, Troubleshooting

Publishing Status: Techalert
Languages: English (US)

Operating Systems:
  Windows 2000 Advanced Server, Advanced Server Windows Powered, Datacenter
    Server, Professional, SAK, Server, Server Windows Powered
  Windows NT 4.0 Server SP6a, 4.0 Workstation SP6a
  Windows NT Small Business Server 2000, 4.5
  Windows XP Home 5.1, Pro 5.1
  Windows Server 2003 DataCenter, Enterprise Server, Standard Server,
    Storage Server, Web Server
  Windows Small Business Server 2003 Premium Edition, Standard Edition

VERITAS Software
350 Ellis Street
Mountain View, California 94043
World Wide Web:   http://www.veritas.com
Tech Support Web: http://support.veritas.com
E-Mail Support:   http://seer.support.veritas.com/email_forms
FTP:              ftp://ftp.support.veritas.com or http://ftp.support.veritas.com

THE INFORMATION PROVIDED IN THE VERITAS SOFTWARE KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. VERITAS SOFTWARE DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
VERITAS SOFTWARE OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF VERITAS SOFTWARE OR ITS SUPPLIERS HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

[***** End Veritas Document ID: 273419 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Veritas Software for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-056: Microsoft HyperTerminal Vulnerability
P-057: Microsoft Windows Kernel and LSASS Vulnerabilities
P-058: Sun Java System Web and Application Server Security Vulnerability
P-059: Sendmail(1) Security Vulnerability
P-060: Cisco Unity with Exchange Default Passwords Vulnerability
P-061: Ethereal Multiple Vulnerabilities
P-062: Updated ncompress Package Fix Security Issue and Bug
P-063: Adobe Reader Security Vulnerabilities
P-064: Adobe Reader 5.0.9 for UNIX "mailListIsPdf" function Vulnerability
P-065: Cisco Default Administrative Password in Cisco Guard and Traffic
       Anomaly Detector