Critical Vulnerability: Veritas Backup Exec Agent

There is yet another vulnerability in the BackupExec remote agent utility. This is the same agent that raised concern a little over a month ago (the one that listens on tcp/10000). A zero day exploit has just been released which allows one to remotely download any file from a machine running the BackupExec agent.

Currently, this port is still blocked at the border from the last round, and that block was slated to be removed very shortly.
We will keep the border router block active for a while longer, but one can no longer offer this service to the Internet in any fashion (similar to the MSSQL Critical Vulnerability).
Any machines found offering BackupExec services to the Internet will be blocked from network access until mitigated.
In addition, it is strongly suggested to limit exposure of BackupExec clients to only the BackupExec server, and to deny any other unsolicited on-site access to the BackupExec services.
To mitigate the exposure of BackupExec to the Internet and to general on-site access, make use of local host-based access controls or personal firewalls such as:
  • Windows XP Firewall
  • Windows IP Security Filters
  • ISS BlackICE
  • Norton Personal Firewall
  • McAfee Personal Firewall
  • ZoneAlarm
  • Sygate Cyberwall
  • Any other host-based access controls
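As an added illustration (not part of the original advisory) of the host-based restriction recommended above, the following Windows Firewall commands allow inbound tcp/10000 only from the BackupExec media server and leave it blocked from everywhere else. The media server address 10.0.0.5 is a placeholder; substitute your own.

```powershell
# Placeholder: address of the one BackupExec media server allowed to reach the agent.
$MediaServer = "10.0.0.5"

# Windows XP SP2 style (netsh firewall): open tcp/10000 with a CUSTOM scope so that
# only the media server address is permitted; all other sources stay blocked.
netsh firewall add portopening protocol=TCP port=10000 `
    name="BackupExec remote agent (media server only)" `
    mode=ENABLE scope=CUSTOM addresses=$MediaServer

# Windows Vista and later (netsh advfirewall): same intent as a scoped allow rule.
# The default inbound policy blocks everything not explicitly allowed, so no
# separate block rule is needed; remoteip limits the allow to the media server.
netsh advfirewall firewall add rule `
    name="BackupExec remote agent (media server only)" `
    dir=in action=allow protocol=TCP localport=10000 remoteip=$MediaServer

# Verify the rule was created as intended before relying on it.
netsh advfirewall firewall show rule name="BackupExec remote agent (media server only)"
```

Run these from an elevated prompt; the first pair applies to XP SP2 hosts and the second to newer Windows versions, so use whichever matches the host.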

This vulnerability is due to a hard-coded root password in the NDMP agent. I have verified this exploit works against various machines on-site (I was able to download an arbitrary file).

As of this writing (August 11, 2005), there is no patch released from Veritas, so I would keep bugging their support people to find out when one is available. Since the issue is due to the hard-coded password, expect this to be a big patch for both the agents and the servers since it requires this for connectivity.

The other solution is to completely disable the BackupExec agent, which will result in the accelerator agent becoming disabled.

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)