Alert

VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

Alert Code
TA05-224A

Systems Affected

  • VERITAS Backup Exec for Windows Servers
  • VERITAS Backup Exec Remote Agent for Windows Servers
  • VERITAS Backup Exec Remote Agent for Unix or Linux Servers
  • VERITAS Backup Exec for NetWare Servers
  • VERITAS Backup Exec Remote Agent for NetWare Servers
  • VERITAS NetBackup for NetWare Media Server Option

Please see SYM05-011 for further information.


Overview

VERITAS Backup Exec and NetBackup components use hard-coded administrative authentication credentials. An attacker with knowledge of these credentials and access to an affected component could retrieve arbitrary files from a vulnerable system.


Description

VERITAS Backup Exec and NetBackup are network backup and recovery products that support a variety of operating systems. Components of Backup Exec and NetBackup, including Backup Exec Remote Agents, support the Network Data Management Protocol (NDMP). NDMP "...is an open standard protocol for enterprise-wide backup of heterogeneous network-attached storage." By default, Remote Agents listen for NDMP traffic on port 10000/tcp. Other components that do not support NDMP may also listen on 10000/tcp.

VERITAS components including Backup Exec, NetBackup, and Remote Agents use hard-coded administrative authentication credentials. An attacker with knowledge of these credentials and access to an affected component may be able to retrieve arbitrary files from a vulnerable system. Most of these components run with elevated privileges. For example, Remote Agents for Windows run with SYSTEM privileges.

Exploit code containing the hard-coded credentials is publicly available. US-CERT has monitored reports of increased scanning activity on port 10000/tcp. This increase may be caused by attempts to locate vulnerable systems.

US-CERT is tracking this vulnerability as VU#378957.

Please note that VERITAS has recently merged with Symantec.


Impact

A remote attacker with knowledge of the hard-coded credentials and access to a Remote Agent or other affected component may be able to retrieve arbitrary files from a vulnerable system.


Solution

Apply Updates

Symantec has provided updates for this vulnerability in SYM05-011.

Restrict Network Access

Consider the following actions to mitigate risks associated with this and other vulnerabilities that require access to port 10000/tcp:

  • Use firewalls to limit connectivity so that only authorized backup servers can connect to Remote Agents or other listening components. The default port for these services is 10000/tcp. Consider blocking access at network perimeters and using host-based firewalls to limit access to authorized servers.
  • Changing the default port from 10000/tcp may reduce the chances of exploitation, particularly by automated attacks. Please refer to VERITAS documentation on how to change the default listening port.
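
To check that the access restriction holds in practice, the following added example (not part of the original alert and not VERITAS or Symantec code) audits firewall connection records for sources outside the authorized backup servers that contacted 10000/tcp. The log line format, the allowlist, the sample addresses and the sweep threshold are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

NDMP_PORT = 10000  # default listening port named in the alert
# Assumption: site-specific allowlist of authorized backup servers.
AUTHORIZED_BACKUP_SERVERS = [ipaddress.ip_network("10.0.5.10/32")]

# Constructed sample records; the line format is hypothetical.
SAMPLE_LOG = """\
2005-08-13T02:14:07Z ACCEPT TCP 10.0.5.10:40211 -> 10.0.7.21:10000
2005-08-13T02:15:30Z ACCEPT TCP 192.0.2.45:51515 -> 10.0.7.21:10000
2005-08-13T02:15:31Z DROP TCP 192.0.2.45:51516 -> 10.0.7.22:10000
2005-08-13T02:15:32Z DROP TCP 192.0.2.45:51517 -> 10.0.7.23:10000
2005-08-13T02:16:02Z ACCEPT TCP 10.0.9.8:33001 -> 10.0.7.21:445
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^\S+ (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def audit(log_text, sweep_threshold=3):
    """Summarize unauthorized sources that contacted NDMP_PORT."""
    by_src = defaultdict(lambda: {"accepted": set(), "dropped": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != NDMP_PORT:
            continue  # malformed record or a different service
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # digits and dots, but not a valid address
        if any(src in net for net in AUTHORIZED_BACKUP_SERVERS):
            continue  # expected backup traffic
        key = "accepted" if m["action"] == "ACCEPT" else "dropped"
        by_src[str(src)][key].add(m["dst"])
    findings = {}
    for src, seen in by_src.items():
        targets = seen["accepted"] | seen["dropped"]
        findings[src] = {
            "reached": sorted(seen["accepted"]),  # firewall gap to close
            "targets": len(targets),
            "sweep": len(targets) >= sweep_threshold,  # many hosts probed
        }
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any address listed under "reached" was allowed through to a listening component by a source that is not an authorized backup server, so the corresponding firewall rule needs tightening.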

For more information, please see US-CERT Vulnerability Note VU#378957.



Revision History

  • Aug 12, 2005: Initial release
  • Aug 15, 2005: Updates available, more accurate list of affected products
