Document ID: 304224
http://support.veritas.com/docs/304224

Symantec Backup Exec System Recovery Manager - Directory Traversal Vulnerability

Details:
Symantec Security Advisory

SYM08-013
May 28, 2008

Symantec Backup Exec System Recovery Manager - Directory Traversal Vulnerability

Revision History
None

Severity
Medium

Remote Access: Yes
Local Access: No
Authentication Required: No
Exploit Publicly Available: No



Overview
Symantec's Backup Exec System Recovery Manager is susceptible to a directory traversal vulnerability that could result in potential elevation of privilege.

Affected Products                       Version   Solution
Backup Exec System Recovery Manager     7.x       7.0.4
Backup Exec System Recovery Manager     8.x       8.0.2

Details
Tenable Security reported a directory traversal vulnerability in Symantec Backup Exec System Recovery. Successful exploitation could potentially allow an authorized network user to read privileged system files and potentially gain unauthorized access to the targeted system.
Symantec Response
Symantec has verified this issue and has released an update for all affected versions of Symantec Backup Exec System Recovery Manager. The update can be downloaded from https://fileconnect.symantec.com.

The update should be installed over your current version of Backup Exec System Recovery Manager.

Symantec currently knows of no exploit of or adverse customer impact from these issues.
Mitigation
Symantec has released IPS signatures for Norton firewall products, to detect and block attempts to exploit the directory traversal vulnerability.
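The traversal class this advisory describes, shown from the defender's side as an added example that is not Symantec's code or the product's fix: a hardened path resolver that canonicalises a request before checking it, and a detection pass over constructed access-log lines in the spirit of the IPS signatures mentioned above. DOC_ROOT, the log format, the sample lines and the function names are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root for this example; not a path from the advisory.
DOC_ROOT = "/srv/manager/webroot"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def fully_decode(path, rounds=3):
    """Percent-decode until stable (bounded), so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path


def resolve_request_path(doc_root, requested):
    """Map a URL path onto a file under doc_root; None means 'refuse'.
    Canonicalise first (decode, treat '\\' like '/'), reject any '..'
    segment or embedded NUL, then confirm containment as defence in depth."""
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:
        return None
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    root = posixpath.normpath(doc_root)
    full = posixpath.normpath(posixpath.join(root, *segments))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def scan_access_log(lines):
    """Detection side: (line number, path) for each request the hardened
    resolver would refuse, the way an IPS signature flags traversal attempts."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and resolve_request_path(DOC_ROOT, m.group(1)) is None:
            hits.append((n, m.group(1)))
    return hits


# Constructed sample access-log lines (not from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/May/2008:10:01:02 +0000] "GET /reports/summary.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [28/May/2008:10:01:07 +0000] "GET /../../boot.ini HTTP/1.1" 200 211',
    '10.0.0.9 - - [28/May/2008:10:01:09 +0000] "GET /%252e%252e/%252e%252e/win.ini HTTP/1.1" 200 92',
]
```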

Best Practices
As part of normal best practices, Symantec strongly recommends:

References:
SecurityFocus, http://www.securityfocus.com, has assigned a Bugtraq ID (BID) to this issue for inclusion in the SecurityFocus vulnerability database. The BID assigned is 29350, which can be found at http://www.securityfocus.com/bid/29350.



Credit:
Symantec would like to thank Nicolas Pouvesle of Tenable Security (http://tenablesecurity.com) for reporting this issue.




Products Applied:
 Backup Exec System Recovery Manager Option 7.0, 8.0
 Backup Exec System Recovery Server Edition 7.0, 7.0.4, 8.0, 8.0.2

Last Updated: May 30 2008 02:52 PM GMT
Expires on: 05-25-2018

Subjects:
 Backup Exec System Recovery Manager Option
   Install / Uninstall: Install/Uninstall
Backup Exec System Recovery Server Edition
   Application: Configuration
   Publishing Status: Techalert

Languages:
 English (US)

Operating Systems:
Windows 2000

Advanced Server, Advanced Server SP1, Advanced Server SP2, Advanced Server SP3, Advanced Server SP4, Advanced Server Windows Powered, Advanced Server Windows Powered SP1, Advanced Server Windows Powered SP2, Advanced Server Windows Powered SP3, Advanced Server Windows Powered SP4, Datacenter Server, Datacenter Server SP1, Datacenter Server SP2, Datacenter Server SP3, Datacenter Server SP4, Professional, Professional SP1, Professional SP2, Professional SP3, Professional SP4, SAK, Server, Server SP1, Server SP2, Server SP3, Server SP4, Server Windows Powered, Server Windows Powered SP1, Server Windows Powered SP2, Server Windows Powered SP3, Server Windows Powered SP4

Windows XP

5.2, Pro 5.1, Pro 5.1 64 bit SP1, Pro 5.1 64 bit SP2, Pro 5.1 64 bit SP3, Pro 5.1 64-bit, Pro 5.1 SP1, Pro 5.1 SP2, Pro 5.1 SP3

Windows Server 2003

DataCenter, DataCenter (IA64), DataCenter (x64), DataCenter SP1, DataCenter SP1(IA64), DataCenter SP1(x64), DataCenter SP2, Datacenter SP2(x64), Enterprise (IA64), Enterprise (x64), Enterprise SP1(IA64), Enterprise SP1(x64), Enterprise SP2, Enterprise SP2(x64), Enterprise Server, Enterprise ServerSP1, R2, Standard Server, Standard Server SP1, Standard Server SP1 (x64), Standard Server SP2, Standard Server SP2 (x64), Standard Server(x64), Storage Server, Storage Server SP1, Storage Server SP2, Web Server, Web Server SP1, Web Server SP2

Windows Small Business Server 2003

Premium Edition, Premium Edition R2, Premium Edition SP1, Standard Edition, Standard Edition R2, Standard Edition SP1, Standard Edition SP2

Windows Vista

Business (x64) 6.0.6000, Business (x86) 6.0.6000, Business RC2, Enterprise 6.0.6000, Enterprise RC2, RC2, Starter (x86) 6.0.6000, Ultimate (x64) 6.0.6000, Ultimate (x86) 6.0.6000, Ultimate RC2