Symantec Security Advisory SYM08-021 - Backup Exec 11d, 12.0 and 12.5 for Windows Servers

Details:

SYM08-021

18 November, 2008

Symantec Backup Exec Authentication Bypass and Potential Buffer Overflow

Revision History
None

Severity
High


Remote access	Yes
Local access	No
Authentication required	No
Exploit publicly available	No

Overview
Vulnerabilities were found in the authentication methods for logging onto a Backup Exec Remote Agent for Windows, Linux/Unix, Macintosh and Remote Media Agent for Linux Servers, that could allow an unprivileged user to gain unauthorized access to the application. Once authenticated, the user could further leverage a potential buffer overflow in the data management protocol in an attempt to crash or possibly further compromise the targeted system.

Products Affected


Backup Exec for Windows Servers	12.5	12.5.2213
Backup Exec for Windows Servers	12.0	12.0.1364
Backup Exec for Windows Servers	11d	11.0.7170
Backup Exec for Windows Servers	11d	11.0.6235

Note: ONLY the product versions and builds listed above as affected are vulnerable to these issues. This impacts the remote agents present on both Media servers and Remote backup hosts.

Details
Tenable Network Security worked with Symantec to identify multiple vulnerability issues in authentication as well as a buffer overflow potential once authenticated on affected Symantec Backup Exec remote agents. An unprivileged but authorized network user could potentially bypass the authentication during the logon process with the Backup Exec remote agents. Access could allow the unauthorized user to retrieve or delete files from the targeted host. Once authenticated, a potential buffer overflow is present in the data management protocol that could allow the unauthorized user to crash or possibly further compromise the targeted system.

Symantec Response
Symantec product engineers have developed and released solutions for this issue through
Symantec's LiveUpdate capability and support channels as indicated.
Symantec recommends all customers apply all updates to protect against threats of this nature.
Symantec knows of no exploitation of or adverse customer impact from these issues.
The patches listed for affected products are available from the following location:

For Backup Exec:
Backup Exec 12.5 revision 2213: http://support.veritas.com/docs/324918
Backup Exec 12.0 revision 1364: http://support.veritas.com/docs/314497
Backup Exec 11d revision 7170: http://support.veritas.com/docs/314512
Backup Exec 11d revision 6235: http://support.veritas.com/docs/314515

Mitigation
Symantec has released an IPS signature to detect and block attempts to exploit the buffer overflow (BID 32346).

Best Practices

As part of normal best practices, Symantec strongly recommends a multi-layered approach to security
Run under the principle of least privilege where possible.
Keep all operating systems and applications updated with the latest vendor patches.
Users, at a minimum, should run both a personal firewall and antivirus application with current updates to provide multiple points of detection and protection to both inbound and outbound threats.
Users should be cautious of mysterious attachments and executables delivered via email and be cautious of browsing unknown/untrusted websites or opening unknown/untrusted URL links.
Do not open unidentified attachments or executables from unknown sources or that you didn't request or were unaware of.
Always err on the side of caution. Even if the sender is known, the source address may be spoofed.
If in doubt, contact the sender to confirm they sent it and why before opening the attachment. If still in doubt, delete the attachment without opening it.

Credit
Symantec would like to thank Renaud Deraison and Nicolas Pouvesle with Tenable Network Security for coordinating on these findings and working closely with Symantec as the issues were resolved.

References
Security Focus, http://www.securityfocus.com , has assigned a Bugtraq ID (BID) to these issues for inclusion in the Security Focus vulnerability database. BID 32347 has been assigned to the authentication bypass issue and BID 32346 has been assigned to the buffer overflow in the data management protocol.

A CVE Candidate name will be requested from the Common Vulnerabilities and Exposures (CVE) initiative for these issues. This advisory will be revised accordingly upon receipt of the CVE Candidate names. These issues are candidates for inclusion in the CVE list ( http://cve.mitre.org ), which standardizes names for security problems.

Related Documents:

http://support.veritas.com/docs/314512

http://support.veritas.com/docs/314515

http://support.veritas.com/docs/314497

http://support.veritas.com/docs/324918

Products Applied:
Backup Exec for Windows Servers 11d (11.0), 11d (11.0) 6235, 11d (11.0) 6235 SP3, 11d (11.0) 7170, 11d (11.0) 7170 SP1, 11d (11.0) 7170 SP2, 11d (11.0) 7170 SP3, 12.0, 12.0 SP1, 12.0 SP2, 12.5
Backup Exec for Windows Servers Remote Agent for Linux/Unix Servers 12.5
Backup Exec for Windows Servers Remote Agent for Macintosh Servers 12.5
Backup Exec for Windows Servers Remote Agent for Windows Servers 11d(11.0), 11d(11.0) 6235, 11d(11.0) 6235 SP3, 11d(11.0) 7170, 11d(11.0) 7170 SP1, 11d(11.0) 7170 SP2, 11d(11.0) 7170 SP2, 11d(11.0) 7170 SP3, 12.0, 12.0 SP1, 12.0 SP2, 12.5

Last Updated: May 18 2009 05:45 PM GMT
Expires on: 05-18-2010

Subscribe to receive critical updates about this document

Subjects:
AIX
   Publishing Status: Kcs
Backup Exec for Windows Servers
   Application: Backup, Patch, Restore
   Publishing Status: Kcs
   Security: Outside Researcher
Backup Exec for Windows Servers Remote Agent for Linux/Unix Servers
   Security: Outside Researcher
Backup Exec for Windows Servers Remote Agent for Macintosh Servers
   Publishing Status: Kcs
Backup Exec for Windows Servers Remote Agent for Windows Servers
   Security: Outside Researcher
Windows Server 2003
   Publishing Status: Kcs

Languages:
Portuguese, Simplified Chinese, Russian, English (US), French, German, Spanish, Italian, Japanese, Chinese, Korean

Operating Systems:
Windows 2000

Advanced Server, Advanced Server SP1, Advanced Server SP2, Advanced Server SP3, Advanced Server SP4, Advanced Server Windows Powered, Advanced Server Windows Powered SP1, Advanced Server Windows Powered SP2, Advanced Server Windows Powered SP3, Advanced Server Windows Powered SP4, Datacenter Server, Datacenter Server SP1, Datacenter Server SP2, Datacenter Server SP3, Datacenter Server SP4, Professional, Professional SP1, Professional SP2, Professional SP3, Professional SP4, SAK, Server, Server SP1, Server SP2, Server SP3, Server SP4, Server Windows Powered, Server Windows Powered SP1, Server Windows Powered SP2, Server Windows Powered SP3, Server Windows Powered SP4

AIX

5.2, 5.3

HP-UX

11.11, 11i v2 (PA-RISC)

Solaris

10, 10 (32-bit), 10 (64-bit), 10 (x86), 10 (x86_64), 9 (x86), 9.0, 9.0 (32-bit)

Linux

RHEL 3.0 (AS), RHEL 3.0 (AS, ES, WS), RHEL 3.0 (ES), RHEL 3.0 (x86_64), RHEL 3.0 U2 (AS, ES, WS), RHEL 3.0 U4, RHEL 4 U4 (x86), RHEL 4 U5, RHEL 4 U6, RHEL 4.0, RHEL 4.0 (P5), RHEL 4.0 (x86_64), RHEL 4.0 U3, RHEL 4.0 U4 (x86_64), RHEL 5, RHEL 5 U1, RHEL 5 U2, RHEL 5.0 (P5), Red Flag DC Server 4.1, Red Flag DC Server 4.1 SP1, Red Flag DC Server 4.1 SP2, Red Flag DC Server 5.0 SP1, Red Flag DC Server 5.0 SP2, SLES 10, SLES 10 (P5), SLES 10 SP1, SLES 10 SP2, SLES 9 (P5), SLES 9 (x86_64), SLES 9 SP1, SLES 9 SP2, SLES 9 SP3, SLES 9 SP4

Windows NT Small Business Server

2000

Windows XP

5.2, Embedded, Home 5.1, Home 5.1 SP1, Home 5.1 SP2, Home 5.1 SP3, Pro 5.1, Pro 5.1 64 bit SP1, Pro 5.1 64 bit SP2, Pro 5.1 64 bit SP3, Pro 5.1 64-bit, Pro 5.1 SP1, Pro 5.1 SP2, Pro 5.1 SP3

Windows Server 2003

DataCenter, DataCenter (IA64), DataCenter (x64), DataCenter SP1, DataCenter SP1(IA64), DataCenter SP1(x64), DataCenter SP2, Datacenter SP2(x64), Enterprise (IA64), Enterprise (x64), Enterprise SP1(IA64), Enterprise SP1(x64), Enterprise SP2, Enterprise SP2(x64), Enterprise Server, Enterprise ServerSP1, R2, Standard Server, Standard Server SP1, Standard Server SP1 (x64), Standard Server SP2, Standard Server SP2 (x64), Standard Server(x64), Storage Server, Storage Server SP1, Storage Server SP2, Web Server, Web Server SP1, Web Server SP2

Windows Small Business Server 2003

Premium Edition, Premium Edition R2, Premium Edition SP1, Standard Edition, Standard Edition R2, Standard Edition SP1, Standard Edition SP2

VMWare ESX

3.0, 3.0.1, 3.0.2

Mac OS X

10.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4, 10.5

Mac OS X Server

10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.5

Windows Vista

Business (x64) 6.0.6000, Business (x86) 6.0.6000, Enterprise 6.0.6000, Ultimate (x64) 6.0.6000, Ultimate (x86) 6.0.6000

Windows Server 2008

DataCenter (x64-64bit), DataCenter (x86-32bit), Enterprise (x64-64bit), Enterprise (x86-32bit), Server Core, Standard (x64-64bit), Standard (x86-32bit), Web Server (x64-64bit), Web Server (x86-32bit)

Windows Small Business Server 2008

Premium Edition, Standard Edition

Symantec World Headquarters:
20330 Stevens Creek Blvd. Cupertino, CA 95014
World Wide Web: http://www.symantec.com,
Tech Support Web: http://entsupport.symantec.com,
E-Mail Support: http://seer.entsupport.symantec.com/email_forms,
FTP: ftp://ftp.entsupport.symantec.com or http://ftp.entsupport.symantec.com

THE INFORMATION PROVIDED IN THE SYMANTEC SOFTWARE KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. SYMANTEC SOFTWARE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SYMANTEC SOFTWARE OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,EVEN IF SYMANTEC SOFTWARE OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.