VERITAS Backup Exec and NetBackup use Hard-Coded Credentials
Original release date: August 12, 2005
Last revised: August 15, 2005
Source: US-CERT
Systems Affected
- VERITAS Backup Exec for Windows Servers
- VERITAS Backup Exec Remote Agent for Windows Servers
- VERITAS Backup Exec Remote Agent for Unix or Linux Servers
- VERITAS Backup Exec for NetWare Servers
- VERITAS Backup Exec Remote Agent for NetWare Servers
- VERITAS NetBackup for NetWare Media Server Option
Please see SYM05-011 for further information.
Overview
VERITAS Backup Exec and NetBackup components use hard-coded administrative authentication credentials. An attacker with knowledge of these credentials and access to an affected component could retrieve arbitrary files from a vulnerable system.
I. Description
VERITAS Backup Exec and NetBackup are network backup and recovery products that support a variety of operating systems. Components of Backup Exec and NetBackup, including Backup Exec Remote Agents, support the Network Data Management Protocol (NDMP). NDMP "...is an open standard protocol for enterprise-wide backup of heterogeneous network-attached storage." By default, Remote Agents listen for NDMP traffic on port 10000/tcp. Other components that do not support NDMP may also listen on 10000/tcp.
VERITAS components including Backup Exec, NetBackup, and Remote Agents use hard-coded administrative authentication credentials. An attacker with knowledge of these credentials and access to an affected component may be able to retrieve arbitrary files from a vulnerable system. Most of these components run with elevated privileges. For example, Remote Agents for Windows run with SYSTEM privileges.
Exploit code containing the hard-coded credentials is publicly available. US-CERT has monitored reports of increased scanning activity on port 10000/tcp. This increase may be caused by attempts to locate vulnerable systems.
US-CERT is tracking this vulnerability as VU#378957.
Please note that VERITAS has recently merged with Symantec.
II. Impact
A remote attacker with knowledge of the hard-coded credentials and access to a Remote Agent or other affected component may be able to retrieve arbitrary files from a vulnerable system.
III. Solution
Apply Updates
Symantec has provided updates for this vulnerability in SYM05-011.
Restrict Network Access
Consider the following actions to mitigate risks associated with this and other vulnerabilities that require access to port 10000/tcp:
- Use firewalls to limit connectivity so that only authorized backup servers can connect to Remote Agents or other listening components. The default port for these services is 10000/tcp. Consider blocking access at network perimeters and using host-based firewalls to limit access to authorized servers.
- Changing the default port from 10000/tcp may reduce the chances of exploitation, particularly by automated attacks. Please refer to VERITAS documentation on how to change the default listening port.
For more information, please see US-CERT Vulnerability Note VU#378957.
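One way to check that the network restriction above is holding, as an added example that is not part of the original advisory: the script reviews firewall flow records for 10000/tcp, reports connections that were allowed from hosts outside the authorized backup server list, and flags sources that touch several hosts on that port. The log format, the addresses, and the scan threshold are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

NDMP_PORT = 10000  # default listening port named in the advisory

# Assumption: the only hosts allowed to reach Remote Agents on 10000/tcp.
AUTHORIZED_BACKUP_SERVERS = [ipaddress.ip_network(n)
                             for n in ("10.1.5.10/32", "10.1.5.11/32")]

# Constructed sample records: timestamp, source, destination, dest port, action.
SAMPLE_FLOWS = """\
2005-08-13T02:00:01Z 10.1.5.10 10.2.0.21 10000 ALLOW
2005-08-13T02:00:05Z 10.1.5.11 10.2.0.22 10000 ALLOW
2005-08-13T03:14:07Z 192.0.2.77 10.2.0.21 10000 DENY
2005-08-13T03:14:07Z 192.0.2.77 10.2.0.22 10000 DENY
2005-08-13T03:14:08Z 192.0.2.77 10.2.0.23 10000 ALLOW
2005-08-13T04:40:12Z 10.3.9.40 10.2.0.21 10000 ALLOW
2005-08-13T04:41:00Z 10.3.9.40 10.2.0.21 443 ALLOW
truncated record
"""

def parse_flows(text):
    """Yield (ts, src, dst, port, action); silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, port, action = parts
        try:
            yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action
        except ValueError:
            continue

def review(text, scan_threshold=3):
    """Return (allowed connections from unauthorized sources, suspected scanners)."""
    exposed, targets = [], defaultdict(set)
    for ts, src, dst, port, action in parse_flows(text):
        if port != NDMP_PORT or any(src in n for n in AUTHORIZED_BACKUP_SERVERS):
            continue
        targets[src].add(dst)  # count distinct hosts probed, allowed or denied
        if action == "ALLOW":  # the firewall let an unauthorized host through
            exposed.append((ts, str(src), str(dst)))
    scanners = sorted(str(s) for s, d in targets.items() if len(d) >= scan_threshold)
    return exposed, scanners

if __name__ == "__main__":
    exposed, scanners = review(SAMPLE_FLOWS)
    for ts, src, dst in exposed:
        print(f"{ts} unauthorized {src} reached {dst}:{NDMP_PORT}")
    print("suspected scanners:", scanners)
```

Any entry in the first result means a firewall rule is letting an unauthorized host reach a listening component and should be tightened.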
Feedback can be directed to US-CERT Technical Staff.
Produced 2005 by US-CERT, a government organization.
Revision History
Aug 12, 2005: Initial release
Aug 15, 2005: Updates available, more accurate list of affected products