echo: nthelp
to: Geo
from: Ellen K.
date: 2005-08-21 16:25:58
subject: Re: how stupid is this

From: Ellen K. 

I sent this to our systems guys when I got it also, no idea whether they
pay attention when I forward stuff, but...

Meanwhile today when I tried to use our webmail, IE kept trying to go to an
address in the 10.xxx.xxx.xxx range (the one it tried to go to is in fact
the internal address of our mailserver) so of course I kept getting
"the page cannot be displayed"...   After investigating, ServerGuy
reported that the Veritas agent had hung a file on the mailserver while
trying to back it up and that this supposedly caused the problem.



On Fri, 12 Aug 2005 21:25:00 -0400, "Geo" 
wrote in message :

>Sooooo glad I don't run any backup software that uses an agent... read
>section II Impact.
>
>Geo.
>
>-----Original Message-----
>From: CERT Advisory 
>Date: Fri, 12 Aug 2005 18:16:36
>To:cert-advisory{at}cert.org
>Subject: US-CERT Technical Cyber Security Alert TA05-224A -- VERITAS Backup
>Exec Uses Hard-Coded Authentication Credentials
>
>
>
>
>                     National Cyber Alert System
>
>               Technical Cyber Security Alert TA05-224A
>
>
>VERITAS Backup Exec Uses Hard-Coded Authentication Credentials
>
>   Original release date: August 12, 2005
>   Last revised: --
>   Source: US-CERT
>
>
>Systems Affected
>
>     * VERITAS Backup Exec Remote Agent for Windows Servers
>
>
>Overview
>
>   VERITAS Backup Exec Remote Agent for Windows Servers uses
>   hard-coded administrative authentication credentials. An attacker
>   with knowledge of these credentials and access to the Remote Agent
>   could retrieve arbitrary files from a vulnerable system.
>
>
>I. Description
>
>   VERITAS Backup Exec Remote Agent for Windows Servers is a data
>   backup and recovery solution that supports the Network Data
>   Management Protocol (NDMP). NDMP "...is an open standard protocol
>   for enterprise-wide backup of heterogeneous network-attached
>   storage." By default, the Remote Agent listens for NDMP traffic on
>   port 10000/tcp.
>
>   The VERITAS Backup Exec Remote agent uses hard-coded administrative
>   authentication credentials. An attacker with knowledge of these
>   credentials and access to the Remote Agent may be able to retrieve
>   arbitrary files from a vulnerable system. The Remote Agent runs
>   with SYSTEM privileges.
>
>   Exploit code, including the credentials, is publicly available.
>   US-CERT has also seen reports of increased scanning activity on
>   port 10000/tcp. This increase may be caused by attempts to locate
>   vulnerable systems.
>
>   US-CERT is tracking this vulnerability as VU#378957.
>
>   Please note that VERITAS has recently merged with Symantec.
>
>
>II. Impact
>
>   A remote attacker with knowledge of the credentials and access to
>   the Remote Agent may be able to retrieve arbitrary files from a
>   vulnerable system.
>
>
>III. Solution
>
>Restrict access
>
>   US-CERT recommends taking the following actions to reduce the chances
>   of exploitation:
>
>     * Use firewalls to limit connectivity so that only authorized backup
>       server(s) can connect to the Remote Agent. The default port for
>       this service is port 10000/tcp.
>
>     * At a minimum, implement some basic protection at the network
>       perimeter. When developing rules for network traffic filters,
>       realize that individual installations may operate on
>       non-standard ports.
>
>     * In addition, changing the Remote Agent's default port from
>       10000/tcp may reduce the chances of exploitation. Please refer
>       to VERITAS support document 255174 for instructions on how to
>       change the default port.
>
>   For more information, please see US-CERT Vulnerability Note VU#378957.
>
>
>Appendix A. References
>
>     * US-CERT Vulnerability Note VU#378957 -
>       http://www.kb.cert.org/vuls/id/378957
>
>     * Veritas Backup Exec Remote Agent for Windows Servers Arbitrary
>       File Download Vulnerability -
>       http://securityresponse.symantec.com/avcenter/security/Content/14551.html
>
>     * VERITAS support document 255831 -
>       http://seer.support.veritas.com/docs/255831.htm
>
>     * VERITAS support document 258334 -
>       http://seer.support.veritas.com/docs/258334.htm
>
>     * VERITAS support document 255174 -
>       http://seer.support.veritas.com/docs/255174.htm
>
>     * What is NDMP? - http://www.ndmp.org/info/faq.shtml#1
>
>
> ____________________________________________________________________
>
>   The most recent version of this document can be found at:
>
>     http://www.us-cert.gov/cas/techalerts/TA05-224A.html
> ____________________________________________________________________
>
>   Feedback can be directed to US-CERT Technical Staff. Please send
>   email to  with "TA05-224A Feedback VU#378957" in the
>   subject.
> ____________________________________________________________________
>
>  To unsubscribe:
>
>    http://www.us-cert.gov/cas/#unsubscribe
> ____________________________________________________________________
>
>   Produced 2005 by US-CERT, a government organization.
>
>   Terms of use:
>
>     http://www.us-cert.gov/legal.html
> ____________________________________________________________________
>
>
>Revision History
>
>   Aug 12, 2005: Initial release
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
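
Added example (not part of the original message or the advisory): one way to check the "Restrict access" recommendation quoted above against firewall logs, by listing hosts other than the authorized backup server that reached, or swept, the Remote Agent port. The log format, addresses and function name are assumptions constructed for this example; agent_ports is a parameter because the advisory notes that installations may run on non-standard ports.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format: "<time> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\S+) (ALLOW|DENY) TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def audit(lines, backup_servers, agent_ports=(10000,), scan_threshold=3):
    """Return (violations, scanners).

    violations: entries where a host outside backup_servers was ALLOWED to
                reach an agent port (the firewall restriction is missing).
    scanners:   sources outside backup_servers that touched an agent port on
                at least scan_threshold distinct hosts (allowed or denied).
    """
    allowed_nets = [ipaddress.ip_network(s) for s in backup_servers]
    ports = set(agent_ports)  # include any port the agent was moved to
    violations, targets = [], defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the expected format
        when, action, src, dst, dport = m.groups()
        if int(dport) not in ports:
            continue
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in allowed_nets):
            continue  # authorized backup server
        targets[src].add(dst)
        if action == "ALLOW":
            violations.append((when, src, dst, int(dport)))
    scanners = {s: sorted(d) for s, d in targets.items()
                if len(d) >= scan_threshold}
    return violations, scanners

# Constructed sample data; addresses are private/documentation ranges.
SAMPLE_LOG = """\
2005-08-13T02:00:01 ALLOW TCP 10.0.5.10:49152 -> 10.0.1.20:10000
2005-08-13T02:00:09 ALLOW TCP 10.0.5.10:49153 -> 10.0.1.21:10000
2005-08-13T03:14:40 DENY TCP 198.51.100.7:40001 -> 10.0.1.20:10000
2005-08-13T03:14:41 DENY TCP 198.51.100.7:40002 -> 10.0.1.21:10000
2005-08-13T03:14:42 ALLOW TCP 198.51.100.7:40003 -> 10.0.1.22:10000
2005-08-13T04:30:00 ALLOW TCP 10.0.9.77:51000 -> 10.0.1.20:10000
2005-08-13T04:31:00 ALLOW TCP 10.0.9.77:51001 -> 10.0.1.20:443
""".splitlines()

if __name__ == "__main__":
    violations, scanners = audit(SAMPLE_LOG, backup_servers=["10.0.5.10/32"])
    for v in violations:
        print("unauthorized source reached agent port:", v)
    for src, dsts in scanners.items():
        print("possible scan from", src, "->", dsts)
```

Any entry in the violations list means a firewall rule is letting a host other than the backup server reach the agent and should be tightened.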
