echo: nthelp
to: Geo
from: Mike `/m`
date: 2005-08-13 08:05:26
subject: Re: how stupid is this

From: Mike '/m' 


Well yeah, the attacker is posing as a backup server.  ;-)


Didn't you have something to say about these types of vulns a year or two
ago, way before they all started?   You're prescient.

What stocks do you own?

 /m


On Fri, 12 Aug 2005 21:25:00 -0400, "Geo"  wrote:

>Sooooo glad I don't run any backup software that uses an agent... read
>section II Impact.
>
>Geo.
>
>-----Original Message-----
>From: CERT Advisory 
>Date: Fri, 12 Aug 2005 18:16:36
>To:cert-advisory{at}cert.org
>Subject: US-CERT Technical Cyber Security Alert TA05-224A -- VERITAS Backup
>Exec Uses Hard-Coded Authentication Credentials
>
>
>
>
>                     National Cyber Alert System
>
>               Technical Cyber Security Alert TA05-224A
>
>
>VERITAS Backup Exec Uses Hard-Coded Authentication Credentials
>
>   Original release date: August 12, 2005
>   Last revised: --
>   Source: US-CERT
>
>
>Systems Affected
>
>     * VERITAS Backup Exec Remote Agent for Windows Servers
>
>
>Overview
>
>   VERITAS Backup Exec Remote Agent for Windows Servers uses
>   hard-coded administrative authentication credentials. An attacker
>   with knowledge of these credentials and access to the Remote Agent
>   could retrieve arbitrary files from a vulnerable system.
>
>
>I. Description
>
>   VERITAS Backup Exec Remote Agent for Windows Servers is a data
>   backup and recovery solution that supports the Network Data
>   Management Protocol (NDMP). NDMP "...is an open standard protocol
>   for enterprise-wide backup of heterogeneous network-attached
>   storage." By default, the Remote Agent listens for NDMP traffic on
>   port 10000/tcp.
>
>   The VERITAS Backup Exec Remote agent uses hard-coded administrative
>   authentication credentials. An attacker with knowledge of these
>   credentials and access to the Remote Agent may be able to retrieve
>   arbitrary files from a vulnerable system. The Remote Agent runs
>   with SYSTEM privileges.
>
>   Exploit code, including the credentials, is publicly available.
>   US-CERT has also seen reports of increased scanning activity on
>   port 10000/tcp. This increase may be caused by attempts to locate
>   vulnerable systems.
>
>   US-CERT is tracking this vulnerability as VU#378957.
>
>   Please note that VERITAS has recently merged with Symantec.
>
>
>II. Impact
>
>   A remote attacker with knowledge of the credentials and access to
>   the Remote Agent may be able to retrieve arbitrary files from a
>   vulnerable system.
>
>
>III. Solution
>
>Restrict access
>
>   US-CERT recommends taking the following actions to reduce the chances
>   of exploitation:
>
>     * Use firewalls to limit connectivity so that only authorized backup
>       server(s) can connect to the Remote Agent. The default port for
>       this service is port 10000/tcp.
>
>     * At a minimum, implement some basic protection at the network
>       perimeter. When developing rules for network traffic filters,
>       realize that individual installations may operate on
>       non-standard ports.
>
>     * In addition, changing the Remote Agent's default port from
>       10000/tcp may reduce the chances of exploitation. Please refer
>       to VERITAS support document 255174 for instructions on how to
>       change the default port.
>
>   For more information, please see US-CERT Vulnerability Note VU#378957.
>
>
>Appendix A. References
>
>     * US-CERT Vulnerability Note VU#378957 -
>       <http://www.kb.cert.org/vuls/id/378957>
>
>     * Veritas Backup Exec Remote Agent for Windows Servers Arbitrary
>       File Download Vulnerability -
>       <http://securityresponse.symantec.com/avcenter/security/Content/14551.html>
>
>     * VERITAS support document 255831 -
>       <http://seer.support.veritas.com/docs/255831.htm>
>
>     * VERITAS support document 258334 -
>       <http://seer.support.veritas.com/docs/258334.htm>
>
>     * VERITAS support document 255174 -
>       <http://seer.support.veritas.com/docs/255174.htm>
>
>     * What is NDMP? - <http://www.ndmp.org/info/faq.shtml#1>
>
>
> ____________________________________________________________________
>
>   The most recent version of this document can be found at:
>
>     <http://www.us-cert.gov/cas/techalerts/TA05-224A.html>
> ____________________________________________________________________
>
>   Feedback can be directed to US-CERT Technical Staff. Please send
>   email to  with "TA05-224A Feedback VU#378957" in the
>   subject.
> ____________________________________________________________________
>
>  To unsubscribe:
>
>    <http://www.us-cert.gov/cas/#unsubscribe>
> ____________________________________________________________________
>
>   Produced 2005 by US-CERT, a government organization.
>
>   Terms of use:
>
>     <http://www.us-cert.gov/legal.html>
> ____________________________________________________________________
>
>
>Revision History
>
>   Aug 12, 2005: Initial release
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
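
Added example, not part of the original message or the quoted advisory: one way to check firewall logs against the advisory's "Restrict access" guidance, flagging Remote Agent port traffic from hosts other than the authorized backup server and sources probing many agents (the scanning US-CERT mentions). The log layout, addresses, allowlist and threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the advisory): the allowlisted backup server address,
# the log layout, and the scan threshold are all constructed for illustration.
AUTHORIZED_BACKUP_SERVERS = [ipaddress.ip_network("10.0.5.10/32")]
AGENT_PORTS = {10000}   # advisory default; add any non-standard ports in use
SCAN_THRESHOLD = 3      # distinct destinations probed by one source

# Constructed sample: "timestamp action proto src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2005-08-12T18:20:01 ALLOW tcp 10.0.5.10 10.0.7.21 10000
2005-08-12T18:20:04 ALLOW tcp 10.0.9.44 10.0.7.21 10000
2005-08-12T18:21:10 DENY tcp 192.0.2.77 10.0.7.21 10000
2005-08-12T18:21:11 DENY tcp 192.0.2.77 10.0.7.22 10000
2005-08-12T18:21:12 DENY tcp 192.0.2.77 10.0.7.23 10000
2005-08-12T18:22:00 ALLOW tcp 10.0.9.44 10.0.7.21 443
malformed line
"""

def is_authorized(src_ip):
    """True if the source is one of the authorized backup servers."""
    return any(src_ip in net for net in AUTHORIZED_BACKUP_SERVERS)

def review(log_text):
    """Return (allowed_unauthorized, scanners) for traffic to agent ports."""
    allowed_unauthorized = []      # policy gaps: the firewall let these through
    targets = defaultdict(set)     # source -> distinct agent hosts it contacted
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue               # skip lines that do not match the layout
        _ts, action, proto, src, dst, port = fields
        try:
            src_ip, dst_port = ipaddress.ip_address(src), int(port)
        except ValueError:
            continue               # skip unparsable addresses or ports
        if proto != "tcp" or dst_port not in AGENT_PORTS or is_authorized(src_ip):
            continue
        targets[src].add(dst)
        if action == "ALLOW":
            allowed_unauthorized.append((src, dst, dst_port))
    scanners = sorted(s for s, d in targets.items() if len(d) >= SCAN_THRESHOLD)
    return allowed_unauthorized, scanners

if __name__ == "__main__":
    gaps, scanners = review(SAMPLE_LOG)
    print("allowed from unauthorized sources:", gaps)
    print("likely scanners:", scanners)
```
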
