A flaw discovered in December in Veritas Software Inc.'s Backup Exec leaves users who run the software without a firewall in front of it open to attack, according to security management firm Secunia.
The boundary error, found by a security researcher, could give an attacker unauthorized access to Backup Exec's administrative functions and rights by exploiting the agent registration process, Secunia said.
Veritas confirmed the findings in an advisory and recommended that users running the software without a firewall install the hotfixes it has published for Backup Exec 8.6 and Backup Exec 9.1. Backup Exec 8.x installations should first be upgraded to Backup Exec 8.6 Build 3878, and Backup Exec 9.0 and 9.1 installations to Backup Exec 9.1 Build 4691 Service Pack 1, before the relevant hotfix is applied, Veritas said.
Secunia rates the flaw "moderately critical." It is caused by a boundary error in the agent browser service when it processes received registration requests: a malicious registration request containing an overly long hostname overflows a fixed-size buffer. Successful exploitation lets an attacker crash the service (a denial of service) or, with a crafted request, execute arbitrary code on the backup server.
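The bug class described above, shown as an added illustration that is not Backup Exec's code and does not reproduce its real registration protocol: a hypothetical registration request carrying a length-prefixed hostname, a parser that trusts that length and copies it into a fixed buffer, and the hardened parser beside it. The buffer size, the request layout and all function names are assumptions for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size hostname buffer. The value is illustrative; the article
 * does not state the size of the buffer in Backup Exec's agent browser service. */
#define HOSTNAME_MAX 64

struct agent_record {
    char hostname[HOSTNAME_MAX];
    int  registered;
};

/* Constructed request layout for this example (not the real wire format):
 * a 2-byte big-endian hostname length followed by the hostname bytes. */
static size_t read_u16_be(const unsigned char *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* Vulnerable pattern: trust the peer-supplied length and copy that many bytes
 * into the fixed buffer. A length of HOSTNAME_MAX or more writes past
 * rec->hostname, which is the boundary error the advisory describes. */
int register_agent_unsafe(struct agent_record *rec, const unsigned char *buf, size_t buflen)
{
    size_t len;
    if (buflen < 2)
        return -1;
    len = read_u16_be(buf);
    memcpy(rec->hostname, buf + 2, len);   /* no check that len < HOSTNAME_MAX */
    rec->hostname[len] = '\0';             /* also out of bounds for long len */
    rec->registered = 1;
    return 0;
}

/* Hardened version: the claimed length must match what was actually received,
 * must leave room for the terminator, and the name must look like a hostname.
 * Over-long names are rejected outright rather than silently truncated. */
int register_agent_safe(struct agent_record *rec, const unsigned char *buf, size_t buflen)
{
    size_t len, i;
    rec->registered = 0;
    rec->hostname[0] = '\0';

    if (buflen < 2)
        return -1;                         /* truncated header */
    len = read_u16_be(buf);
    if (len == 0 || len > buflen - 2)
        return -1;                         /* claims more bytes than were received */
    if (len >= HOSTNAME_MAX)
        return -1;                         /* would overflow the fixed buffer */
    for (i = 0; i < len; i++) {
        unsigned char c = buf[2 + i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return -1;                     /* not a plausible hostname character */
    }
    memcpy(rec->hostname, buf + 2, len);
    rec->hostname[len] = '\0';
    rec->registered = 1;
    return 0;
}

/* Test helper: build a request whose header claims claimed_len bytes but which
 * actually carries actual_len copies of fill. Returns the total request size. */
size_t build_request(unsigned char *out, size_t outlen,
                     size_t claimed_len, size_t actual_len, char fill)
{
    if (outlen < 2 + actual_len || claimed_len > 0xFFFF)
        return 0;
    out[0] = (unsigned char)(claimed_len >> 8);
    out[1] = (unsigned char)(claimed_len & 0xFF);
    memset(out + 2, (unsigned char)fill, actual_len);
    return 2 + actual_len;
}

/* Last record produced by try_request(), so callers can inspect the hostname. */
struct agent_record last_record;

/* Build a constructed request and run it through the hardened parser. */
int try_request(size_t claimed_len, size_t actual_len, char fill)
{
    unsigned char req[1024];
    size_t n = build_request(req, sizeof req, claimed_len, actual_len, fill);
    if (n == 0)
        return -2;                         /* could not build the test request */
    return register_agent_safe(&last_record, req, n);
}

int main(void)
{
    printf("8-byte name:    %d\n", try_request(8, 8, 'a'));      /* accepted */
    printf("300-byte name:  %d\n", try_request(300, 300, 'A'));  /* rejected */
    printf("truncated body: %d\n", try_request(10, 5, 'b'));     /* rejected */
    return 0;
}
```

The hardened parser never calls register_agent_unsafe; it is kept only to show the unchecked copy side by side with the checked one. A firewall in front of the service, as Veritas recommends, reduces who can reach this code path but does not fix the copy itself.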
To date, Veritas said it has not received any reports from users affected by this issue. However, analysts point out that buffer overflows are a common attack technique and have long affected Windows itself. "This problem is not only affecting Microsoft software but increasingly the software layered on top of it," said a spokesperson at Secunia.
Backup security has typically not been a priority for IT shops, but the issue is coming into focus, analysts said. "Missing backups and the problems associated with not being able to recover data have been the main concern for users … and putting out these fires has meant that security has never come to the front," said Arun Taneja, founder of analyst firm The Taneja Group. He said that the arrival of disk-to-disk backup and snapshot products that enhance data protection is increasing awareness of storage security.
Taneja noted that the versions of Backup Exec affected by the flaw are the most recent releases of the product, suggesting that the majority of Backup Exec users are probably on one of these releases and potentially at risk.
Veritas critics questioned whether the disclosure was prompted by Symantec, its new parent company and a dominant player in the security market, but most believe the timing was coincidental.