
Veritas Backup Exec flaw leaves users vulnerable

By Jo Maitland, News Director
06 Jan 2005 | SearchStorage.com


A flaw discovered in Veritas Software Inc.'s Backup Exec during December leaves users who run the software without a firewall in place open to attack, according to security management firm Secunia.

The boundary error in Backup Exec, discovered by a security researcher, could give an attacker unauthorized access to administrative functions and rights of Backup Exec during the registration process, Secunia said.

Veritas confirmed the findings in an advisory and recommended that users running the software without a firewall install the fixes for Backup Exec 8.6 installations and Backup Exec 9.1 installations. In addition, Backup Exec 8.x installations should be upgraded to Backup Exec 8.6 Build 3878 prior to the installation of the hotfix, and Backup Exec 9.0 and 9.1 installations should be upgraded to Backup Exec 9.1 Build 4691 Service Pack 1 prior to the installation of the relevant patch, Veritas said.


Secunia rates the flaw as "moderately critical," explaining that it is caused by a boundary error in the agent browser service when processing received registration requests. This can be exploited to cause a buffer overflow by sending a malicious registration request containing an overly long hostname. Successful exploitation of the flaw would allow an attacker to bog down the software, knock it off base and simultaneously inject malicious code into the system.
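The bug class described above, a fixed-size hostname field filled from a registration request without a length check, shown with its checked form as an added example; this is not Veritas code or the product's wire format. The names `register_agent` and `agent_entry`, the 64-byte field and the NUL-terminated request layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 64  /* assumed field size, not taken from the product */

struct agent_entry { char hostname[HOSTNAME_MAX]; };  /* hypothetical record */
enum reg_status { REG_OK = 0, REG_TRUNCATED, REG_BAD_LENGTH, REG_BAD_CHAR };

/* The unchecked form of this handler would be
 *     strcpy(entry->hostname, (const char *)req);
 * which writes past hostname[] whenever the sender's string is longer than
 * the field. The checked form measures the string inside the bytes actually
 * received before anything is copied. */
enum reg_status register_agent(struct agent_entry *entry,
                               const unsigned char *req, size_t req_len)
{
    if (entry == NULL || req == NULL || req_len == 0)
        return REG_TRUNCATED;
    /* The terminator must lie inside the received bytes. */
    const unsigned char *nul = memchr(req, '\0', req_len);
    if (nul == NULL)
        return REG_TRUNCATED;

    size_t name_len = (size_t)(nul - req);
    if (name_len == 0 || name_len >= sizeof entry->hostname)
        return REG_BAD_LENGTH;  /* reject outright, never truncate silently */

    /* Accept only letters, digits, '-' and '.' in a host name. */
    for (size_t i = 0; i < name_len; i++) {
        unsigned char c = req[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return REG_BAD_CHAR;
    }
    memcpy(entry->hostname, req, name_len + 1);  /* copy includes the NUL */
    return REG_OK;
}

int main(void)
{
    struct agent_entry e = {{0}};
    unsigned char big[300];                      /* constructed oversized name */
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    printf("valid=%d\n", register_agent(&e, (const unsigned char *)"host01", 7));
    printf("oversized=%d\n", register_agent(&e, big, sizeof big));
    return 0;
}
```
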

To date, Veritas said it has not received any communication from users affected by this issue. However, analysts point out that buffer overflow problems are a common method of attack and have existed in the Microsoft operating system for some time. "This problem is not only affecting Microsoft software but increasingly the software layered on top of it," said a spokesperson at Secunia.

Backup security has typically not been a priority for IT shops, but the issue is coming into focus, analysts said. "Missing backups and the problems associated with not being able to recover data have been the main concern for users … and putting out these fires has meant that security has never come to the front," said Arun Taneja, founder of analyst firm The Taneja Group. He said that the arrival of disk-to-disk backup and snapshot products that enhance data protection is increasing awareness of storage security.

Taneja noted that the versions of Backup Exec affected by the flaw are the most recent releases of the product, suggesting that the majority of Backup Exec users are probably on one of these releases and potentially at risk.

Veritas critics questioned whether the flaw was prompted by Symantec, its new parent company that dominates the security market, but most believe this was coincidental.


