Symantec fixes Backup Exec flaw

Symantec warned users of the flaw via its DeepSight Threat Management Service. Backup Exec is a network-enabled backup product Symantec acquired when it purchased storage company Veritas Software Corp. in late 2004.

It said Backup Exec for Netware Servers with remote agent for Windows servers is prone to multiple heap-overflow vulnerabilities that arise because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers.

"Specifically, these issues affect the RPC interfaces of the application and arise when specially crafted calls are processed," Symantec said. "A remote attacker may exploit these vulnerabilities to execute arbitrary code and gain system privileges on a vulnerable computer. Failed attack attempts may result in denial of service conditions as well."

Backup Exec 9.1 and 9.2 for Netware Servers remote agent for Windows servers are vulnerable to these issues, Symantec said, adding, "Reports indicate that these or similar issues also affect Backup Exec for Windows servers, Backup Exec Continuous Protection Server (CPS) remote agent, and other Backup Exec remote agents."

To carry out an attack, Symantec said digital miscreants must identify a vulnerable computer running the affected application, then craft an exploit that sends malicious calls over RCP to the application to trigger one of the vulnerabilities. The exploit would contain excessive data, arbitrary machine code and replacement memory addresses.

"If successful, the attacker-supplied code will be executed, resulting in granting unauthorised access to the remote attacker," Symantec said. "This may result in a full compromise."

Symantec did point out that it's not aware of any exploits at this time.

Backup Exec 9.1.1158.9 for Netware Servers with RAWS 4691.42 Hotfix 58 and Backup Exec 9.2.1401.3 for Netware Servers with RAWS 5629.3 Hotfix 34 have been released to address the flaw, Symantec said.