CPNI - Centre for the Protection of National Infrastructure


July 2007

Symantec Security Advisory - Backup Exec for Windows Server

ID: 161
Ref: 106/2007
Date: 12 July 2007:10:28:56
Version: 1

Title: Symantec Security Advisory - Backup Exec for Windows Server
Abstract: Symantec Backup Exec for Windows Servers is vulnerable to a denial of service attack from specifically formatted calls to a registered RPC interface.
Vendors affected: Symantec
Operating systems affected: Symantec
Applications affected: Symantec

SYM07-015
July 11, 2007
Symantec Backup Exec for Windows Server:
RPC Interface Heap Overflow, Denial of Service

http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11a.html

Revision History
None

Severity
High

Remote Access: Yes
Local Access: No
Authentication Required: Authorized network access normally required
Exploit publicly available: No

Overview
Symantec Backup Exec for Windows Servers is vulnerable to a denial of service
attack (DoS) from specifically formatted calls to a registered RPC interface.

Affected Products
Product                           Version   Build       Solution(s)
Backup Exec for Windows Servers   10.0      10.0.5484   HotFix Available
Backup Exec for Windows Servers   10.0      10.0.5520
Backup Exec for Windows Servers   10d       10.1.5629
Backup Exec for Windows Servers   11d       11.0.6235
Backup Exec for Windows Servers   11d       11.0.7170

NOTE: ONLY the products and versions listed above are affected by these
issues. This issue impacts the server only. Client remote agents are NOT
affected by this issue.

Product versions prior to those listed above are NOT supported. Customers
running legacy product versions should upgrade and apply available updates.

Details
iDefense notified Symantec of a DoS identified in one of the RPC interfaces
in Symantec Backup Exec for Windows Servers. The DoS occurs due to improper
validation and subsequent handling of user input. Successful exploitation
requires access to the service port, which in a normal installation would
require the attacker to have authorized but non-privileged access to the
network on which the targeted server resides in order to leverage network
communications. A successful attack would normally result in termination of
the targeted service; however, there is a slight potential that a sufficiently
designed and implemented attack could result in arbitrary code execution on,
and elevated access to, the targeted system.

Symantec response
Symantec engineers did an in-depth review of the reported issue and related
file functionality to further enhance the overall security of the Symantec
Backup Exec product. Symantec engineers have addressed this issue in all
currently supported versions of the identified products. Security updates are
available for all supported products.

Symantec strongly recommends all customers apply the latest security update as
indicated for their supported product versions to protect against threats of
this nature.

Symantec knows of no exploitation of or adverse customer impact from these
issues.

The patches listed above for affected products are available from the
following location:

http://support.veritas.com/docs/289283

Best Practices
As part of normal best practices, Symantec recommends:

  • Restrict access to administration or management systems to authorized
    privileged users
  • Block remote access to all ports not essential for efficient operation
  • Restrict remote access, if required, to trusted/authorized systems only
  • Remove/disable unnecessary accounts or restrict access according to
    security policy as required
  • Run under the principle of least privilege where possible
  • Keep all operating systems and applications updated with the latest vendor
    patches
  • Follow a multi-layered approach to security. Run both firewall and
    antivirus applications, at a minimum, to provide multiple points of
    detection and protection to both inbound and outbound threats
  • Deploy network intrusion detection systems to monitor network traffic for
    signs of anomalous or suspicious activity. This may aid in detection of
    attacks or malicious activity related to exploitation of latest
    vulnerabilities

Credit
Symantec would like to thank iDefense who reported this finding from an
anonymous finder and coordinated closely with Symantec as we resolved the
issue.

References
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE
Candidate CVE-2007-3509 to this issue.
This issue is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

SecurityFocus has assigned Bugtraq ID BID 23897 to this issue for inclusion in
the SecurityFocus vulnerability database.

-------------------------------------------------------------------------------

Symantec takes the security and proper functionality of its products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec follows the principles of responsible disclosure.
Symantec also subscribes to the vulnerability guidelines outlined by the
National Infrastructure Advisory Council (NIAC). Please contact
secure@symantec.com if you feel you have discovered a potential or actual
security issue with a Symantec product. A Symantec Product Security team
member will contact you regarding your submission.

Symantec has developed a Product Vulnerability Handling Process document
outlining the process we follow in addressing suspected vulnerabilities in our
products. We support responsible disclosure of all vulnerability information
in a timely manner to protect Symantec customers and the security of the
Internet as a result of vulnerability. This document is available from the
location provided below.

Symantec strongly recommends using encrypted email for reporting vulnerability
information to secure@symantec.com.

-------------------------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Security Response.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are the
sole property of their respective companies/owners.

Initial Post on: Wednesday, 11-Jul-07 7:00:00
Last modified on: Wednesday, 11-Jul-07 14:56:54
___________________________________________________________________________

CPNI wishes to acknowledge the contributions of Symantec
for the information contained in this advisory.
___________________________________________________________________________

This advisory contains information released by the original author. Some of
the information may have changed since it was released. If the issue affects
you, it may be prudent to retrieve the advisory from the site of the original
source to ensure that you receive the most current
information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by CPNI. The views and opinions of
authors expressed within this notice shall not be used for advertising or
product endorsement purposes.

CPNI shall not accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable for
any loss or damage whatsoever, arising from or in connection with the usage of
information contained within this advisory.

CPNI is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
___________________________________________________________________________