Secunia Security Advisory - Some vulnerabilities have been reported in VERITAS Backup Exec, which can be exploited by malicious users to cause a DoS and potentially to compromise a vulnerable system, and by malicious people to cause a DoS (Denial of Service).
TITLE:
VERITAS Backup Exec Denial of Service and Format String Vulnerabilities
SECUNIA ADVISORY ID:
SA19242
VERIFY ADVISORY:
http://secunia.com/advisories/19242/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
From local network
SOFTWARE:
VERITAS Backup Exec Remote Agent 9.x for Windows Servers
http://secunia.com/product/7808/
VERITAS Backup Exec Remote Agent 10.x for Windows Servers
http://secunia.com/product/7812/
VERITAS Backup Exec 9.x
http://secunia.com/product/460/
VERITAS Backup Exec 10.x
http://secunia.com/product/5091/
DESCRIPTION:
Some vulnerabilities have been reported in VERITAS Backup Exec, which
can be exploited by malicious users to cause a DoS and potentially to
compromise a vulnerable system, and by malicious people to cause a
DoS (Denial of Service).
1) Some errors exist within the Backup Exec Remote Agent when
handling certain malformed packets it receives. This can be exploited
to cause memory access violations or to exhaust system resources, thus
causing the service to crash or stop responding until it is
restarted.
Successful exploitation causes DoS of the backup functionality.
The vulnerabilities have been reported in the following products:
* Backup Exec 9.2 for NetWare Servers - All Agents (NetWare, Windows, & Linux/Unix)
* Backup Exec 9.1 for NetWare Servers - All Agents (NetWare, Windows, & Linux/Unix)
* Backup Exec 10d (10.1) for Windows Servers rev. 5629 - All Remote Agents (RAWS, RANW, & RALUS)
* Backup Exec 10.0 for Windows Servers rev. 5520 - All Remote Agents (RAWS, RANW, & RALUS)
* Backup Exec 10.0 for Windows Servers rev. 5484 - All Remote Agents (RAWS, RANW, & RALUS)
* Backup Exec 9.1 for Windows Servers rev. 4691 - Remote Agent for Windows Servers (RAWS)
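The two failure modes named in item 1 (an access violation from trusting a length field, and unbounded work from an unchecked record count) are easiest to see side by side in a parser. The following is an added example written for this advisory, not Symantec/VERITAS code; the record format (4-byte big-endian length followed by payload), the caps MAX_PAYLOAD and MAX_RECORDS, and the sample messages are all constructed for illustration and have nothing to do with the Remote Agent's real wire protocol.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example (it is NOT the
 * Backup Exec Remote Agent's protocol): a stream of records, each a 4-byte
 * big-endian payload length followed by that many payload bytes. */
#define MAX_PAYLOAD 4096   /* per-record cap: bounds memory use per packet */
#define MAX_RECORDS 16     /* per-message cap: bounds work per packet       */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,   /* header or declared payload runs past the data */
    PARSE_TOO_LARGE = 2,   /* declared length exceeds MAX_PAYLOAD           */
    PARSE_TOO_MANY = 3     /* more records than MAX_RECORDS                 */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Naive parser of the kind that produces the item 1 failure modes: it trusts
 * the declared length. A lying or oversized length makes memcpy read past the
 * input or overrun the stack buffer (access violation), and nothing bounds the
 * work done per packet. Shown for contrast only; it is never fed malformed
 * input here. */
static size_t parse_records_naive(const uint8_t *buf, size_t len)
{
    size_t off = 0, n = 0;
    uint8_t payload[MAX_PAYLOAD];
    while (off + 4 <= len) {
        uint32_t plen = be32(buf + off);
        off += 4;
        memcpy(payload, buf + off, plen);   /* BUG: plen never validated */
        off += plen;
        n++;
    }
    return n;
}

/* Hardened parser: every length is checked against both the fixed cap and the
 * remaining input before any copy, and the record count is capped as well. */
static enum parse_status parse_records(const uint8_t *buf, size_t len, size_t *out_records)
{
    size_t off = 0, n = 0;
    uint8_t payload[MAX_PAYLOAD];
    *out_records = 0;
    while (off < len) {
        if (len - off < 4)
            return PARSE_TRUNCATED;          /* not even a full header left */
        uint32_t plen = be32(buf + off);
        off += 4;
        if (plen > MAX_PAYLOAD)
            return PARSE_TOO_LARGE;          /* reject before touching memory */
        if (plen > len - off)
            return PARSE_TRUNCATED;          /* declared length exceeds the data */
        if (n == MAX_RECORDS)
            return PARSE_TOO_MANY;           /* stop unbounded per-packet work */
        memcpy(payload, buf + off, plen);    /* now provably in bounds */
        off += plen;
        n++;
    }
    *out_records = n;
    return PARSE_OK;
}

/* Record count on success, negated status code on failure. */
static int parse_sample(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    enum parse_status st = parse_records(buf, len, &n);
    return st == PARSE_OK ? (int)n : -(int)st;
}

/* Constructed sample messages. */
static const uint8_t SAMPLE_OK[]        = { 0,0,0,3,'a','b','c',  0,0,0,1,'x' };
static const uint8_t SAMPLE_SHORT_HDR[] = { 0,0,1 };                     /* 3-byte header */
static const uint8_t SAMPLE_LYING_LEN[] = { 0,0,0,9,'a','b' };           /* claims 9, has 2 */
static const uint8_t SAMPLE_HUGE_LEN[]  = { 0xFF,0xFF,0xFF,0xFF };       /* claims ~4 GiB   */

int main(void)
{
    printf("naive, well-formed   : %zu records\n", parse_records_naive(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("hardened, well-formed: %d records\n", parse_sample(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("short header         : status %d\n", -parse_sample(SAMPLE_SHORT_HDR, sizeof SAMPLE_SHORT_HDR));
    printf("lying length         : status %d\n", -parse_sample(SAMPLE_LYING_LEN, sizeof SAMPLE_LYING_LEN));
    printf("huge length          : status %d\n", -parse_sample(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN));
    return 0;
}
```

On well-formed input both parsers agree, which is exactly why this class of bug survives testing: only the hardened version has a defined answer for a truncated header, a length that exceeds the bytes actually received, or a length larger than any buffer the service will ever allocate.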
2) A format string error exists within the job logging functionality
of Backup Exec for Windows. This can be exploited to cause a DoS and
may allow arbitrary code execution when a file with a specially
crafted filename is backed up.
Successful exploitation requires that job logging is configured with
"full details" enabled (non-default), and that a malicious user is
able to create a file with a specially crafted filename on a system
that is backed up.
The vulnerability has been reported in the following products:
* Backup Exec 10d (10.1) for Windows Servers rev. 5629
* Backup Exec 10.0 for Windows Servers rev. 5520
* Backup Exec 10.0 for Windows Servers rev. 5484
* Backup Exec 9.1 for Windows Servers rev. 4691
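The bug class in item 2 is a logging routine that hands a filename to the formatter as the format string instead of as data. The following is an added example, not VERITAS code: a constructed job-log routine in its unsafe and hardened forms, plus a defender-side check (our own, not a product feature) that counts conversion directives in a name that is about to reach a full-details job log. The function names, the log line text and the sample filenames are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256

/* Unsafe form: the backed-up file's name IS the format string, so any '%'
 * directive in that name drives the formatter. gcc and clang flag this
 * pattern with -Wformat-security; the pragma silences only that warning so
 * the contrast compiles. This function is never given an untrusted name here. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int format_job_log_unsafe(char *out, size_t outsz, const char *filename)
{
    return snprintf(out, outsz, filename);  /* BUG: filename used as format */
}
#pragma GCC diagnostic pop

/* Hardened form: the format string is a constant and the name is data only,
 * so a name such as "%x%n.txt" is written to the log literally. */
static int format_job_log(char *out, size_t outsz, const char *filename)
{
    return snprintf(out, outsz, "Backed up file: %s", filename);
}

/* Defender-side check (ours, not a product feature): count conversion
 * directives in a name about to be written to a full-details job log.
 * "%%" is a literal percent sign and does not count. A non-zero result on
 * a backup source is worth an alert while unpatched media servers remain. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }  /* escaped percent */
        n++;
    }
    return n;
}

static char g_line[LOG_LINE_MAX];

/* Formats through the safe path into a static buffer and returns it. */
static const char *job_log_line(const char *filename)
{
    format_job_log(g_line, sizeof g_line, filename);
    return g_line;
}

int main(void)
{
    /* Constructed sample filenames. */
    const char *names[] = { "report.txt", "100%%done.txt", "%x%x%n.txt" };
    char line[LOG_LINE_MAX];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-16s directives=%d -> %s\n", names[i],
               count_format_directives(names[i]), job_log_line(names[i]));
    }
    /* The unsafe routine behaves identically only while the name has no '%'. */
    format_job_log_unsafe(line, sizeof line, "report.txt");
    printf("unsafe path with benign name: %s\n", line);
    return 0;
}
```

The fix is the one-token change from `snprintf(out, outsz, filename)` to `snprintf(out, outsz, "%s", filename)`; the compiler warning that catches the unsafe form is worth turning into an error in any code base that logs filenames, and the directive counter shows the kind of cheap pre-patch detection a backup administrator can run over a file set.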
SOLUTION:
Apply updates.
-- RAWS (Remote Agent for Windows Servers) --
Backup Exec 10d (10.1) for Windows Servers rev. 5629, Hotfix 20
http://support.veritas.com/docs/282256
Backup Exec 10.0 for Windows Servers rev. 5520, Hotfix 26
http://support.veritas.com/docs/282258
Backup Exec 10.0 for Windows Servers rev. 5484, Hotfix 33
http://support.veritas.com/docs/282259
Backup Exec 9.1 for Windows Servers rev. 4691, Hotfix 56
http://support.veritas.com/docs/282260
-- RALUS (Remote Agent for Linux & Unix Servers) --
Backup Exec 10d (10.1) for Windows Servers rev. 5629, Hotfix 21
http://support.veritas.com/docs/282308
Backup Exec 10.0 for Windows Servers rev. 5520, Hotfix 27
http://support.veritas.com/docs/282312
Backup Exec 10.0 for Windows Servers rev. 5484, Hotfix 34
http://support.veritas.com/docs/282313
-- Remote Agent for NetWare Servers --
Backup Exec 10.x for Windows Servers (use the updated RANW 9.1.1158.9)
http://support.veritas.com/docs/282302
Backup Exec 9.1.1158.9 Remote Agent for NetWare Servers
http://support.veritas.com/docs/282302
-- Backup Exec 9.2 for NetWare Servers --
Backup Exec 9.2.1401.3 for NetWare Servers
http://support.veritas.com/docs/282293
-- Backup Exec 9.1 for NetWare Servers --
Backup Exec 9.1.1158.9 for NetWare Servers
http://support.veritas.com/docs/282299
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://securityresponse.symantec.com/avcenter/security/Content/2006.03.17a.html
http://securityresponse.symantec.com/avcenter/security/Content/2006.03.17b.html
http://seer.support.veritas.com/docs/282279.htm
http://seer.support.veritas.com/docs/282254.htm
http://seer.support.veritas.com/docs/282255.htm
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches, only
to use those supplied by the vendor.
----------------------------------------------------------------------