TITLE: VERITAS Backup Exec Denial of Service and Format String Vulnerabilities SECUNIA ADVISORY ID: SA19242 VERIFY ADVISORY: http://secunia.com/advisories/19242/ CRITICAL: Less critical IMPACT: DoS, System access WHERE: >From local network SOFTWARE: VERITAS Backup Exec Remote Agent 9.x for Windows Servers http://secunia.com/product/7808/ VERITAS Backup Exec Remote Agent 10.x for Windows Servers http://secunia.com/product/7812/ VERITAS Backup Exec 9.x http://secunia.com/product/460/ VERITAS Backup Exec 10.x http://secunia.com/product/5091/ DESCRIPTION: Some vulnerabilities have been reported in VERITAS Backup Exec, which can be exploited by malicious users to cause a DoS and potentially to compromise a vulnerable system, and by malicious people to cause a DoS (Denial of Service). 1) Some errors exist within the Backup Exec Remote Agent when handling certain received malformed packets. This can be exploited to cause memory access violations or exhaust system resources, thus causing the service to crash or stop responding until it is restarted. Successful exploitation causes DoS of the backup functionality. The vulnerabilities have been reported in the following products: * Backup Exec 9.2 for NetWare Servers - All Agents (Netware, Windows, & Linux/Unix). * Backup Exec 9.1 for NetWare Servers - All Agents (NetWare, Windows, & Linux/Unix). * Backup Exec 10d (10.1) for Windows Servers rev. 5629 - All Remote Agents (RAWS, RANW, & RALUS) * Backup Exec 10.0 for Windows Servers rev. 5520 - All Remote Agents (RAWS, RANW, & RALUS) * Backup Exec 10.0 for Windows Servers rev. 5484 - All Remote Agents (RAWS, RANW, & RALUS) * Backup Exec 9.1 for Windows Servers rev. 4691 - Remote Agent for Windows Servers (RAWS) 2) A format string error exists within the job logging functionality of Backup Exec for Windows. This can be exploited to cause a DoS and may allow arbitrary code execution when a file with specially-crafted filename is backed up. Successful exploitation requires that job logging is configured with "full details" enabled (non-default), and that a malicious user is able to create a file with specially-crafted filename on a system that is backed up. The vulnerability has been reported in the following products: * Backup Exec 10d (10.1) for Windows Servers rev. 5629 * Backup Exec 10.0 for Windows Servers rev. 5520 * Backup Exec 10.0 for Windows Servers rev. 5484 * Backup Exec 9.1 for Windows Servers rev. 4691 SOLUTION: Apply updates. -- RAWS (Remote Agent for Windows Servers) -- Backup Exec 10d (10.1) for Windows Servers rev. 5629, Hotfix 20 http://support.veritas.com/docs/282256 Backup Exec 10.0 for Windows Servers rev. 5520, Hotfix 26 http://support.veritas.com/docs/282258 Backup Exec 10.0 for Windows Servers rev. 5484, Hotfix 33 http://support.veritas.com/docs/282259 Backup Exec 9.1 for Windows Servers rev. 4691, Hotfix 56 http://support.veritas.com/docs/282260 -- RALUS (Remote Agent for Linux & Unix Servers) -- Backup Exec 10d (10.1) for Windows Servers rev. 5629, Hotfix 21 http://support.veritas.com/docs/282308 Backup Exec 10.0 for Windows Servers rev. 5520, Hotfix 27 http://support.veritas.com/docs/282312 Backup Exec 10.0 for Windows Servers rev. 5484, Hotfix 34 http://support.veritas.com/docs/282313 -- Remote Agent for Netware Servers -- Backup Exec 10.x for Windows Servers (use the updated RANW 9.1.1158.9) http://support.veritas.com/docs/282302 Backup Exec 9.1.1158.9 Remote Agent for NetWare Servers http://support.veritas.com/docs/282302 -- Backup Exec 9.2 for NetWare Servers -- Backup Exec 9.2.1401.3 for NetWare Servers http://support.veritas.com/docs/282293 -- Backup Exec 9.1 for NetWare Servers -- Backup Exec 9.1.1158.9 for NetWare Servers http://support.veritas.com/docs/282299 PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://securityresponse.symantec.com/avcenter/security/Content/2006.03.17a.html http://securityresponse.symantec.com/avcenter/security/Content/2006.03.17b.html http://seer.support.veritas.com/docs/282279.htm http://seer.support.veritas.com/docs/282254.htm http://seer.support.veritas.com/docs/282255.htm ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------