The Department of Homeland Security's US-CERT (Computer Emergency Readiness Team) has issued an alert stating that Veritas Backup Exec software is being actively exploited. The Technical Cyber Security Alert comes a week after the first public disclosure of the Veritas vulnerability.
The active exploitation of Veritas Backup Exec software is the result of a buffer overflow condition that could potentially allow a malicious remote user to execute arbitrary code.
The buffer overflow is triggered by a flaw in how the remote agent software validates incoming packets. Veritas Backup Exec software is a network-enabled recovery and backup solution that listens on TCP port 10000 for incoming connections. Veritas software is shipped by a number of vendors, including NEC and Hitachi.
Security research firm iDefense first discovered the flaw in March and issued a joint public disclosure with Veritas on June 22. According to the iDefense advisory the exploitation does not require authentication and can occur "fairly reliably since the overflow is able to control code execution via the structured exception handler."http://o1.qnsr.com/log/p.gif?;n=203;c=204655439;s=10655;x=7936;f=201806121855330;u=j;z=TIMESTAMP;a=20400368;e=i
According to Michael Sutton, director of iDefense Labs, a public exploit came out for this vulnerability last Friday.
"Over the weekend, we noticed increased port scanning on port 10000, so it's safe to assume that the two are related," Sutton said. "This vulnerability was relatively easy to exploit, so it's not surprising that a public exploit emerged following the coordinated public disclosure."
US-CERT confirmed an increased scanning activity on port 10000/tcp, and that exploit code is publicly available.
"This increase is believed to be attempts to locate vulnerable systems running the Veritas Backup Exec Remote Agent," the alert states.
Veritas issued a hotfix patch at the time of the joint public disclosure of the vulnerability by iDefense and Veritas. Veritas claimed in its advisory that it was "unaware of any adverse customer impact from this issue." Users were strongly recommended to update their software with the hotfix.
"The patch does fix the vulnerability," Sutton said. "We were able to work with the vendor ahead of time and assist in testing the patch."
US-CERT and iDefense have also recommended that users implement some form of firewall network perimeter protection to restrict incoming connections to only trusted workstations.
Article courtesy of Internet News