             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                           VERITAS Security Updates
     [VERITAS Software Security Advisories VX05-002, VX05-003, VX05-005,
                            VX05-006, VX05-007]

June 22, 2005 19:00 GMT                                           Number P-232
______________________________________________________________________________
PROBLEM:       Multiple security vulnerabilities have been addressed in
               Veritas Backup Exec products for Windows and NetWare servers.
PLATFORM:      Backup Exec 10.0 for Windows Servers rev. 5484
               Backup Exec 9.1 for Windows Servers rev. 4691
               Backup Exec 9.0 for Windows Servers rev. 4454
               Backup Exec 9.0 for Windows Servers rev. 4367
               Backup Exec 9.1.307 for NetWare Servers
               Backup Exec 9.1.306 for NetWare Servers
               Backup Exec 9.1.1154 for NetWare Servers
               Backup Exec 9.1.1152.4 for NetWare Servers
               Backup Exec 9.1.1152 for NetWare Servers
               Backup Exec 9.1.1151.1 for NetWare Servers
               Backup Exec 9.1.1127.1 for NetWare Servers
               Backup Exec 9.1.1067.3 for NetWare Servers
               Backup Exec 9.1.1067.2 for NetWare Servers
               Backup Exec 9.0.4202 for NetWare Servers
               Backup Exec 9.0.4174 for NetWare Servers
               Backup Exec 9.0.4172 for NetWare Servers
               Backup Exec 9.0.4170 for NetWare Servers
               Backup Exec 9.0.4019 for NetWare Servers
DAMAGE:        VX05-002: A buffer overflow in Backup Exec Remote Agent for
               Windows Servers may allow a remote attacker to elevate
               privileges and execute arbitrary code.
               VX05-003: A remote access validation vulnerability in Backup
               Exec for Windows may allow a remote attacker to gain
               Administrator privileges over a victim's system registry.
               VX05-005: A buffer overflow vulnerability in Backup Exec Web
               Administration Console may allow an attacker to execute
               arbitrary code.
               VX05-006: A remote heap overflow in the Admin Plus Pack Option
               may allow a remote attacker to elevate privileges.
               VX05-007: A remote attacker may gain SYSTEM privileges by
               copying the handle that Backup Exec Remote Agent for Windows
               Servers uses.
SOLUTION:      Apply the security updates.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The worst of the vulnerabilities (see Veritas
ASSESSMENT:    Security Advisory VX05-007) may allow a remote attacker to gain
               SYSTEM privileges on a Windows Server.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-232.shtml
 ORIGINAL BULLETIN:  http://seer.support.veritas.com/docs/276608.htm
 ADDITIONAL LINKS:   Veritas Security Advisory VX05-002
                     http://seer.support.veritas.com/docs/276604.htm
                     Veritas Security Advisory VX05-003
                     http://seer.support.veritas.com/docs/276605.htm
                     Veritas Security Advisory VX05-005
                     http://seer.support.veritas.com/docs/276606.htm
                     Veritas Security Advisory VX05-006
                     http://seer.support.veritas.com/docs/276607.htm
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2005-0771, CAN-2005-0773
______________________________________________________________________________

Please visit the following links to view VX05-002, VX05-003, VX05-005 &
VX05-006:

VX05-002: http://seer.support.veritas.com/docs/276604.htm
VX05-003: http://seer.support.veritas.com/docs/276605.htm
VX05-005: http://seer.support.veritas.com/docs/276606.htm
VX05-006: http://seer.support.veritas.com/docs/276607.htm

[***** Start VERITAS Software Security Advisories VX05-002, VX05-003,
       VX05-005, VX05-006, VX05-007 *****]

VERITAS Software Security Advisory VX05-007

Details: VX05-007
June XX, 2005

VERITAS Backup Exec Remote Agent for Windows Servers remote process handle
access privilege elevations

Revision History
None

Risk Impact
High

Overview
VERITAS is aware of and has resolved an issue in which remote non-privileged
users could copy the handle that the Backup Exec Remote Agent for Windows
Servers uses, and potentially elevate their privileges to a level equal to
that of the SYSTEM user.

Affected Products
Backup Exec 10.0 for Windows Servers rev. 5484
Backup Exec 9.1 for Windows Servers rev. 4691
Backup Exec 9.0 for Windows Servers rev. 4454
Backup Exec 9.0 for Windows Servers rev. 4367
Backup Exec 9.1.307 for NetWare Servers
Backup Exec 9.1.306 for NetWare Servers
Backup Exec 9.1.1154 for NetWare Servers
Backup Exec 9.1.1152.4 for NetWare Servers
Backup Exec 9.1.1152 for NetWare Servers
Backup Exec 9.1.1151.1 for NetWare Servers
Backup Exec 9.1.1127.1 for NetWare Servers
Backup Exec 9.1.1067.3 for NetWare Servers
Backup Exec 9.1.1067.2 for NetWare Servers
Backup Exec 9.0.4202 for NetWare Servers
Backup Exec 9.0.4174 for NetWare Servers
Backup Exec 9.0.4172 for NetWare Servers
Backup Exec 9.0.4170 for NetWare Servers
Backup Exec 9.0.4019 for NetWare Servers

Non-Affected Products
Backup Exec 10.0 rev. 5520 for Windows Servers

Details
Remote users can potentially copy the handle that the Backup Exec Remote
Agent for Windows Servers uses, and elevate their privileges to a level equal
to that of the SYSTEM user. Once users have elevated their privileges, they
could then execute arbitrary code on the system. Successful exploitation of
this issue could potentially result in privileged access on the targeted
system.

VERITAS Software's Response
VERITAS Engineering has verified and addressed the issue in the affected
products. A hotfix has been developed for each of the affected versions to
address the issue. Even though VERITAS Technical Services is unaware of any
adverse customer impact from this issue, we strongly recommend users of the
affected products apply the appropriate upgrade and/or updates immediately
to safeguard against threats of this nature.

Note: The Remote Agent for Windows Servers (RAWS) will need to be reinstalled
on each remote machine after downloading and installing the following list of
files:

VERITAS Backup Exec 9.0 rev. 4367 for Windows Servers Hotfix 21
http://support.veritas.com/docs/276156

VERITAS Backup Exec 9.0 rev. 4454 for Windows Servers Hotfix 31
http://support.veritas.com/docs/275911

VERITAS Backup Exec 9.1 rev. 4691 for Windows Servers Hotfix 52
http://support.veritas.com/docs/275909

VERITAS Backup Exec 10.0 rev. 5484 for Windows Servers Hotfix 24
http://support.veritas.com/docs/275514
or
VERITAS Backup Exec 10.0 rev. 5484 for Windows Servers - upgrade to
Backup Exec 10.0 rev. 5520
http://support.veritas.com/docs/277181

VERITAS Backup Exec 9.0 rev. 4202 for NetWare Servers Hotfix 1
http://support.veritas.com/docs/277423

VERITAS Backup Exec 9.1.xxxx for NetWare Servers upgrade to
Backup Exec 9.1.1156
http://support.veritas.com/docs/277421

CVE
A CVE candidate number will be requested from The Common Vulnerabilities and
Exposures (CVE) initiative. This advisory will be revised as required once
the CVE candidate number has been assigned. This issue is a candidate for
inclusion in the CVE list ( http://cve.mitre.org ), which standardizes names
for security problems.

Related Documents:

275514: be5484RHF24_275514.exe
        10.0.5484 Hotfix 24 - Backup Exec for Windows Servers May 2005
        Security Rollup
        *Requires Backup Exec 10.0.5484 Service Pack 1
        http://support.veritas.com/docs/275514

275909: be4691RHF52_275909.exe
        9.1 4691 Hotfix 52 - Backup Exec for Windows Servers May 2005
        Security Rollup
        *Requires Backup Exec 9.1 4691 Service Pack 2
        http://support.veritas.com/docs/275909

275911: be4454RHF31_275911.exe
        9.0 4454 Hotfix 31 - Backup Exec for Windows Servers May 2005
        Security Rollup
        *Requires Backup Exec 9.0 4454 Service Pack 1
        http://support.veritas.com/docs/275911

276156: be4367RHF21_276156.exe
        9.0 4367 Hotfix 21 - Backup Exec for Windows Servers May 2005
        Security Rollup
        *Requires Backup Exec 9.0 4367 Service Pack 1
        http://support.veritas.com/docs/276156

277181: Q175168.BEWS10.0.5520.ESD_277181.zip
        VERITAS Backup Exec (tm) 10.0 rev. 5520 for Windows Servers
        Installation Files
        http://support.veritas.com/docs/277181

277423: B904202HF1_277423.EXE
        VERITAS Backup Exec 9.0.4202 for NetWare Servers Hotfix 1
        http://support.veritas.com/docs/277423

277429: Patch summary for Security Advisories VX05-001, VX05-002, VX05-003,
        VX05-005, VX05-006, VX05-007
        http://support.veritas.com/docs/277429

Products Applied:
Backup Exec for NetWare 9.0, 9.1
Backup Exec for Windows Servers 10.0, 10.0 5484, 9.0, 9.0 4367, 9.0 4454,
9.1, 9.1 4691

Last Updated: June 22 2005 05:19 PM GMT
Expires on: 04-26-2015

Subjects:
Backup Exec for NetWare
  Application: Backup, Restore, Security
  Publishing Status: Techalert
Backup Exec for Windows Servers
  Application: Backup, Documentation, Faq, Restore, Troubleshooting
  Publishing Status: Techalert

Languages: English (US), French, German, Spanish, Italian, Japanese, Chinese,
Korean

Operating Systems:
NetWare 4.2, 5.0, 5.1, 6.0, 6.5
Windows 2000 Advanced Server, Advanced Server Windows Powered, Datacenter
Server, Professional, SAK, Server, Server Windows Powered
Windows NT 4.0 Server SP6a, 4.0 Workstation SP6a
Windows NT Small Business Server 2000, 4.5
Windows XP Home 5.1, Pro 5.1
Windows Server 2003 DataCenter, Enterprise Server, Standard Server, Storage
Server, Web Server
Windows Small Business Server 2003 Premium Edition, Standard Edition

VERITAS Technical Services Document
VERITAS Software
350 Ellis Street
Mountain View, California 94043
World Wide Web: http://www.veritas.com
Tech Support Web: http://support.veritas.com
E-Mail Support: http://seer.support.veritas.com/email_forms
FTP: ftp://ftp.support.veritas.com or http://ftp.support.veritas.com

THE INFORMATION PROVIDED IN THE VERITAS SOFTWARE KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. VERITAS SOFTWARE DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL VERITAS SOFTWARE OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF VERITAS SOFTWARE OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW
THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL
DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

[***** End VERITAS Software Security Advisories VX05-002, VX05-003,
       VX05-005, VX05-006, VX05-007 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of VERITAS for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-222: Internet Explorer Cumulative Security Update
P-223: Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
P-224: Windows Web Client Service Vulnerability
P-225: Outlook Web Access for Exchange Server 5.5 Vulnerability
P-226: Outlook Express Cumulative Update
P-227: Step-by-Step Interactive Training Vulnerability
P-228: ISA Server 2000 Cumulative Update
P-229: Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
P-230: Vulnerability in Telnet Client Could Allow Information Disclosure
       (896428)
P-231: Security Vulnerability in the lpadmin(1M) Utility