Computing


Hackers exploit backup tool flaw

Firms told to use firewalls to limit connectivity

Roger Howorth, IT Week 13 Jul 2005

Internet security organisation the Cert Coordination Center has warned that hackers are exploiting flaws in Veritas Backup Exec software. Cert said firms should check their firewall configurations to ensure that only specified systems can connect to systems running the Veritas backup agent software on TCP port 10000. However, that port is also used by other popular apps, so extra care is needed.

"Specially crafted authentication messages can trigger [a] buffer overflow, making it possible for an unauthenticated attacker to exploit this vulnerability. Exploit code for this [flaw] is publicly available. In addition, we have received credible reports that this vulnerability is being actively exploited to execute arbitrary code with Local System privileges. We have also seen increased scanning activity on port 10000/tcp. This increase is believed to be attempts to locate vulnerable systems running the Veritas Backup Exec Remote Agent," said Cert.

The Backup Exec flaw is one of several publicised a week earlier by Veritas when it released patches for them. But firms need time to test patches before installing them, and are often slow to update vulnerable systems. This leaves a window of opportunity for hackers to break into servers and perhaps install trojan software or steal data.

The problem is particularly acute as this type of backup software is usually installed on critical systems rather than desktops and laptops that can be easily repaired using disk imaging software and remote management tools. "As the Backup Exec Remote Agent may be running on workstations as well as servers, [the remote agent buffer overflow] vulnerability may provide greater opportunity for attack than the other vulnerabilities," said Cert.

Cert advised firms to use firewalls to limit connectivity so only backup servers can connect to the systems being backed up. The standard port for this service is port 10000/tcp. "When developing rules for network traffic filters, realise that individual installations may operate on non-standard ports."
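The two checks Cert recommends above, an allow-list of backup servers for the agent port and watching for the scanning it reports on 10000/tcp, can be run over firewall logs. The script below is an added example, not code from the article or from Veritas; the log lines are constructed in a simplified iptables-style format, the addresses are made up, and the agent port is a parameter because Cert notes that installations may use non-standard ports.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified iptables-style LOG format (addresses are made up).
# 10.0.0.5 is the one legitimate backup server; 192.0.2.77 sweeps several hosts on 10000/tcp.
SAMPLE_LOG = """\
Jul 13 10:01:02 host kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.1.20 PROTO=TCP DPT=10000 SYN
Jul 13 10:01:03 host kernel: IN=eth0 SRC=192.0.2.77 DST=10.0.1.20 PROTO=TCP DPT=10000 SYN
Jul 13 10:01:03 host kernel: IN=eth0 SRC=192.0.2.77 DST=10.0.1.21 PROTO=TCP DPT=10000 SYN
Jul 13 10:01:04 host kernel: IN=eth0 SRC=192.0.2.77 DST=10.0.1.22 PROTO=TCP DPT=10000 SYN
Jul 13 10:01:05 host kernel: IN=eth0 SRC=10.0.3.9 DST=10.0.1.20 PROTO=TCP DPT=10000 SYN
Jul 13 10:01:06 host kernel: IN=eth0 SRC=10.0.3.9 DST=10.0.1.20 PROTO=TCP DPT=443 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")


def parse_connections(log_text, agent_port=10000):
    """Yield (src, dst) for every TCP connection attempt to agent_port.

    agent_port is configurable because an installation may not use the default 10000/tcp.
    """
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group(3)) == agent_port:
            yield m.group(1), m.group(2)


def audit_agent_traffic(log_text, backup_servers, agent_port=10000, scan_threshold=3):
    """Report sources outside the backup-server allow-list and sources that look like sweeps.

    backup_servers: set of addresses permitted to reach the Remote Agent port.
    scan_threshold: number of distinct destinations on that port that counts as scanning.
    """
    targets = defaultdict(set)
    for src, dst in parse_connections(log_text, agent_port):
        targets[src].add(dst)
    unauthorized = {s: sorted(d) for s, d in targets.items() if s not in backup_servers}
    scanners = sorted(s for s, d in targets.items() if len(d) >= scan_threshold)
    return {"unauthorized": unauthorized, "scanners": scanners}


if __name__ == "__main__":
    print(audit_agent_traffic(SAMPLE_LOG, {"10.0.0.5"}))
```

A hit on the allow-list check is a firewall rule that is missing or too broad; a scanner hit matches the reconnaissance Cert describes and is worth correlating across hosts.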

© 2005 Incisive Media Investments Ltd
