Technical Cyber Security Alert 2005-224A

Technical Cyber Security Alert 2005-224A (TA05-224A) addressed a critical remote code execution (RCE) vulnerability in Microsoft Windows.

This flaw specifically affected the Plug and Play (PnP) service across Windows 2000, XP, and Server 2003. An unauthenticated remote attacker could exploit this weakness by sending a specially crafted Universal Plug and Play (UPnP) request.

Successful exploitation granted the attacker full system control with SYSTEM privileges. The alert was particularly urgent as the vulnerability was being actively exploited in the wild, notably by the Zotob worm family.

Microsoft released security bulletin MS05-039 to patch this critical flaw. Organizations were urged to apply the update immediately to prevent widespread compromise.


National Cyber Alert System

Technical Cyber Security Alert TA05-224A


VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

Original release date: August 12, 2005
Last revised: --
Source: US-CERT


Systems Affected

* VERITAS Backup Exec Remote Agent for Windows Servers


Overview

VERITAS Backup Exec Remote Agent for Windows Servers uses
hard-coded administrative authentication credentials. An attacker
with knowledge of these credentials and access to the Remote Agent
could retrieve arbitrary files from a vulnerable system.


I. Description

VERITAS Backup Exec Remote Agent for Windows Servers is a data
backup and recovery solution that supports the Network Data
Management Protocol (NDMP). NDMP "...is an open standard protocol
for enterprise-wide backup of heterogeneous network-attached
storage." By default, the Remote Agent listens for NDMP traffic on
port 10000/tcp.

The VERITAS Backup Exec Remote Agent uses hard-coded administrative
authentication credentials. An attacker with knowledge of these
credentials and access to the Remote Agent may be able to retrieve
arbitrary files from a vulnerable system. The Remote Agent runs
with SYSTEM privileges.

Exploit code, including the credentials, is publicly available.
US-CERT has also seen reports of increased scanning activity on
port 10000/tcp. This increase may be caused by attempts to locate
vulnerable systems.

US-CERT is tracking this vulnerability as VU#378957.

Please note that VERITAS has recently merged with Symantec.


II. Impact

A remote attacker with knowledge of the credentials and access to
the Remote Agent may be able to retrieve arbitrary files from a
vulnerable system.


III. Solution

Restrict access

US-CERT recommends taking the following actions to reduce the chances
of exploitation:

* Use firewalls to limit connectivity so that only authorized backup
server(s) can connect to the Remote Agent. The default port for
this service is port 10000/tcp.

* At a minimum, implement some basic protection at the network
perimeter. When developing rules for network traffic filters,
realize that individual installations may operate on
non-standard ports.

* In addition, changing the Remote Agent's default port from
10000/tcp may reduce the chances of exploitation. Please refer
to VERITAS support document 255174 for instructions on how to
change the default port.

For more information, please see US-CERT Vulnerability Note VU#378957.
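One way to check whether the access restriction above is actually holding, and to spot the kind of scanning activity on port 10000/tcp the advisory mentions, is to review firewall connection logs against an allowlist of authorized backup servers. The following is an added example, not part of the US-CERT alert or any VERITAS tooling; the log format, the addresses and the allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the advisory): one connection
# attempt per line, in a simplified "src= dst= dport= action=" format.
SAMPLE_LOG = """\
2005-08-12T09:00:01 src=10.1.1.5 dst=10.1.2.10 dport=10000 action=allow
2005-08-12T09:00:02 src=10.1.1.5 dst=10.1.2.11 dport=10000 action=allow
2005-08-12T09:01:10 src=192.0.2.77 dst=10.1.2.10 dport=10000 action=allow
2005-08-12T09:01:11 src=192.0.2.77 dst=10.1.2.11 dport=10000 action=allow
2005-08-12T09:01:12 src=192.0.2.77 dst=10.1.2.12 dport=10000 action=allow
2005-08-12T09:01:13 src=192.0.2.77 dst=10.1.2.13 dport=10000 action=allow
2005-08-12T09:02:00 src=10.1.1.9 dst=10.1.2.10 dport=443 action=allow
"""

NDMP_PORT = 10000  # default Remote Agent listening port per the advisory
# Hypothetical allowlist: the only hosts that should ever reach the Remote Agent.
AUTHORIZED_BACKUP_SERVERS = {"10.1.1.5"}
# Distinct NDMP targets contacted by one source before we treat it as a scan.
SCAN_THRESHOLD = 3

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_line(line):
    """Extract (src, dst, dport) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def review_ndmp_access(log_text, ndmp_port=NDMP_PORT,
                       authorized=AUTHORIZED_BACKUP_SERVERS,
                       scan_threshold=SCAN_THRESHOLD):
    """Return (unauthorized_sources, scanning_sources) for traffic to the NDMP port.

    unauthorized_sources: sources reaching the port that are not approved backup servers.
    scanning_sources: sources touching at least scan_threshold distinct NDMP targets.
    """
    targets_by_src = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport != ndmp_port:
            continue  # ignore traffic to other services
        targets_by_src[src].add(dst)
    unauthorized = sorted(s for s in targets_by_src if s not in authorized)
    scanning = sorted(s for s, t in targets_by_src.items() if len(t) >= scan_threshold)
    return unauthorized, scanning
```

Run against the sample, the only unauthorized source is also the one sweeping several hosts on 10000/tcp; on a real installation, substitute the agent's configured port if it was moved off the default, as the advisory notes.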


Appendix A. References

* US-CERT Vulnerability Note VU#378957 -
<http://www.kb.cert.org/vuls/id/378957>

* Veritas Backup Exec Remote Agent for Windows Servers Arbitrary
File Download Vulnerability -
<http://securityresponse.symantec.com/avcenter/security/Content/14551.html>

* VERITAS support document 255831 -
<http://seer.support.veritas.com/docs/255831.htm>

* VERITAS support document 258334 -
<http://seer.support.veritas.com/docs/258334.htm>

* VERITAS support document 255174 -
<http://seer.support.veritas.com/docs/255174.htm>

* What is NDMP? - <http://www.ndmp.org/info/faq.shtml#1>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA05-224A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email with "TA05-224A Feedback VU#378957" in the subject.
____________________________________________________________________

To unsubscribe:

<http://www.us-cert.gov/cas/#unsubscribe>
____________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Aug 12, 2005: Initial release
