Exploit For Unpatched Veritas Backup Bug CirculatesExploit For Unpatched Veritas Backup Bug Circulates

Veritas Backup Exec has an unpatched vulnerability, Symantec said Friday, and an exploit targeting the buggy backup software is in the wild. The only defense is to filter the ports associated with the program.

"An exploit targeting a previously undisclosed flaw affecting Veritas Backup Exec Agent has been released to the public by the Metasploit Foundation," Symantec's Friday alert read.

According to Symantec, a logic bug in the backup software can be exploited to bypass authentication, and give an attacker full access to the system. With that control in hand, the hacker can then tell the Backup Exec Agent to connect to a port designated by the intruder, and transfer any file via the port to a remote PC.

The vulnerability exists only in the Windows versions of Backup Exec 8.5 and later, and doesn't seem to allow for any remote code execution, which would let the attack send files of his making to the PC to, for instance, turn it into a bot or spam zombie, or infect it with a keylogger or backdoor Trojan.

"It's quite likely that exploitation of this issue will commence shortly," Symantec's alert warned.

That may already be happening. Both the SANS Internet Storm Center and Symantec's own DeepSight Threat network have spotted an unusually high level of probing for two of the three ports which Backup Exec uses. The Internet Storm Center reported Friday that it's seen an increase in scans for port 10000, while Symantec noted an additional jump in probes of port 6101 over the day before.

As of mid-day Friday, a patch was not available; in lieu of a fix, Symantec recommended that administrators filter out traffic targeting TCP ports 6101, 6106, and 10000.

Bugs in backup software have been rife this summer, with Computer Associates recently acknowledging flaws in its BrightStor ARCserver Backup, and Symantec's Veritas division owning up to a slew of vulnerabilities in Backup Exec in late June.