vulnerability and sp3

Peter_Yaeger
Level 2
I installed SP3 for 9.1 last week with no problems. Today I had a Nessus scan done on my box and Veritas came back vulnerable to a few security issues. The primary one in question is for doc. id 275909. Any thoughts on this one?

Thanks,
Pete

Shyam_Sundar
Level 6
Hello,

For information on the recent VERITAS Backup Exec security vulnerabilities, including links to the downloads for the necessary hotfixes, please refer to the following document:
Patch summary for Security Advisories VX05-001, VX05-002, VX05-003, VX05-005, VX05-006, VX05-007

http://seer.support.veritas.com/docs/277429.htm

Please write to us if you have further queries.

Note : If we do not receive your reply within two business days, this post would be marked ‘assumed answered’ and would be moved to ‘answered questions’ pool.


Thanks.

Peter_Yaeger
Level 2
Well, that didn't work. When I went to install the 277429 patch as instructed it insists upon having sp2 installed. Obviously I already have sp3 installed. When I try to go back and install sp2 it also tells me I need sp2. In other words, I'm stuck. 9.1 sp3 won't let me do anything. Help.

Scott_Filler
Level 3
I would think that any security fixes that were issued prior to SP3 should be rolled into this service pack.
Is this not the case??
My company is looking into the SP3 update primarily because of the Remote Agent hardcoded password vulnerability. Do I need to install the security rollup BEFORE installing SP3?

Peter_Yaeger
Level 2
I was fully patched before installing sp3. Now it seems I'm not. I'd hold off until this gets cleared up.

Renuka_-
Level 6
Employee
Hello,
Sp3 for V9.1 covers the following vulnerabilities:
ETrack: 320362 buffer overrun situation Unauthenticated Remote Stack Overflow
ETrack: 320652 Veritas Backup Exec Server Remote Registry Access Vulnerability
ETrack: 321381 VERITAS Backup Exec Agent CONNECT_CLIENT_AUTH Remote Buffer Overflow Vulnerability - iDEFENSE Security Advisory
ETrack: 321382 iDEFENSE Security Advisory VERITAS Backup Exec Agent Error Status Remote Denial of Service Vulnerability
ETrack: 322824 Duplicate Handle Access Security Vulnerability in RAWS

These are also fixed by applying Hotfix52 on SP2 V9.1. All previous hotfixes and security rollouts are included in service pack 3.

Also please note that the application of the service pack3 does not require that the hotfix52 or previous two service packs be applied first.


Additional Information :
For information on the recent VERITAS Backup Exec security vulnerabilities, including links to the downloads for the necessary hotfixes, please refer to the following document:
Patch summary for Security Advisories VX05-001, VX05-002, VX05-003, VX05-005, VX05-006, VX05-007

http://seer.support.veritas.com/docs/277429.htm

Justin_Guidroz
Level 3
I can concur: today, when I did a Nessus scan of my media server, running 9.1 with SP3, it is now vulnerable again to the Backup Exec Server Remote Registry Access Vulnerability.

To prove my Nessus scan, I tried Metasploit against that vulnerability, and it exploited my media server successfully. After running the exploit, beserver.exe begins using 50% of the CPU and remains like that until I restart the machine or the service.

priya_khire
Level 6
Hello,

All the patches to deal with the vulnerability have been specifically tested under different environments and have been found to be effective. Ensure that in your case, the SP 3 install was done well and the server was rebooted after that. Also check from Veritas update if the SP was installed. Alternatively check if the file versions have been changed correctly as mentioned in the TN: http://support.veritas.com/docs/278302

Do revert in case of further queries.

Regards.

Justin_Guidroz
Level 3
Hello:

To test things, I installed Backup Exec 9.1 on a test server. After the installation, I rebooted the machine. I then ran Veritas Update which told me I had two updates that weren't installed: SP3 and Hotfix 54. I downloaded and installed SP3. I rebooted the machine and then checked for vulnerabilities that were supposed to be fixed by SP3, specifically the BackupExec Remote Registry Access Vulnerability and the BackupExec Remote Agent Security Vulnerability. The machine was still VULNERABLE to both vulnerabilities (second one expected since Hotfix 54 hadn't been applied). I then proceeded to install Hotfix 54 and rebooted the machine. I then tested for vulnerabilities again. The machine was no longer vulnerable to the Remote Agent Security Vulnerability (which is expected since I installed Hotfix 54), but it was still vulnerable to the Remote Registry Access Vulnerability (which is expected since Hotfix 54 does not fix this).

I have compared all the files that were updated according to this link http://seer.support.veritas.com/docs/278302.htm and the only files that were different were the ones updated by Hotfix 54. And those files matched with what was updated by Hotfix 54.

Justin_Guidroz
Level 3
I am still waiting for a reply/resolution to this issue.

Amruta_Bhide
Level 6
Hello Justin,
If you say that even after applying the SP 3 only the files changed in the HF 54 are changed, it is possible that the SP 3 is not installed properly.
We advise you to reapply SP 3, and then check.


Thanks.

Justin_Guidroz
Level 3
I reinstalled SP3. I then checked the file dates and versions that correspond with SP3 with what was installed on my test server. Every file matched up. Just like I had done before. I then checked for the Remote Registry Access vulnerability, and it is still vulnerable.

Just to make sure nothing flaky is going on, I will completely uninstall Backup Exec and reinstall it from scratch, install SP3, check the file dates and versions, and then test once again for the Remote Registry Access vulnerability and report back.

Amruta_Purandar
Level 6
Hello,

Have you performed the update?
- Do the versions show as expected?

Do update us on this issue.

Justin_Guidroz
Level 3
Sorry for not getting back sooner on this, Hurricane Katrina kept me from work last week.

I finally was able to completely uninstall and reinstall Backup Exec 9.1 and SP3. After installing SP3, all files matched up with what is listed at http://seer.support.veritas.com/docs/278302.htm .

The machine still tested as vulnerable.

Justin

tejashree_Bhate
Level 6
Hello,

Please provide us with additional information on how your tool determined that this vulnerability still exists on your machines or what it was scanning for during the scan to determine that it still existed on your machines?

Thanks

Justin_Guidroz
Level 3
I am using Metasploit from www.metasploit.com. The exact exploit is the Backupexec_registry exploit found at http://metasploit.com/projects/Framework/exploits.html#backupexec_registry

Running this exploit shows my production server and test server are vulnerable.

Justin_Guidroz
Level 3
Have y'all found anything at all with this issue?

Peter_Yaeger
Level 2
. Vulnerability found on port isdninfo (6106/tcp) :



The remote host is running a version of VERITAS Backup Exec for Windows
which is vulnerable to a remote registry access. An attacker may exploit
this flaw to modify the remote registry and gain a full access to the
system.

To exploit this flaw, an attacker would need to send requests to the RPC
service listening on port 6106.

The patch for this vulnerability fix others remote flaw (buffer overflows)
that may allow an attacker to execute code on the remote host with SYSTEM
privileges.

Solution : http://seer.support.veritas.com/docs/276605.htm
Risk factor : High


It was possible to read the value of the following registry key :
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

which is :
Microsoft Windows Server 2003
CVE : CAN-2005-0771
BID : 14020




------------------------------------------------------
This file was generated by the Nessus Security Scanner
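
An added example, not part of the original post or of any Veritas or Nessus tooling: a small parser for the text report format pasted above, used to check whether a post-patch scan still lists a CVE the service pack was supposed to close, and to capture the evidence line the scanner recorded. The function names and the second sample finding are assumptions made for illustration; the first finding is abridged from the post.

```python
import re

# Finding header in the legacy Nessus text report, as pasted in the post above.
HEADER = re.compile(
    r"^\.?\s*(?:Vulnerability|Warning|Information) found on port "
    r"(?P<service>\S+) \((?P<port>\d+)/(?P<proto>tcp|udp)\)\s*:", re.M)
FIELD = re.compile(r"^(Solution|Risk factor|CVE|BID)\s*:\s*(.+)$", re.M)
EVIDENCE = re.compile(r"registry key\s*:\s*\n\s*(\S.*)")

# First finding is abridged from the post; the second is constructed for the example.
SAMPLE_REPORT = r"""
. Vulnerability found on port isdninfo (6106/tcp) :

The remote host is running a version of VERITAS Backup Exec for Windows
which is vulnerable to a remote registry access.

Solution : http://seer.support.veritas.com/docs/276605.htm
Risk factor : High

It was possible to read the value of the following registry key :
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
CVE : CAN-2005-0771
BID : 14020

. Information found on port example-svc (9999/tcp) :

Constructed informational finding with no CVE.
Risk factor : None
"""

def parse_findings(report):
    """Split the report at each header and collect the labelled fields."""
    heads = list(HEADER.finditer(report))
    findings = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(report)
        body = report[h.end():end]
        fields = {k.lower(): v.strip() for k, v in FIELD.findall(body)}
        ev = EVIDENCE.search(body)
        findings.append({
            "service": h["service"], "port": int(h["port"]), "proto": h["proto"],
            "risk": fields.get("risk factor"), "solution": fields.get("solution"),
            "cve": set(re.findall(r"[A-Z]+-\d{4}-\d+", fields.get("cve", ""))),
            "evidence": ev.group(1).strip() if ev else None,
        })
    return findings

def unremediated(report, fixed_by_patch):
    """Findings in a post-patch scan whose CVE ids the patch should have closed."""
    return [f for f in parse_findings(report) if f["cve"] & set(fixed_by_patch)]
```

Run against a scan taken after the service pack, a non-empty result from `unremediated` together with its `evidence` value is the concrete detail a vendor needs when a file-version check says the patch is installed but the scanner disagrees.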

Justin_Guidroz
Level 3
That's exactly what I'm seeing when I run a Nessus scan of my server.

Justin_Guidroz
Level 3
Still waiting on a reply.