C7.1 Description

Backup software is a valuable asset for any organization. The software typically runs on a large number of systems in an enterprise. In recent years with the growth in data size, the trend has been to consolidate the backup function into few servers, or even a single server. The hosts requiring the backup service communicate with the backup server over the network. This may be a push where the client sends data to the server or a pull where the server connects to each client in turn, or a combination of both. During the last year a number of critical backup software vulnerabilities have been discovered. These vulnerabilities can be exploited to completely compromise systems running backup servers and/or backup clients. An attacker can leverage these flaws for an enterprise-wide compromise and obtain access to the sensitive backed-up data. Exploits have been publicly posted for some of these flaws, and these vulnerabilities are getting exploited in the wild.

C7.2 Operating Systems and Backup Software Affected

All operating systems running backup server or client software are potentially vulnerable to exploitation. The affected operating systems are mainly Windows and UNIX systems.

The following popular backup software packages are known to be affected by vulnerabilities

• Symantec Veritas NetBackup/Backup Exec


• Computer Associates BrightStor ARCServe


• EMC Legato Networker

C7.3 CVE Entries
CVE-2005-3116, CAN-2005-3659, CAN-2005-3658, CVE-2006-0989, CVE-2006-0990, CVE-2006-0991, CVE-2006-5142, CVE-2006-5143

C7.4 How to Determine If You Are Vulnerable

• Use any Vulnerability Scanner to detect vulnerable backup software installations.



• If you are using aforementioned backup software, it is recommended to update to the latest version. Monitor your backup software vendor site and subscribe to the patch notification system if they have one, and some of general security related sites such as US-CERT , CERT, SANS (Internet Storm Center) for new vulnerability announcements relating to your chosen backup software.



• The typical ports used by backup software:
  
  
  
  • Symantec Veritas Backup Exec
    
    - TCP/10000 TCP/8099, TCP/6106, TCP/13701, TCP/13721 and TCP/13724 (A listing of ports used by Veritas backup daemons is available here
  
  
  
  • CA BrightStor ARCServe Backup Agent
    
    - TCP/6050, UDP/6051, TCP/6070, TCP/6503, TCP/41523, UDP/41524
  
  
  
  • Sun and EMC Legato Networker
    
    - TCP/7937-9936