Backup software flaws pose risk
EMC has issued patches for flaws in its NetWorker product, while code that takes advantage of a known vulnerability in Veritas' NetBackup has been publicly released.
Customers were warned Monday that there are three bugs in NetWorker. One may result in a system crash, which would lead to a denial of service. The other two could assist an unauthorized user to commandeer the computer running the vulnerable backup and data recovery software, the company said in a security alert.
EMC has a fix out for NetWorker 7.2.1. Other versions, specifically NetWorker 7.1.4 and 7.3, are not at risk because the necessary code changes have already been made, the company said. To date, there are no reported attacks that exploit the flaws, EMC noted. The three vulnerabilities were outlined by security company iDefense on Tuesday.
By contrast, companies that use Veritas NetBackup are more likely to face attacks. Earlier this week, computer code that takes advantage of a known vulnerability in the software was publicly posted on the Internet by the French Security Incident Response Team, a security intelligence provider.
"Immediately after the FrSIRT public release of the exploit against Veritas NetBackup, scanning for TCP/13701 started to increase dramatically," the SANS Internet Storm Center, which tracks network threats, said Wednesday. (TCP/13701 is the port used by the malicious code in its attack.)
The NetBackup vulnerability was disclosed in November, also by iDefense. A buffer overflow vulnerability exists in a shared component of the backup product. A successful attack could cause the vulnerable software to crash or give an outsider control over the system, according to a Symantec alert. Symantec acquired Veritas Software last year.
Patches for NetBackup are available. The affected software are versions 5.0.0 and 5.1.0 of the NetBackup Client, NetBackup Enterprise Server and NetBackup Server, according to Symantec.
Data backup tools have become easy targets for attackers, the SANS Institute said last year in a security update. Serious security vulnerabilities have been disclosed in products from several vendors, including Computer Associates and Veritas.