SYM07-029 Symantec BEWS Multiple DoS in Job Engine
Symantec Security Advisory
SYM07-029
http://www.symantec.com/avcenter/security/Content/2007.11.27.html
27 Nov 2007
Symantec Backup Exec for Windows Server: Multiple Denial of Service Issues in Job Engine
Revision History
None
Severity
Medium
Remote Access
Yes
Local Access
No
Authentication Required
Authorized network access normally required
Exploit publicly available
No
Overview
Symantec Backup Exec for Windows Servers (BEWS) may be susceptible to multiple denial of service attacks (DoS) if maliciously formatted packets are passed to the BEWS Job Engine.
Affected Products
Product                                   Version  Build      Solution
Symantec Backup Exec for Windows Servers  11d      11.0.6235  Hotfix Available
Symantec Backup Exec for Windows Servers  11d      11.0.7170  Hotfix Available
NOTE: ONLY the products and versions listed as affected above are vulnerable to these issues. This issue impacts the server only. Client agents are NOT affected.
Details
Secunia Research notified Symantec of three DoS issues involving erroneous packet handling affecting components of the Symantec Backup Exec for Windows Servers Job Engine. One is a null-pointer dereference issue that crashes the listening service. The other two involve integer overflows that can force the service into an infinite loop, resulting in memory exhaustion or high CPU utilization. Successful exploitation requires access to the affected port. In normal installations this would require the attacker to have authorized but non-privileged access to the network on which the targeted server resides to leverage network communications. A successful attack could result in termination of the targeted service and loss of scheduling services or potentially loss of access to the application until the service is restarted or the targeted activity ceases.
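The two bug classes described above, as an added C example (not Symantec's code and not taken from the advisory): a length-prefixed record walker that bounds each length by the bytes remaining, so the cursor cannot wrap and stall the loop, and that rejects a missing handler instead of calling through NULL. The record layout, lookup_handler and the other names are assumptions; the advisory does not describe the Job Engine packet format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record layout (an assumption, NOT the Backup Exec protocol):
 * 1-byte type, 4-byte little-endian payload length, payload bytes. */
#define HDR_LEN 5u

typedef int (*handler_fn)(const uint8_t *payload, uint32_t len);
static int handle_ping(const uint8_t *p, uint32_t n) { (void)p; (void)n; return 0; }

/* Hypothetical dispatch: only type 1 is registered, all others yield NULL. */
static handler_fn lookup_handler(uint8_t type) { return type == 1 ? handle_ping : NULL; }

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unchecked cursor update: 32-bit arithmetic wraps, so the result can be
 * <= off and a loop built on it never reaches the end of the buffer. */
uint32_t unchecked_next(uint32_t off, uint32_t len) { return off + HDR_LEN + len; }

/* Hardened walk: returns records handled, or -1 for a malformed packet. */
int parse_records(const uint8_t *buf, size_t size) {
    size_t off = 0;
    int count = 0;
    while (off < size) {
        if (size - off < HDR_LEN) return -1;         /* truncated header */
        uint32_t len = rd_le32(buf + off + 1);
        if (len > size - off - HDR_LEN) return -1;   /* bound by bytes left; no sum to wrap */
        handler_fn h = lookup_handler(buf[off]);
        if (h == NULL) return -1;                    /* never call through a NULL handler */
        if (h(buf + off + HDR_LEN, len) != 0) return -1;
        off += HDR_LEN + (size_t)len;                /* strictly advances, stays <= size */
        count++;
    }
    return count;
}

int main(void) {
    const uint8_t good[] = {1, 2,0,0,0, 0xAA,0xBB, 1, 0,0,0,0};  /* constructed sample */
    const uint8_t wrap[] = {1, 0xFB,0xFF,0xFF,0xFF};             /* constructed sample */
    printf("good=%d wrap=%d next=%u\n", parse_records(good, sizeof good),
           parse_records(wrap, sizeof wrap), (unsigned)unchecked_next(0, 0xFFFFFFFBu));
    return 0;
}
```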
Symantec Response
Symantec engineers have addressed this issue in all affected builds of the identified product. Security updates are available for all affected product builds.
Symantec strongly recommends all customers apply the latest security update as indicated for their supported product versions to protect against threats of this nature.
Symantec knows of no exploitation of or adverse customer impact from these issues.
The patch listed above for affected products is available from the following location:
Build 6235: http://support.veritas.com/docs/294241
Build 7170: http://support.veritas.com/docs/294237
Best Practices
As part of normal best practices, Symantec recommends:
* Restrict access to administration or management systems to authorized privileged users
* Block remote access to all ports not essential for efficient operation
* Restrict remote access, if required, to trusted/authorized systems only
* Remove/disable unnecessary accounts or restrict access according to security policy as required
* Run under the principle of least privilege where possible
* Keep all operating systems and applications updated with the latest vendor patches
* Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats
* Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latest vulnerabilities
Credit:
Symantec would like to thank JJ Reyes with Secunia Research for reporting these findings and coordinating closely with Symantec as we resolved the issues.
References
The Common Vulnerabilities and Exposures (CVE) initiative has assigned:
CVE-2007-4346 to the null pointer dereference DoS issue
CVE-2007-4347 to the integer overflow DoS issues
These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security issues.
SecurityFocus has assigned Bugtraq ID BID 26028 for the null pointer issue and BID 26029 for the integer overflow issues for inclusion in the SecurityFocus vulnerability database.
Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com.
The Symantec Product Security PGP key can be obtained from http://www.symantec.com/security.
----------------------------------------
Symantec Product Security/Vulnerability Management Team
Symantec takes the security of our products seriously as a responsible
disclosure company. You can view our response policies at
http://www.symantec.com/security.
We will work directly with anyone who believes they have found a security
issue in a Symantec product to validate the problem and coordinate any
response deemed necessary.
Please contact secure@symantec.com concerning security issues with Symantec
products.