The National Cyber Alert System warned yesterday of active exploits of a security flaw in Veritas Backup Exec Software. The system is part of the U.S. Homeland Security’s Computer Emergency Readiness Team (U.S.-CERT). The alert said a buffer overflow could allow hackers to take over a computer and remotely execute malicious code.
“The vulnerability discovered in the Veritas remote agent is a significant one, as it allows an attacker to remotely execute code on a target machine running the backup agent,” Ed Moyle, president, SecurityCurve, told TechNewsWorld. “One mitigating factor is that Veritas is enterprise software and most corporate firewalls block port 10000 (the port used by the backup agent) from outside their network, which helps to prevent attacks from impacting corporate entities.”
Flaw Found in March
The flaw in the software, used to trigger backups of data files on Windows servers in case of computer crashes or other problems, was first discovered in March by security firm iDefense.
Veritas has issued patches for the vulnerability, which the company and iDefense announced last week.
U.S.-CERT said in the warning that the exploit code is publicly available and that it has seen a spike in attack attempts, a situation Moyle said was to be expected.
“In most cases, once a vulnerability is published, exploit code, software that attacks the vulnerability, is published as well,” he said. “Once exploit code does become available, the frequency of active attack spikes for a period of time after the publication, as it is very easy for attackers to gain access to the exploit and use it to break into machines.”
Delay in Installing Patches
The patches will take care of the problem, but they are not always promptly installed.
“It is extremely difficult for enterprises to keep ahead of a vulnerability like this, particularly when the timeframe to deploy the patch is so small as it was with this vulnerability,” Moyle said.
“In this case, the patch for this flaw became available on the 22nd and exploit code was available on the 24th. Most IT departments understand the need to install patches quickly, but I think that in this case, the small window of time between when the patch was released and when exploit code was available made this incident a particularly difficult one for enterprises to address.”