[ISN] Symantec pulls Backup Exec patches

InfoSec News isn at c4i.org
Thu Mar 23 04:48:23 EST 2006
By Matthew Broersma
22 March 2006

Companies using Symantec's Veritas Backup Exec are facing a dilemma
after Symantec warned of security flaws in the software, but pulled
some of the patches due to quality issues.

Symantec warned that flaws in the Backup Exec Remote Agent could allow
attackers to cause memory access violations or use up all system
resources, causing the system to crash and lose backup capability.

While only moderately serious in itself, the bug could be a big
problem due to the way Backup Exec is typically used, according to the
SANS Institute's Internet Storm Center (ISC). "Considering that this
is typically used for backups of critical data, the severity could be
pretty high," wrote handler Bojan Zdrnja on the ISC website. "It's
easy to imagine a scenario when you need business critical data that
was supposed to be backed up yesterday, but it wasn't due to the
Backup Exec crashing."

Affected versions include Backup Exec 10.x and 9.x and Backup Exec
Remote Agent 10.x and 9.x for Windows Servers (RAWS).

Ordinarily, companies could solve the problem simply by applying
Symantec's patch. In this case, though, there are two complications:
first, some users have reported problems after installing some of the
patches, according to the ISC; second, some of the patches are no
longer available, having been withdrawn by Symantec.

The company withdrew two RAWS patches, affecting different versions of
Remote Agent for Windows Servers, and said in an advisory that they
would be re-released "shortly". Patches for Remote Agent for Linux and
Unix Servers (RALUS) are all available.

Symantec also warned of a low-risk bug in the Job Engine service,
which can only be exploited under particular conditions.
