Backup software flaws pose risk

EMC warns of bugs in NetWorker, while code that takes advantage of a flaw in Veritas' NetBackup product has been released on the Net.

Two makers of backup software are dealing with security holes that could let an outsider hijack customers' systems.

EMC has issued patches for flaws in its NetWorker product, while code that takes advantage of a known vulnerability in Veritas' NetBackup has been publicly released.

Customers were warned Monday that there are three bugs in NetWorker. One may result in a system crash, which would lead to a denial of service. The other two could assist an unauthorized user to commandeer the computer running the vulnerable backup and data recovery software, the company said in a security alert.

EMC has a fix out for NetWorker 7.2.1. Other versions, specifically NetWorker 7.1.4 and 7.3, are not at risk because the necessary code changes have already been made, the company said. To date, there are no reported attacks that exploit the flaws, EMC noted. The three vulnerabilities were outlined by security company iDefense on Tuesday.

By contrast, companies that use Veritas NetBackup are more likely to face attacks. Earlier this week, computer code that takes advantage of a known vulnerability in the software was publicly posted on the Internet by the French Security Incident Response Team, a security intelligence provider.

"Immediately after the FrSIRT public release of the exploit against Veritas NetBackup, scanning for TCP/13701 started to increase dramatically," the SANS Internet Storm Center, which tracks network threats, said Wednesday. (TCP/13701 is the port used by the malicious code in its attack.)

The NetBackup vulnerability was disclosed in November, also by iDefense. A buffer overflow vulnerability exists in a shared component of the backup product. A successful attack could cause the vulnerable software to crash or give an outsider control over the system, according to a Symantec alert. Symantec acquired Veritas Software last year.

Patches for NetBackup are available. The affected software are versions 5.0.0 and 5.1.0 of the NetBackup Client, NetBackup Enterprise Server and NetBackup Server, according to Symantec.

Data backup tools have become easy targets for attackers, the SANS Institute said last year in a security update. Serious security vulnerabilities have been disclosed in products from several vendors, including Computer Associates and Veritas.

Featured Video
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

Microsoft enters the laptop game with the hybrid Surface Book

This powerful 13.5-inch laptop include Nvidia graphics and a new hybrid hinge.

by Dan Ackman