Design error leads to security vulnerability that could put corporate networks at risk of attack.
By exploiting the flaw, an attacker could get remote access and download arbitrary files, the software maker said in an advisory released on Friday. Symantec last month closed its acquisition of Veritas.
The flaw is due to a design error, the French Security Incident Response Team said in an alert. A component of the software can be accessed via a static password, according to FrSIRT, which rates the issue as "critical." An exploit for the flaw is available on the Internet, and that could aid attackers.
Affected are the backup servers for Veritas Backup Exec, media servers running the Veritas NetWare Media Server Option, and systems running the remote agents for Windows, Unix and Linux servers, Symantec said. The Remote Agent is used to trigger backup of data.
Symantec urges users of the affected products to apply the available fixes. As a temporary work-around, the vendor advises blocking external access to TCP port 10000, which is used by the flawed component.
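One way to verify that the port 10000 work-around is actually in effect on a Linux host running the remote agent, as an added example that is not from Symantec's advisory. It assumes the host is filtered with iptables, that the backup server must still be allowed to reach the agent, and that the rule sets, the 10.0.5.20 server address and the function names are constructed for illustration; only a small subset of `iptables-save` syntax is handled.

```python
import ipaddress
import shlex

PORT = 10000  # TCP port used by the flawed component, per the advisory
SUPPORTED = {"-s", "-p", "-m", "--dport", "-j"}

def verdict(rules_text, src_ip, dport=PORT):
    """First-match result of the INPUT chain for a TCP packet from src_ip."""
    src = ipaddress.ip_address(src_ip)
    policy = "ACCEPT"
    for line in map(str.strip, rules_text.splitlines()):
        if line.startswith(":INPUT "):
            policy = line.split()[1]      # chain default, used if no rule matches
        if not line.startswith("-A INPUT"):
            continue
        tok = shlex.split(line)[2:]
        opts = dict(zip(tok[0::2], tok[1::2]))
        if set(opts) - SUPPORTED:
            raise ValueError(f"unsupported match, review by hand: {line}")
        if opts.get("-p", "tcp") != "tcp":
            continue
        if int(opts.get("--dport", dport)) != dport:
            continue
        if "-s" in opts and src not in ipaddress.ip_network(opts["-s"], strict=False):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]             # first terminating match wins
    return policy

def workaround_in_place(rules_text, backup_server, outside_probe):
    """True if the backup server reaches the port and an outside address does not."""
    return (verdict(rules_text, backup_server) == "ACCEPT"
            and verdict(rules_text, outside_probe) != "ACCEPT")

# Constructed rule sets (not from the advisory). 10.0.5.20 is a made-up backup server.
GOOD_RULES = """:INPUT ACCEPT [0:0]
-A INPUT -s 10.0.5.20/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j DROP
"""
# Same DROP rule, but a broad ACCEPT placed before it shadows the block.
WEAK_RULES = """:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j DROP
"""

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("weak", WEAK_RULES)):
        print(name, workaround_in_place(rules, "10.0.5.20", "203.0.113.10"))
```

The second rule set shows why the presence of a DROP rule for the port is not enough: rule order decides whether outside traffic ever reaches it.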
This is the second serious security issue that has affected Veritas products in recent months. Data backup tools have become easy targets for attackers, the SANS Institute said in its most recent quarterly security update. Serious security vulnerabilities have also been disclosed in products from Computer Associates.