VRT Advisories

VRT Rules 2005-06-30

Sourcefire VRT Certified Rules Update

Date: 2005-06-30


The Sourcefire Vulnerability Research Team (VRT) has learned of multiple serious vulnerabilities affecting Veritas Backup Exec Server and Agent Software.


US-CERT Vulnerability Note VU#352625 A vulnerability exists in the Veritas Backup Server handles DCERPC requests that attempt to alter registry values, enabling an attacker to modify the registry. The Backup Server accepts anonymous client requests, but fails to assign the appropriate privileges. This allows an attacker to perform privileged tasks on the server. One such task is altering registry values.

US-CERT Vulnerability Note VU#492105, CAN-2005-0773 A vulnerability exists in Veritas Backup Agent authentication software. This software uses Network Data Management Protocol (NDMP) to communicate between clients and servers. Authentication is required to successfully connect. Errors in processing the authentication credentials can give an attacker the opportunity to overflow a fixed length buffer which may lead to the execution of code of the attackers choosing on the affected host.

US-CERT Vulnerability Note VU#584505, CAN-2005-0771 The Veritas Backup Agent Exec provides backup software. Certain communications are done via the Network Data Management Protocol (NDMP). The agent does not properly handle malformed NDMP protocol requests. Exploitation of this issue is simple and can lead to a Denial of Service (DoS) for the agent.

Rules to detect attacks against these vulnerabilities are included in this rule pack and are identified as sids 3695 through 3812.

References: US-CERT Technical Cyber Security Alert TA05-180A http://www.us-cert.gov/cas/techalerts/TA05-180A.html

VERITAS Security Advisory for Backup Exec for Windows Servers and Backup Exec for NetWare Servers http://seer.support.veritas.com/docs/277428.htm

Rule Pack Summary:

For a complete list of new and modified rules, click here.


Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.