January 18, 2006 5:46 PM PST

Backup software flaws pose risk

Two makers of backup software are dealing with security holes that could let an outsider hijack customers' systems.

EMC has issued patches for flaws in its NetWorker product, while code that takes advantage of a known vulnerability in Veritas' NetBackup has been publicly released.

Customers were warned Monday that there are three bugs in NetWorker. One may result in a system crash, which would lead to a denial of service. The other two could assist an unauthorized user to commandeer the computer running the vulnerable backup and data recovery software, the company said in a security alert.

EMC has a fix out for NetWorker 7.2.1. Other versions, specifically NetWorker 7.1.4 and 7.3, are not at risk because the necessary code changes have already been made, the company said. To date, there are no reported attacks that exploit the flaws, EMC noted. The three vulnerabilities were outlined by security company iDefense on Tuesday.

By contrast, companies that use Veritas NetBackup are more likely to face attacks. Earlier this week, computer code that takes advantage of a known vulnerability in the software was publicly posted on the Internet by the French Security Incident Response Team, a security intelligence provider.

"Immediately after the FrSIRT public release of the exploit against Veritas NetBackup, scanning for TCP/13701 started to increase dramatically," the SANS Internet Storm Center, which tracks network threats, said Wednesday. (TCP/13701 is the port used by the malicious code in its attack.)

The NetBackup vulnerability was disclosed in November, also by iDefense. A buffer overflow vulnerability exists in a shared component of the backup product. A successful attack could cause the vulnerable software to crash or give an outsider control over the system, according to a Symantec alert. Symantec acquired Veritas Software last year.

Patches for NetBackup are available. The affected software are versions 5.0.0 and 5.1.0 of the NetBackup Client, NetBackup Enterprise Server and NetBackup Server, according to Symantec.

Data backup tools have become easy targets for attackers, the SANS Institute said last year in a security update. Serious security vulnerabilities have been disclosed in products from several vendors, including Computer Associates and Veritas.

1 comment

Join the conversation!
Add your comment
in the san?
in the san?
Posted by freq (121 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.