Network Computing is part of the Informa Tech Division of Informa PLC

Symantec Backup Exec Flaw Could Invite Data Theft

Symantec on Friday published details of a vulnerability in its Backup Exec storage solution that could enable a remote attacker to gain full control over a machine and access confidential data stored on corporate networks.

Symantec confirmed that the issue affects versions 9.1 and 9.2 of Symantec Backup Exec for NetWare Servers with Remote Agent for Windows Servers.

Cupertino, Calif.-based Symantec has released fixes for the NetWare issues and is looking into reports that the flaw also affects Backup Exec for Windows Servers, Backup Exec Continuous Protection Server (CPS) Remote Agent and other Backup Exec Remote Agents, according to a DeepSight Threat Management system bulletin.

The vulnerability affects the remote procedure call (RPC) interfaces of Backup Exec and could enable a remote attacker to send malicious code to the application and potentially gain complete control over the targeted machine. Even if the efforts were unsuccessful, the calls could result in a denial-of-service attack on the targeted system, Symantec said.

The RPC protocol, which allows an application running on one PC to execute a subroutine on another computer, was used by the 2003 Blaster worm to shut down Windows PCs without any user interaction.
