Multiple vulnerabilities have been reported in VERITAS Backup Exec for Windows and NetWare, which can be exploited by malicious users to gain escalated privileges, or by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

1) A NULL pointer dereference errors in Remote Agent when handling request packets can be exploited to crash the application via a request packet containing an invalid "Error Status" value.

2) A NULL pointer dereference errors in Remote Agent when handling request packets can be exploited to crash the application via a specially crafted request packet.

3) A boundary error in Remote Agent when processing authentication requests can be exploited to cause a stack-based buffer overflow via a CONNECT_CLIENT_AUTH request containing an overly long string as password in the Windows user credentials.

Successful exploitation allows execution of arbitrary code.

4) An access control error in an RPC endpoint can be exploited to gain "Administrator" privileges over a vulnerable system's registry by connecting to the endpoint.

The vulnerability only affects the Windows version.

5) An unspecified boundary error in the Web Administration Console when processing user credentials can be exploited to cause a buffer overflow.

Successful exploitation allows execution of arbitrary code, but only affects the Windows version.

6) An unspecified boundary error in the Admin Plus Pack Option can be exploited to cause a heap-based buffer overflow.

Successful exploitation allows execution of arbitrary code, but only affects the Windows version.

7) An error can be exploited by unprivileged users to gain SYSTEM privileges by copying the handle used by the Backup Exec Remote Agent.

Solution
Apply patches.
Further details available in Customer Area

Provided and/or discovered by
1) Discovered by anonymous person and reported via iDEFENSE.
2) Sebastian Apelt
3) Discovered by anonymous person and reported via iDEFENSE.
4) Pedram Amini, iDEFENSE Labs.
5) Mark Litchfield, NGSSoftware.
6) Mark Litchfield, NGSSoftware.
7) Reported by vendor.

Changelog
Further details available in Customer Area

Original Advisory
VERITAS:
http://seer.support.veritas.com/docs/277428.htm

iDEFENSE:
http://www.idefense.com/application/poi/display?id=269&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=270&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=271&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area