Executive Summary

Title Symantec Backup Exec contains heap overflow in RPC interface
Name VU#213697 First vendor Publication 2007-07-11
Vendor VU-CERT Last vendor Modification 2007-07-11
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#213697

Symantec Backup Exec contains heap overflow in RPC interface


Symantec Backup Exec for Windows Servers contains a vulnerability that may allow a remote attacker to cause a denial of service or potentially execute arbitrary code on an affected system.

I. Description

Symantec Backup Exec for Windows Servers is a client/server based backup software solution. A heap buffer overflow vulnerability exists in the way one of the Remote Procedure Call (RPC) interfaces provided by this software handles requests using the ncacn_ip_tcp protocol. A remote attacker with the ability to connect to the affected service and supply a specially crafted packet could exploit this vulnerability.

II. Impact

A remote unauthenticated attacker may be able to cause the affected service to crash, resulting in a denial of service. Symantec reports that the attacker may also potentially be able to execute arbitrary code on the affected system.

III. Solution

Apply an update from the vendor

Symantec has published Symantec Security Advisory SYM07-015 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

You may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by the affected component (6106/tcp). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

Systems Affected

VendorStatusDate Updated
Symantec, Inc.Vulnerable11-Jul-2007




iDefense reported this vulnerability in iDefense PUBLIC ADVISORY: 07.11.07. They credit an anonymous researcher with reporting this vulnerability to them.

This document was written by Chad R Dougherty based on information supplied by Symantec and iDefense.

Other Information

Date Public07/11/2007
Date First Published07/11/2007 03:04:26 PM
Date Last Updated07/11/2007
CERT Advisory 
CVE NameCVE-2007-3509
Document Revision4

Original Source

Url : http://www.kb.cert.org/vuls/id/213697

CPE : Common Platform Enumeration

Application 3

Open Source Vulnerability Database (OSVDB)

Id Description
36111 Symantec Backup Exec for Windows RPC Crafted ncacn_ip_tcp Request Remote Over...

A remote overflow exists in Backup Exec for Windows. The RPC server fails to properly verify boundaries resulting in a heap-based overflow. With a specially crafted request, an attacker can cause a denial of service and a possibility for arbitrary code execution resulting in a loss of availability.

Nessus® Vulnerability Scanner

Date Description
2007-07-16 Name : Arbitrary code can be executed on the remote host.
File : symantec_backup_exec_rpc_heap_overflows2.nasl - Type : ACT_GATHER_INFO