Date: Tue, 15 Apr 2003 13:41:32 -0700
From: Marcus Beaman <marcus.beaman@state.or.us>
To: bugtraq@securityfocus.com
Subject: Veritas BackupExec 9.0 may ship with upatched MS SQL Desktop Engine
I don't know if this is worth posting, but I've not seen it run across bugtraq yet, and we at the state found out the hard way:
-Marcus
<snip>
Veritas BackupExec 9.0 that recently shipped out on CD to registered owners (like us)
is vulnerable to the SQL Slammer worm.
http://seer.support.veritas.com/docs/254244.htm
For some reason, Veritas shipped the CDs with an old, unpatched version of MS
SQL Desktop Engine that is vulnerable. It took the worm less than two hours
to find the box I upgraded to BackupExec 9.0 on this morning and have it
spewing 20mb/sec onto the network (impressive for an old dual PPro 200).
If you know of anyone else running BackupExec on their servers, you may want
to warn them before they try to upgrade to the new version. BackupExec 8.x is
apparently not vulnerable unless it's also running the Network Storage
Executive.
-Greg
</snip>
