Wow, this is hard to stomach. CERT is reporting TA05-224A: “VERITAS BackupExec Uses Hard-Coded Authentication Credentials”. It’s astonishing that any company could be so stupid as to ship a product that still uses hard-coded credentials; it’s a wonder that it’s taken this long for an exploit to start circulating. (Note that this is different than the vuln-o-rama announced last month.)
According to Symantec’s page on the vuln, only BE versions 8.0, 8.5, and 8.6 have the flaw. I’d bet that’s a significant portion of the installed base, so a) I hope they’re protected and b) I sure would feel more comfortable if the page also said “hey, don’t worry, we fixed the problem in BE 9”. My concern is that BE 9.x and 10.x have the same, or similar, problem but that attackers haven’t found the creds yet.
Update: Symantec updated the vuln page last night with this additional page. Turns out that BE 9.0, 9.1, and 10.0 are vulnerable too. Sheesh. Making things worse, to fix the remote agent you have to uninstall the remote agent, reboot, install the new version of the agent, and reboot again. There’s no hotfix.