CVE-2005-0772 in Backup Exec
Summary
by MITRE
VERITAS Backup Exec 9.0 through 10.0 for Windows Servers, and 9.0.4019 through 9.1.307 for Netware, allows remote attackers to cause a denial of service (Remote Agent crash) via (1) a crafted packet in NDMLSRVR.DLL or (2) a request packet with an invalid (non-0) "Error Status" value, which triggers a null dereference.
Analysis
by VulDB Data Team • 06/08/2019
CVE-2005-0772 is a critical remote denial-of-service flaw affecting multiple versions of VERITAS Backup Exec. It affects the Windows Servers and Netware implementations of the backup product, creating a significant operational risk for organizations that rely on these systems for data protection. The flaw manifests in the NDMLSRVR.DLL component, which handles network communication for backup operations, making it a prime target for remote attackers seeking to disrupt critical backup services.
The technical exploitation of this vulnerability occurs through two distinct attack vectors that leverage buffer overflow conditions in the network protocol handling mechanisms. The first vector involves sending a crafted packet to the NDMLSRVR.DLL module, while the second exploits a malformed request packet containing an invalid non-zero "Error Status" value. Both attack methods result in a null pointer dereference, causing the Remote Agent process to crash and terminate unexpectedly. The vulnerability is classified as CWE-476 (NULL Pointer Dereference), a fundamental memory safety issue in software development practices.
The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise entire backup infrastructure operations. When the Remote Agent crashes, it prevents legitimate backup and restore operations from completing successfully, potentially leaving critical data unprotected or making recovery operations impossible during actual disaster scenarios. Organizations using affected versions of VERITAS Backup Exec may experience extended downtime while system administrators work to restore service, and the vulnerability could be exploited repeatedly to maintain persistent service disruption. The attack requires minimal privileges and can be executed remotely, making it particularly dangerous for network-connected backup servers that are often exposed to external network traffic.
Security professionals should consider this vulnerability in the context of the MITRE ATT&CK framework, specifically under the T1499 technique for Network Denial of Service, and T1071 for Application Layer Protocol usage. The vulnerability affects the availability aspect of the CIA triad, directly impacting system reliability and business continuity operations.
Organizations should implement immediate mitigations including network segmentation to isolate backup servers from untrusted networks, applying vendor security patches when available, and implementing intrusion detection systems to monitor for suspicious packet patterns targeting the affected NDMLSRVR.DLL component. Additionally, regular monitoring of backup system logs for agent crash events and implementing automated alerting mechanisms can help detect exploitation attempts and maintain operational awareness of potential compromise.
The vulnerability highlights the importance of proper input validation and memory management in enterprise backup solutions, emphasizing the need for robust software security practices throughout the development lifecycle to prevent such critical flaws from reaching production environments.
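The crash-event monitoring recommended above, as an added example (not VulDB's or the vendor's code): it scans a CSV export of the Windows System event log for Service Control Manager events 7031/7034 that name the Remote Agent service and flags hosts with repeated crashes in a short window. The service display name, the CSV column layout, the host names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumption: service display name as shown in the Services console; adjust per host.
AGENT_SERVICE = "Backup Exec Remote Agent for Windows Servers"
CRASH_EVENT_IDS = {7031, 7034}  # SCM "service terminated unexpectedly"

# Constructed sample of a System event log CSV export (not real data).
SAMPLE_EXPORT = '''TimeCreated,Host,Source,EventID,Message
2024-01-15 02:10:05,BKP01,Service Control Manager,7034,"The Backup Exec Remote Agent for Windows Servers service terminated unexpectedly. It has done this 1 time(s)."
2024-01-15 02:14:41,BKP01,Service Control Manager,7034,"The Print Spooler service terminated unexpectedly. It has done this 1 time(s)."
2024-01-15 02:18:30,BKP01,Service Control Manager,7034,"The Backup Exec Remote Agent for Windows Servers service terminated unexpectedly. It has done this 2 time(s)."
2024-01-15 02:29:12,BKP01,Service Control Manager,7034,"The Backup Exec Remote Agent for Windows Servers service terminated unexpectedly. It has done this 3 time(s)."
2024-01-15 09:00:00,BKP02,Service Control Manager,7034,"The Backup Exec Remote Agent for Windows Servers service terminated unexpectedly. It has done this 1 time(s)."
not-a-date,BKP02,Service Control Manager,7034,"The Backup Exec Remote Agent for Windows Servers service terminated unexpectedly. It has done this 2 time(s)."
'''

def parse_crashes(export_text, service=AGENT_SERVICE):
    """Return [(host, datetime)] for unexpected terminations of the agent service."""
    crashes = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            event_id = int(row["EventID"])
            when = datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, TypeError, ValueError):
            continue  # malformed or truncated row: skip rather than abort the scan
        message = (row.get("Message") or "").lower()
        if (row.get("Source") == "Service Control Manager"
                and event_id in CRASH_EVENT_IDS and service.lower() in message):
            crashes.append((row["Host"], when))
    return crashes

def find_crash_bursts(crashes, threshold=3, window=timedelta(minutes=30)):
    """Return {host: (first, last, count)} where count >= threshold inside window."""
    by_host = {}
    for host, when in crashes:
        by_host.setdefault(host, []).append(when)
    alerts = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, current in enumerate(times):
            while current - times[start] > window:  # slide window start forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(host, (None, None, 0))[2]:
                alerts[host] = (times[start], current, count)
    return alerts
```

A single crash can be an ordinary fault; the threshold and window target the repeated-crash pattern the analysis describes, and both should be tuned to the environment.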