Date: Wed, 21 Mar 2012 20:34:12 +0000
From: "Kotas, Kevin J" <Kevin.Kotas@...com>
To: "'bugtraq@...urityfocus.com' \(bugtraq@...urityfocus.com\)" <bugtraq@...urityfocus.com>
Subject: CA20120320-01: Security Notice for CA ARCserve Backup

-----BEGIN PGP SIGNED MESSAGE-----

CA20120320-01: Security Notice for CA ARCserve Backup

Issued: March 20, 2012

CA Technologies Support is alerting customers to a potential risk
with CA ARCserve Backup for Windows. A vulnerability exists that can
allow a remote attacker to cause a denial of service condition. CA
Technologies has issued fixes to address the vulnerability.

The vulnerability, CVE-2012-1662, occurs due to insufficient
validation of certain network requests. An attacker can potentially
use the vulnerability to disable network services.

Risk Rating

Medium

Platform

Windows

Affected Products

CA ARCserve Backup for Windows r12.0, r12.0 SP1, r12.0 SP2
CA ARCserve Backup for Windows r12.5, r12.5 SP1
CA ARCserve Backup for Windows r15, r15 SP1
CA ARCserve Backup for Windows r16

Non-Affected Products

CA ARCserve Backup for Windows r12.5 SP2
CA ARCserve Backup for Windows r16 SP1

How to determine if the installation is affected

CA ARCserve Backup for Windows r12.5:

Run the ARCserve Backup Manager. From the Windows Start menu, the
program can be found under Programs->CA->ARCserve Backup->Manager.
Click Help->About CA ARCserve Backup. This screen will indicate the
service pack level. If the displayed service pack level is prior to
SP2, the installation is vulnerable.

CA ARCserve Backup for Windows r15:

1. Run the ARCserve Patch Management utility. From the Windows
Start menu, the program can be found under Programs->CA->ARCserve
Patch Management->Patch Status.

2. The main patch status screen will indicate if the patch in the
below table is applied. If the patch is not applied, then the
installation is vulnerable.

Product
Patch

CA ARCserve Backup for Windows r15:
RO42050

For more information on the ARCserve Patch Management utility,
read document TEC446265.

CA ARCserve Backup for Windows r16.0:

Run the ARCserve Backup Manager. From the Windows Start menu, the
program can be found under Programs->CA->ARCserve Backup->Manager.
Click Help->About CA ARCserve Backup. This screen will indicate the
service pack level. If the displayed service pack level is prior to
SP1, the installation is vulnerable.

Solution

CA ARCserve Backup for Windows r12.0:
Update to CA ARCserve Backup for Windows r16 SP1.

CA ARCserve Backup for Windows r12.5:
Update to r12.5 service pack 2 with RO35881.

CA ARCserve Backup for Windows r15:
Install RO42050.

CA ARCserve Backup for Windows r16:
Update to r16 service pack 1 with RO35289.

References

CVE-2012-1662 - ARCserve Backup denial of service

CA20120320-01: Security Notice for CA ARCserve Backup
(url line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7
b983E3A52-8374-410A-82BD-B8788733C70F%7d

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at http://support.ca.com/

If you discover a vulnerability in CA Technologies products,
please report your findings to the CA Technologies Product
Vulnerability Response Team:
(url line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=17
7782

Regards,

Kevin Kotas
CA Technologies Product Vulnerability Response Team

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBT2o60ZI1FvIeMomJAQFS2QgAqLVN1RfJSdRiDC0XsR7nBhuESrufQjub
o5S3XSJVvdDaZ8RxR14hA7hrzFukUhviZp0QuJ0U1+xcuzntvYWmKfKbrQDAISC2
CTU1NkN3/RLOaswOQKO08g9gr30zglhp0jztOYp9jv/s8V+ULF1Q7uymrnvGDzK4
9dlk8VHaXKbmgRX6L9GSr1IhX+0KzUJ8dqo+7PsLCrhcSnlmRQyOFSYU3SJcqyqM
nyky1lmdD/3Gc41Ee10/yHXR9F/yZKPlZpI2R12+9K3a8s1+je/Jtruoqw7D1aUb
ofNz5PiQBrGc+U+zIuAEiCekUONNrZ9palWZs2EiIZbtvxmhz9CKww==
=3zDm
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists