| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Oct 2008 15:50:48 -0400 (EDT) From: VR-Subscription-noreply@...urent.com To: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com Subject: Assurent VR - CA ARCserve Backup Tape Engine Denial of Service CA ARCserve Backup Tape Engine Denial of Service Assurent ID: FSC20081009-11 1. Affected Software CA ARCserve Backup 11.1 Windows CA ARCserve Backup 11.5 Windows CA ARCserve Backup 12.0 Windows Reference: http://www.ca.com/us/data-loss-prevention.aspx 2. Vulnerability Summary A vulnerability has been discovered in the Tape Engine component of CA ARCserve Backup. Insufficient input validation when processing remote procedure call (RPC) requests is the cause of this vulnerability. 3. Vulnerability Analysis A remote unauthenticated attacker can exploit this vulnerability by sending a crafted message to the target server on TCP port 6502. A successful attack could cause a denial of service condition for the Tape Engine and Media Server services. 4. Vulnerability Detection Assurent has confirmed the vulnerability in: CA ARCserve Backup 11.1 Windows CA ARCserve Backup 11.5 Windows CA ARCserve Backup 12.0 Windows 5. Workaround Apply the vendor patch or block communication from untrusted networks to TCP port 6502. 6. Vendor Response CA has released a bulletin addressing this vulnerability. Reference: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143 7. Disclosure Timeline 2008-05-12 Reported to vendor 2008-05-14 Initial vendor response 2008-10-09 Coordinated public disclosure 8. Credits Vulnerability Research Team, Assurent Secure Technologies, a TELUS company 9. References CVE: CVE-2008-4398 Vendor: 188143 10. About Assurent VRS Assurent's Vulnerability Research Service (VRS) for security product vendors, and Threat Protection Programs (TPP) for MSPs and enterprise security teams, help to eliminate the significant costs incurred by security product vendors, MSPs, and enterprise security teams in responding to and managing critical new security vulnerabilities and other threats including worm & virus outbreaks and other malware. The VRS and TPP services are real-time feeds providing subscribers with detailed analysis of the top security vulnerabilities, focused on the specific needs of each group of customers. http://www.assurent.com/index.php?id=17 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists