[<prev] [next>] [day] [month] [year] [list]
Message-ID: <649CDCB56C88AA458EFF2CBF494B620402653374@USILMS12.ca.com>
Date: Thu, 15 Mar 2007 20:31:44 -0400
From: "Williams, James K" <James.Williams@...com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: [CAID 34817, 35058, 35158,
35159]: CA BrightStor ARCserve Backup Tape Engine and Portmapper
Vulnerabilities
Title: [CAID 34817, 35058, 35158, 35159]: CA BrightStor ARCserve
Backup Tape Engine and Portmapper Vulnerabilities
CA Vuln ID (CAID): 34817, 35058, 35158, 35159
CA Advisory Date: 2007-03-15
Reported By: McAfee
Impact: Remote attackers can cause a denial of service or
potentially execute arbitrary code.
Summary: CA BrightStor ARCserve Backup contains four
vulnerabilities that can allow a remote attacker to cause a denial
of service or possibly execute arbitrary code. CA has issued
patches to address the vulnerabilities. The first vulnerability,
CVE-2006-6076, is due to insufficient bounds checking in the Tape
Engine, which can result in a buffer overflow and arbitrary code
execution. The second vulnerability, CVE-2007-0816, is related to
how invalid parameters are handled by the portmapper (catirpc.dll)
service. By sending a specially crafted request, a remote attacker
can crash the service. The third vulnerability, CVE-2007-1447, is
due to a memory corruption issue that occurs during processing of
RPC procedure arguments by the Tape Engine. The vulnerability can
result in a denial of service, and can potentially be exploited to
execute arbitrary code. The fourth vulnerability, CVE-2007-1448,
is due to the presence of an RPC function that, when called, will
disable the Tape Engine interface. A remote attacker can make a
request that will effectively shut down Tape Engine functionality.
Mitigating Factors: None
Severity: CA has given these vulnerabilities a High risk rating.
Affected Products:
BrightStor Products:
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup for Windows r11
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
CA Protection Suites r2:
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business
Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business
Server Premium Edition r2
Affected Platforms:
Windows
Status and Recommendation:
Customers using vulnerable versions of BrightStor ARCserve Backup
should upgrade with the latest patches, which are available for
download from http://supportconnect.ca.com.
BrightStor ARCserve Backup r11.5 - QO86255
BrightStor ARCserve Backup r11.1 - QO86258
BrightStor ARCserve Backup r11.0 - QI82917
BrightStor Enterprise Backup r10.5 - QO86259
BrightStor ARCserve Backup v9.01 - QO86260
How to determine if the installation is affected:
1. Using Windows Explorer, locate the files "tapeng.dll" and
"catirpc.dll". By default, the files are located in the
"C:\Program Files\CA\BrightStor ARCserve Backup" directory.
2. Right click on each of the files and select Properties.
3. Select the General tab.
4. If either file timestamp is earlier than what is indicated in
the table below, the installation is vulnerable.
File Name Timestamp File Size
catirpc.dll 02/12/2007 10:55:14 102400 bytes
tapeeng.dll 02/02/2007 17:05:00 876627 bytes
Workaround:
To reduce exposure, block unauthorized access to ports 6502 (TCP)
and 111 (UDP).
References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Security Notice for BrightStor ARCserve Backup Tape Engine and
Portmapper
http://supportconnectw.ca.com/public/storage/infodocs/babtapeng-securitynotice.asp
Solution Document Reference APARs:
QO86255, QO86258, QI82917, QO86259, QO86260
CA Security Advisor posting:
CA BrightStor ARCserve Backup Tape Engine and Portmapper
Vulnerabilities
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317
CAID: 34817, 35058, 35158, 35159
CAID Advisory links:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34817
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35058
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35158
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35159
Reported By: McAfee
McAfee advisory:
http://www.mcafee.com/us/threat_center/security_advisories.html
CVE References: CVE-2006-6076, CVE-2007-0816, CVE-2007-1447,
CVE-2007-1448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1448
OSVDB Reference: OSVDB-32989, OSVDB-32990, OSVDB-32991,
OSVDB-30637
http://osvdb.org/32989
http://osvdb.org/32990
http://osvdb.org/32991
http://osvdb.org/30637
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.
For technical questions or comments related to this advisory, please
send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability"
form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx
Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, One CA Plaza, Islandia, NY 11749
Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2007 CA. All rights reserved.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists