<<< Date Index >>>     <<< Thread Index >>>

[CAID 34817, 35058, 35158, 35159]: CA BrightStor ARCserve Backup Tape Engine and Portmapper Vulnerabilities



Title: [CAID 34817, 35058, 35158, 35159]: CA BrightStor ARCserve 
Backup Tape Engine and Portmapper Vulnerabilities

CA Vuln ID (CAID): 34817, 35058, 35158, 35159

CA Advisory Date: 2007-03-15

Reported By: McAfee

Impact: Remote attackers can cause a denial of service or 
potentially execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains four 
vulnerabilities that can allow a remote attacker to cause a denial 
of service or possibly execute arbitrary code. CA has issued 
patches to address the vulnerabilities. The first vulnerability, 
CVE-2006-6076, is due to insufficient bounds checking in the Tape 
Engine, which can result in a buffer overflow and arbitrary code 
execution. The second vulnerability, CVE-2007-0816, is related to 
how invalid parameters are handled by the portmapper (catirpc.dll) 
service. By sending a specially crafted request, a remote attacker 
can crash the service. The third vulnerability, CVE-2007-1447, is 
due to a memory corruption issue that occurs during processing of 
RPC procedure arguments by the Tape Engine. The vulnerability can 
result in a denial of service, and can potentially be exploited to 
execute arbitrary code. The fourth vulnerability, CVE-2007-1448, 
is due to the presence of an RPC function that, when called, will 
disable the Tape Engine interface. A remote attacker can make a 
request that will effectively shut down Tape Engine functionality.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:
BrightStor Products:
   BrightStor ARCserve Backup r11.5
   BrightStor ARCserve Backup r11.1
   BrightStor ARCserve Backup for Windows r11
   BrightStor Enterprise Backup r10.5
   BrightStor ARCserve Backup v9.01
CA Protection Suites r2:
   CA Server Protection Suite r2
   CA Business Protection Suite r2
   CA Business Protection Suite for Microsoft Small Business 
      Server Standard Edition r2
   CA Business Protection Suite for Microsoft Small Business 
      Server Premium Edition r2

Affected Platforms:
Windows

Status and Recommendation:
Customers using vulnerable versions of BrightStor ARCserve Backup 
should upgrade with the latest patches, which are available for 
download from http://supportconnect.ca.com.
BrightStor ARCserve Backup r11.5 - QO86255
BrightStor ARCserve Backup r11.1 - QO86258
BrightStor ARCserve Backup r11.0 - QI82917
BrightStor Enterprise Backup r10.5 - QO86259
BrightStor ARCserve Backup v9.01 - QO86260

How to determine if the installation is affected:
1. Using Windows Explorer, locate the files "tapeng.dll" and 
   "catirpc.dll". By default, the files are located in the 
   "C:\Program Files\CA\BrightStor ARCserve Backup" directory.
2. Right click on each of the files and select Properties.
3. Select the General tab.
4. If either file timestamp is earlier than what is indicated in 
   the table below, the installation is vulnerable.

File Name      Timestamp              File Size
catirpc.dll    02/12/2007 10:55:14    102400 bytes
tapeeng.dll    02/02/2007 17:05:00    876627 bytes

Workaround:
To reduce exposure, block unauthorized access to ports 6502 (TCP) 
and 111 (UDP).

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Security Notice for BrightStor ARCserve Backup Tape Engine and 
   Portmapper
http://supportconnectw.ca.com/public/storage/infodocs/babtapeng-securitynotice.asp
Solution Document Reference APARs:
QO86255, QO86258, QI82917, QO86259, QO86260
CA Security Advisor posting:
CA BrightStor ARCserve Backup Tape Engine and Portmapper 
   Vulnerabilities
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317
CAID: 34817, 35058, 35158, 35159
CAID Advisory links:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34817
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35058
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35158
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35159
Reported By: McAfee
McAfee advisory:
http://www.mcafee.com/us/threat_center/security_advisories.html
CVE References: CVE-2006-6076, CVE-2007-0816, CVE-2007-1447, 
   CVE-2007-1448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1448
OSVDB Reference: OSVDB-32989, OSVDB-32990, OSVDB-32991, 
   OSVDB-30637
http://osvdb.org/32989
http://osvdb.org/32990
http://osvdb.org/32991
http://osvdb.org/30637

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please
send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability"
form. 
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza, Islandia, NY 11749
        
Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2007 CA. All rights reserved.