__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                  INFORMATION BULLETIN

CA BrightStor ARCserve Backup Tape Engine and Portmapper Vulnerabilities
[CA Vuln ID (CAID): 34817, 35058, 35158, 35159]

March 22, 2007 15:00 GMT                                  Number R-185
______________________________________________________________________________
PROBLEM:       CA BrightStor ARCserve Backup contains four vulnerabilities
               that can allow a remote attacker to cause a denial of
               service or possibly execute arbitrary code.
PLATFORM:      Affected Products:
               BrightStor Products:
                 BrightStor ARCserve Backup r11.5
                 BrightStor ARCserve Backup r11.1
                 BrightStor ARCserve Backup for Windows r11
                 BrightStor Enterprise Backup r10.5
                 BrightStor ARCserve Backup v9.01
               CA Protection Suites r2:
                 CA Server Protection Suite r2
                 CA Business Protection Suite r2
                 CA Business Protection Suite for Microsoft Small
                   Business Server Standard Edition r2
                 CA Business Protection Suite for Microsoft Small
                   Business Server Premium Edition r2
               Affected Platforms:
                 Windows
DAMAGE:        Can allow a remote attacker to cause a denial of service
               or possibly execute arbitrary code.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Can allow a remote attacker to cause a
ASSESSMENT:    denial of service or possibly execute arbitrary code.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-185.shtml
 ORIGINAL BULLETIN:  http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2006-6076 CVE-2007-0816 CVE-2007-1447 CVE-2007-1448
______________________________________________________________________________
[***** Start CA Vuln ID (CAID): 34817, 35058, 35158, 35159 *****]

CA BrightStor ARCserve Backup Tape Engine and Portmapper Vulnerabilities

On March 15, 2007, CA published a security notice to address multiple
vulnerabilities in BrightStor ARCserve Backup.

Title: [CAID 34817, 35058, 35158, 35159]: CA BrightStor ARCserve Backup
Tape Engine and Portmapper Vulnerabilities

CA Vuln ID (CAID): 34817, 35058, 35158, 35159

CA Advisory Date: 2007-03-15

Reported By: McAfee

Impact: Remote attackers can cause a denial of service or potentially
execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains four vulnerabilities
that can allow a remote attacker to cause a denial of service or
possibly execute arbitrary code. CA has issued patches to address the
vulnerabilities.
The first vulnerability, CVE-2006-6076, is due to insufficient bounds
checking in the Tape Engine, which can result in a buffer overflow and
arbitrary code execution.
The second vulnerability, CVE-2007-0816, is related to how invalid
parameters are handled by the portmapper (catirpc.dll) service. By
sending a specially crafted request, a remote attacker can crash the
service.
The third vulnerability, CVE-2007-1447, is due to a memory corruption
issue that occurs during processing of RPC procedure arguments by the
Tape Engine. The vulnerability can result in a denial of service, and
can potentially be exploited to execute arbitrary code.
The fourth vulnerability, CVE-2007-1448, is due to the presence of an
RPC function that, when called, will disable the Tape Engine interface.
A remote attacker can make a request that will effectively shut down
Tape Engine functionality.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:
BrightStor Products:
   BrightStor ARCserve Backup r11.5
   BrightStor ARCserve Backup r11.1
   BrightStor ARCserve Backup for Windows r11
   BrightStor Enterprise Backup r10.5
   BrightStor ARCserve Backup v9.01
CA Protection Suites r2:
   CA Server Protection Suite r2
   CA Business Protection Suite r2
   CA Business Protection Suite for Microsoft Small Business Server
      Standard Edition r2
   CA Business Protection Suite for Microsoft Small Business Server
      Premium Edition r2

Affected Platforms:
Windows

Status and Recommendation:
Customers using vulnerable versions of BrightStor ARCserve Backup
should upgrade with the latest patches, which are available for
download from http://supportconnect.ca.com.
BrightStor ARCserve Backup r11.5 - QO86255
BrightStor ARCserve Backup r11.1 - QO86258
BrightStor ARCserve Backup r11.0 - QI82917
BrightStor Enterprise Backup r10.5 - QO86259
BrightStor ARCserve Backup v9.01 - QO86260

How to determine if the installation is affected:
1. Using Windows Explorer, locate the files "tapeeng.dll" and
   "catirpc.dll". By default, the files are located in the
   "C:\Program Files\CA\BrightStor ARCserve Backup" directory.
2. Right click on each of the files and select Properties.
3. Select the General tab.
4. If either file timestamp is earlier than what is indicated in the
   table below, the installation is vulnerable.

   File Name      Timestamp              File Size
   catirpc.dll    02/12/2007 10:55:14    102400 bytes
   tapeeng.dll    02/02/2007 17:05:00    876627 bytes

Workaround:
To reduce exposure, block unauthorized access to ports 6502 (TCP) and
111 (UDP).

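The file check in steps 1-4 above can be scripted so it can be run across many backup servers; the following PowerShell is an added example, not part of the CA or CIAC advisory. It assumes the default install directory named in step 1, that "file timestamp" means the file's Modified time, and that the table's timestamps are MM/dd/yyyy in the host's local time (the advisory states no time zone).

```powershell
# Added example: compares tapeeng.dll and catirpc.dll with the advisory's table.
# Assumptions: default install path; "timestamp" = Modified (LastWriteTime);
# table values are MM/dd/yyyy HH:mm:ss in the host's local time.
param(
    [string]$InstallDir = 'C:\Program Files\CA\BrightStor ARCserve Backup'
)

# Patched-build timestamps and sizes, copied from the advisory's table.
$Baseline = @(
    @{ Name = 'catirpc.dll'; Stamp = '02/12/2007 10:55:14'; Size = 102400 },
    @{ Name = 'tapeeng.dll'; Stamp = '02/02/2007 17:05:00'; Size = 876627 }
)

$culture = [System.Globalization.CultureInfo]::InvariantCulture
$results = foreach ($entry in $Baseline) {
    $path = Join-Path -Path $InstallDir -ChildPath $entry.Name
    $min  = [datetime]::ParseExact($entry.Stamp, 'MM/dd/yyyy HH:mm:ss', $culture)
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

    if (-not $file) {
        $status = 'NOT FOUND'         # product absent or installed elsewhere
    } elseif ($file.LastWriteTime -lt $min) {
        $status = 'VULNERABLE'        # older than the patched build (step 4)
    } else {
        $status = 'PATCHED OR NEWER'
    }

    [pscustomobject]@{
        File         = $entry.Name
        Status       = $status
        LastWrite    = if ($file) { $file.LastWriteTime } else { $null }
        RequiredMin  = $min
        Size         = if ($file) { $file.Length } else { $null }
        AdvisorySize = $entry.Size    # reported for reference only
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or inventory tool flag the host.
if ($results.Status -contains 'VULNERABLE') { exit 1 } else { exit 0 }
```

A 'NOT FOUND' result only means the files are not in the given directory; pass -InstallDir when the product was installed to a non-default path.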

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Security Notice for BrightStor ARCserve Backup Tape Engine and
Portmapper
http://supportconnectw.ca.com/public/storage/infodocs/babtapeng-securitynotice.asp
Solution Document Reference APARs:
QO86255, QO86258, QI82917, QO86259, QO86260
CA Security Advisor posting:
CA BrightStor ARCserve Backup Tape Engine and Portmapper
Vulnerabilities
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317
CAID: 34817, 35058, 35158, 35159
CAID Advisory links:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34817
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35058
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35158
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35159
Reported By:
McAfee
McAfee advisory:
http://www.mcafee.com/us/threat_center/security_advisories.html
CVE References:
CVE-2006-6076, CVE-2007-0816, CVE-2007-1447, CVE-2007-1448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1448
OSVDB Reference:
OSVDB-32989, OSVDB-32990, OSVDB-32991, OSVDB-30637
http://osvdb.org/32989
http://osvdb.org/32990
http://osvdb.org/32991
http://osvdb.org/30637

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please
send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a
Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

[***** End CA Vuln ID (CAID): 34817, 35058, 35158, 35159 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CA BrightStor for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government.
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, express or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product, or
process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer,
or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of
the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.