SupportConnect - Security Notice for CA products running the Alert service

Security Notice for CA products running the Alert service

Issued: July 17th, 2007
Updated: March 19th, 2007

CA's customer support is alerting customers to security risks in CA products that implement the Alert service. Multiple vulnerabilities exist that can allow a remote attacker to cause a denial of service or execute arbitrary code. CA has issued an update to address the vulnerabilities.

The vulnerabilities, CVE-2007-3825, are due to insufficient bounds checking on received data by certain RPC procedures. An attacker can cause a buffer overflow, which can lead to arbitrary code execution or service failure.

Risk Rating

High

Affected Products

CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Protection Suites r3
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01

How to determine if the installation is affected

For products on Windows:

  1. Using Windows Explorer, locate the file "alert.exe". By default, the file is located in the "C:\Program Files\CA\SharedComponents\Alert" directory.

  2. Right click on the file and select Properties.

  3. Select the Version tab.

  4. If the file version is earlier than indicated in the below table, the installation is vulnerable.

    File Name File Version
    alert.exe 8.0.255.0

Solution

CA has provided an update to address the vulnerabilities. The updated Alert service must be manually installed.

For CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8, CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8,
CA Protection Suites r3:
apply QO89817.

A patch is currently not available for BrightStor ARCserve Backup.

Workaround

As a temporary workaround, disable the Alert Notification Server service. Please note that the following alert functionality will be disabled:

  • Email, Printer, SNMP, SMTP, and broadcast alerts

  • Any configured alerts

  • Alerts configured for reports and Server Admin

References

CVE-2007-3825 Multiple Alert buffer overflows

Acknowledgement

CVE-2007-3825 - An anonymous researcher working with the iDefense VCP.

Change History

Version 1.0: Initial Release
Version 1.1: Added CA Anti-Virus for the Enterprise to Affected Products
Version 1.2: Removed BrightStor ARCserve Client agent for Windows from Affected Products
Version 1.3: Changed solution information for BrightStor ARCserve Backup

If additional information is required, please contact CA Technical Support at http://supportconnect.ca.com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form at https://www.ca.com/us/securityadvisor/vulninfo/submit.aspx.