SupportConnect - Security Notice for CA ARCserve Backup Tape Engine and Portmapper

Security Notice for
CA ARCserve Backup Tape Engine and Portmapper

Last Updated: March 20, 2007

CA's customer support is alerting customers to multiple security risks with CA ARCserve Backup. Four vulnerabilities exist that can allow a remote attacker to cause a denial of service or possibly execute arbitrary code. CA has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2006-6076, is due to insufficient bounds checking in the Tape Engine, which can result in a buffer overflow and arbitrary code execution.

The second vulnerability, CVE-2007-0816, concerns how invalid parameters are handled by the portmapper (catirpc.dll) service. By sending a specially malformed request, a remote attacker can crash the service.

The third vulnerability, CVE-2007-1447, is due to a memory corruption occurring with the processing of RPC procedure arguments by the Tape Engine. The vulnerability can result in a denial of service, but potentially can be used to execute arbitrary code.

The fourth vulnerability, CVE-2007-1448, is due to the presence of a RPC function that when called, will disable the Tape Engine interface. A remote attacker can make a request that will effectively shut down Tape Engine functionality.

Risk Rating

High

Affected Products

CA ARCserve Backup r11.5
CA ARCserve Backup r11.1
CA ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
CA ARCserve Backup v9.01
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

How to determine if the installation is affected

  1. Using Windows Explorer, locate the files "tapeng.dll" and "catirpc.dll". By default, the files are located in the "C:\Program Files\CA\CA ARCserve Backup" directory.
  2. Right click on each of the files and select Properties.
  3. Select the General tab.
  4. If either file timestamp is earlier than indicated in the below table, the installation is vulnerable.

    File Name Timestamp File Size
    catirpc.dll 02/12/2007 10:55:14 102400 bytes
    tapeeng.dll 02/02/2007 17:05:00 876627 bytes

Solution

CA has issued the following patches to address the vulnerabilities.

CA ARCserve Backup r11.5 - QO86255
CA ARCserve Backup r11.1 - QO86926
CA ARCserve Backup r11.0 - QI82917
BrightStor Enterprise Backup r10.5 - QO86259
CA ARCserve Backup v9.01 - QO86260

Workaround

To reduce exposure, block unauthorized access to ports 6502 (TCP) and 111 (UDP).

References

CVE-2006-6076 Tape Engine buffer overflow
CVE-2007-0816 catirpc.dll denial of service
CVE-2007-1447 Tape Engine memory corruption
CVE-2007-1448 Disable Tape Engine

Acknowledgement

CA would like to thank McAfee for reporting issues CVE-2006-6076, CVE-2007-1447, and CVE-2007-1448.

If additional information is required, please contact CA Technical Support at http://supportconnect.ca.com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form at http://www3.ca.com/securityadvisor/vulninfo/submit.aspx.