Title: [CAID 35198, 35276]: CA BrightStor ARCserve Backup Media Server Vulnerabilities CA Vuln ID (CAID): 35198, 35276 CA Advisory Date: 2007-04-24 Reported By: ZDI Impact: Remote attackers can cause a denial of service or potentially execute arbitrary code. Summary: CA BrightStor ARCserve Backup Media Server contains multiple vulnerabilities that can allow a remote attacker to cause a denial of service or possibly execute arbitrary code. CA has issued patches to address the vulnerabilities. The first vulnerability, CVE-2007-1785, addresses an issue with the processing of an object handle. The second vulnerability, CVE-2007-2139, is due to insufficient bounds checking. In both cases, a remote unauthenticated attacker can execute arbitrary code with escalated privileges. Mitigating Factors: None Severity: CA has given these vulnerabilities a High risk rating. Affected Products: BrightStor Products: BrightStor ARCserve Backup r11.5 BrightStor ARCserve Backup r11.1 BrightStor ARCserve Backup for Windows r11 BrightStor Enterprise Backup r10.5 BrightStor ARCserve Backup v9.01 CA Protection Suites r2: CA Server Protection Suite r2 CA Business Protection Suite r2 CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2 CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2 Affected Platforms: Windows Status and Recommendation: Customers using vulnerable versions of BrightStor ARCserve Backup should upgrade with the latest patches, which are available for download from http://supportconnect.ca.com. BrightStor ARCserve Backup r11.5 SP3 - QO87569 BrightStor ARCserve Backup r11.5 SP2 - QO87570 BrightStor ARCserve Backup r11.1 - QO87573 BrightStor ARCserve Backup r11.0 - QI82917 BrightStor Enterprise Backup r10.5 - QO87575 BrightStor ARCserve Backup v9.01 - QO87574 How to determine if the installation is affected: 1. Using Windows Explorer, locate the file "mediasvr.exe". 2. By default, the file is located in the "C:\Program Files\CA\BrightStor ARCserve Backup" directory. 3. Right click on the file and select Properties. 4. Select the General tab. 5. If the file timestamp is earlier than indicated in the table below, the installation is vulnerable. Product Version File Name Timestamp File Size r11.5 SP3 mediasvr.exe 04/03/2007 10:07:58 110592 r11.5 SP2 mediasvr.exe 04/03/2007 10:00:04 106496 r11.1 mediasvr.exe 04/03/2007 09:55:18 106496 r10.5 mediasvr.exe 04/03/2007 09:46:26 106496 v9.01 mediasvr.exe 04/03/2007 09:51:42 9830 Workaround: CA recommends that BrightStor ARCserve Backup users who cannot apply the patches at this time implement the following temporary workaround to mitigate the vulnerability: 1. Rename the "mediasvr.exe" file to a non-functional file name, such as "mediasvr.exe.disable". 2. Restart the CA BrightStor Tape Engine service. References (URLs may wrap): CA SupportConnect: http://supportconnect.ca.com/ CA SupportConnect Security Notice for this vulnerability: BrightStor ARCserve Backup Media Server Security Notice http://supportconnectw.ca.com/public/storage/infodocs/babmedser-secnotice.asp Solution Document Reference APARs: QO87569, QO87570, QO87573, QI82917, QO87575, QO87574 CA Security Advisor posting: CA BrightStor ARCserve Backup Media Server Vulnerabilities http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=136549 CAID: 35198, 35276 CAID Advisory links: http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35198 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35276 Reported By: ZDI ZDI Advisory: ZDI-07-022 http://www.zerodayinitiative.com/advisories/ZDI-07-022.html CVE References: CVE-2007-1785, CVE-2007-2139 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1785 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2139 OSVDB References: OSVDB-34126, OSVDB-34127 http://osvdb.org/34126 http://osvdb.org/34127 Changelog for this advisory: v1.0 - Initial Release Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form. URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2007 CA. All rights reserved.
