
CA BrightStor ARCserve Backup Agent Protection

Attack ID: CPAI-2005-125
Publish Date:
Last Update:
Category: Remote Code Execution
Vulnerable Systems: BrightStor ARCserve Backup (BAB) r11.1 Windows
BrightStor ARCserve Backup 11 for Windows
BrightStor ARCserve Backup 9.0 Windows
BrightStor ARCserve Backup r11.1 (64-bit) for Windows
BrightStor ARCserve Backup r11.1 Client Agent for Windows
BrightStor ARCserve Backup Release 11 (64-bit) for Windows
BrightStor ARCserve Backup v9.01 Client Agent for Windows
BrightStor ARCserve Backup v9.01 Client Agent for Windows Non-English
BrightStor ARCserve Backup v9.01 for Windows (64bit edition)
BrightStor ARCserve Backup v9.01 for Windows Non-English
BrightStor Enterprise Backup 10.0
BrightStor Enterprise Backup 10.5
BrightStor Enterprise Backup v10.5 for Windows (64bit edition)

Source: US-CERT VU#279774

Description: Computer Associates BrightStor ARCserve Backup provides backup and recovery protection through Backup Agents for Windows server systems and for Linux, Mac OS X and UNIX client environments. A vulnerability in the Backup Agent for Microsoft SQL servers allows a remote attacker either to crash the Agent or to execute arbitrary code on the system running the vulnerable Backup Agent.

Severity:
Details:

The vulnerability exists specifically within the BrightStor ARCserve Backup Agent for SQL, a component of the BrightStor ARCserve Backup system that handles backups of Microsoft SQL server data. By default, the Agent listens on port 6070/TCP. When an overly long string (over 3168 bytes) is sent to this port, a buffer overflow occurs.

Attack Detection: Users of VPN-1 NGX R60 who have applied the solution outlined below will identify the attack by the following log entries:

Attack Name: CA BrightStor MS-SQL Agent Protection Violation
Attack Information:
Buffer overflow attempt
Illegal message length
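
Sites that keep flow records can run a triage pass alongside the SmartDefense log, using the port and length given under Details. The following is an added example, not Check Point or CA code; the CSV layout, the addresses, the timestamps and the backup-server allowlist are constructed assumptions.

```python
import csv
import io
import ipaddress

AGENT_PORT = 6070          # default agent port, from the advisory
OVERFLOW_THRESHOLD = 3168  # bytes, from the advisory

# Assumption: only these hosts (the backup servers) should ever contact the agent.
BACKUP_SERVERS = {ipaddress.ip_address("10.0.5.10")}

# Constructed sample flow records (not real traffic): one row per TCP connection,
# client_bytes = payload bytes sent by the connecting side.
SAMPLE_FLOWS = """ts,src,dst,dport,client_bytes
T+00:00:01,10.0.5.10,10.0.8.21,6070,812
T+00:14:40,192.0.2.77,10.0.8.21,6070,4096
T+00:15:02,192.0.2.77,10.0.8.21,1433,5200
T+00:20:13,10.0.9.44,10.0.8.21,6070,120
T+01:00:00,10.0.5.10,10.0.8.21,6070,3500
"""

def triage_flows(csv_text):
    """Return (severity, row) for connections to the agent port worth a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["dport"]) != AGENT_PORT:
            continue
        trusted = ipaddress.ip_address(row["src"]) in BACKUP_SERVERS
        # "Over 3168 bytes" in the advisory, so exactly 3168 is not flagged.
        oversized = int(row["client_bytes"]) > OVERFLOW_THRESHOLD
        if oversized and not trusted:
            severity = "high"    # unknown source sent more than the overflow length
        elif not trusted:
            severity = "medium"  # unknown source reached the agent at all
        elif oversized:
            severity = "low"     # backup server; byte count alone is only a hint
        else:
            continue
        findings.append((severity, row))
    return findings

if __name__ == "__main__":
    for severity, row in triage_flows(SAMPLE_FLOWS):
        print(f"{severity:6} {row['ts']} {row['src']} -> {row['dst']}:{row['dport']} "
              f"client_bytes={row['client_bytes']}")
```

A per-connection byte count is a coarse signal, since a legitimate session can carry more than 3168 bytes in total; the allowlist is what separates expected backup traffic from everything else.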

Solution:

Users of VPN-1 NGX R60 should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

To enable the protection:

1. On the SmartDefense navigation tree, click Application Intelligence > CA BrightStor Backup and enable MS-SQL Agent Protection.

2. Enforce security policy to all modules.

Industry Reference: CAN-2005-1272
Additional Information: This Update also includes:
- Microsoft Color Management Module Protection (CPAI-2005-124)
- Remote Desktop Protocol (RDP) Protection (CPAI-2005-126)
- DirectConnect Peer to Peer Protocol Protection (CPAI-2005-127)