CA warns of exploit for BrightStor ARCserve Backup

Computer Associates have once again warned of a critical vulnerability in their popular backup solution BrightStor ARCserve Backup. Rather than a patch, this time round users are faced with a workaround which provisionally fixes the vulnerability, as there is already a published exploit which binds a shell to a network port. The risk of an attack via the internet is relatively small, as the ports used by BrightStor are usually blocked at the firewall. This does not, however, offer protection from attackers on the local network.

The cause of the problem is apparently the import of unchecked data from RPC packets, which allows data to be written to memory or accessed in memory to execute code on the system. According to the security advisory, the bug is in mediasvr.exe. As a workaround, CA suggests renaming mediasvr.exe to, for example, mediasvr.exe.disable and restarting the BrightStor Tape Engine service. This deactivates the vulnerable components. However, it also renders command line utilities such as ca_backup and ca_restore unavailable. The vendor will publish information on its website as soon as a patch is available.

In the last six months, CA has reported seven critical vulnerabilities in BrightStor ARCserve, all of which allow a system to be taken over. Two weeks ago, an update to fix a vulnerability in the Tape Engine was released. Since it can be assumed that further critical errors will be discovered in ARCserve, users should consider taking additional security measures where this product continues to be used.

See also:

• Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Code Vulnerability, security advisory from Shirkdog Security
• CA BrightStor ARCserve Backup Mediasvr.exe vulnerability, workaround from CA

(mba)