Security holes in CA ARCserve Backup allow code injection
Security service provider Zero Day Initiative (ZDI) has reported security holes in CA's ARCserve Backup software that allow unauthenticated remote attackers to inject and execute arbitrary program code or to cause a denial of service. The vendor has issued updates to patch the vulnerabilities.
One of the flaws ZDI discovered in ARCserve Backup for Linux was traced to a boundary error in the xdr_rwsstring() function. A string parameter with an overlong value causes a stack-based buffer overflow while the XDR message is being decoded, allowing injected code to be executed.
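The pattern behind this kind of XDR bug, shown as an added example rather than CA's code: XDR encodes a string as a 4-byte big-endian length followed by the bytes, padded to a multiple of four. A decoder that trusts that length as the copy size overflows whatever fixed buffer it writes into; the hardened version bounds the length by both the destination size and the bytes actually present. The buffer size, function names and sample messages below are assumptions for illustration, not taken from ARCserve.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed fixed-size destination, standing in for the stack buffer in the
 * vulnerable function; the real ARCserve buffer size is not known here. */
#define XDR_STR_MAX 64

/* XDR string: 4-byte big-endian length, then the bytes, zero-padded to a
 * multiple of four (RFC 4506, section 4.11). */
static uint32_t xdr_get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable shape: the attacker-controlled length becomes the memcpy size
 * with no comparison against the destination.  A length of out_size or more
 * writes past the end of `out` (on the stack when the caller's buffer lives
 * there).  Shown for contrast only; never feed it untrusted input. */
int xdr_string_unchecked(const unsigned char *msg, size_t msg_len,
                         char *out, size_t out_size)
{
    (void)out_size;                   /* the bug: destination size ignored */
    if (msg_len < 4)
        return -1;
    uint32_t len = xdr_get_u32(msg);
    memcpy(out, msg + 4, len);        /* overflow when len >= out_size */
    out[len] = '\0';
    return (int)len;
}

/* Hardened decoder: rejects a declared length that does not fit the
 * destination (with room for the terminator) or exceeds the bytes actually
 * present in the message.  Returns the string length, or -1 on malformed
 * input, and reports the bytes consumed (including padding) so the caller
 * can continue parsing the next field. */
int xdr_string_checked(const unsigned char *msg, size_t msg_len,
                       char *out, size_t out_size, size_t *consumed)
{
    if (out_size == 0 || msg_len < 4)
        return -1;
    uint32_t len = xdr_get_u32(msg);
    if (len >= out_size)              /* does not fit, terminator included */
        return -1;
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (padded > msg_len - 4)         /* length claims bytes the message lacks */
        return -1;
    memcpy(out, msg + 4, len);
    out[len] = '\0';
    if (consumed)
        *consumed = 4 + padded;
    return (int)len;
}
```

Note the order of the two checks: the destination-size test runs first, so `padded` is computed only for a small `len` and cannot wrap on a 32-bit `size_t`. The "bytes actually present" test is what stops a truncated message from turning the overflow into an out-of-bounds read.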
Another vulnerability exists in the caloggerd event logger service. Because the daemon does not validate user-supplied paths, unauthenticated attackers can use directory traversal (paths containing ../) to append arbitrary data to any file the service can write. Since the attacker chooses both the target file and the appended bytes, this is enough to take complete control of the system.
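The check caloggerd was missing, as an added example that is not CA's code: a logger that builds its output path by concatenating a base directory with a client-supplied name lets "../" walk out of that directory, whereas the hardened version accepts only a relative path whose every component is a plain file name. The base directory, function names and sample paths are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed log directory for the example; not ARCserve's actual location. */
#define LOG_DIR "/var/log/example"

/* Vulnerable shape: join and trust the caller.  A name such as
 * "../../etc/cron.d/evil" resolves outside LOG_DIR, and an O_APPEND open
 * on the result lets the client append to whatever file it names. */
int build_log_path_unchecked(const char *name, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "%s/%s", LOG_DIR, name);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Hardened: reject absolute paths, empty components ("//", leading or
 * trailing "/"), "." and "..", so the result always stays under LOG_DIR.
 * Returns 0 and fills `out` on success, -1 on rejection or truncation. */
int build_log_path_checked(const char *name, char *out, size_t out_size)
{
    if (name == NULL || *name == '\0' || *name == '/')
        return -1;
    if (name[strlen(name) - 1] == '/')
        return -1;

    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t clen = end ? (size_t)(end - p) : strlen(p);
        if (clen == 0)                                  /* "a//b" */
            return -1;
        if (clen == 1 && p[0] == '.')                   /* "./x" */
            return -1;
        if (clen == 2 && p[0] == '.' && p[1] == '.')    /* "../x" */
            return -1;
        p += clen + (end ? 1 : 0);
    }
    return build_log_path_unchecked(name, out, out_size);
}
```

This is a lexical check only: it guarantees the constructed path string stays under LOG_DIR, but not that the file it names does, since a symlink inside the directory can still point elsewhere. A production logger should also open the result relative to a directory descriptor with O_NOFOLLOW (or verify it with realpath after creation) and run with the least privilege the log directory needs.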
According to the ZDI advisory, ZDI notified CA of the security holes in September 2006, and CA took nearly two years to release a patch. Given how often security holes have turned up in ARCserve Backup recently and how slowly CA has patched them, ARCserve Backup users may want to consider switching to a better maintained product.
See also:
- Security Notice for CA ARCserve Backup caloggerd and xdr functions, CA security notice
- CA BrightStor ARCserve Backup XDR Parsing Buffer Overflow Vulnerability, Zero Day Initiative Advisory
- CA BrightStor ARCserve Backup caloggerd Arbitrary File Writing Vulnerability, Zero Day Initiative Advisory
(mba)