In association with heise online

20 May 2008, 13:57

Security holes in CA ARCserve Backup allow code injection


Security service provider Zero Day Initiative (ZDI) has reported security holes in ARCserve Backup software that allow attackers from the internet to inject and execute arbitrary program code or to cause denial of service without authentication. The vendor has issued updates to patch the vulnerabilities.

One of the flaws ZDI discovered in ARCserve Backup for Linux was traced to a boundary error in the xdr_rwsstring() function. A parameter with a long value can cause a stack-based buffer overflow during processing, allowing injected code to be executed.
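As an added illustration (not CA's code and not from the ZDI advisory), this is the kind of boundary check a bounded XDR string decoder needs: the length word taken from the wire is compared against the destination buffer before a single byte is copied, and a record that is shorter than it claims is rejected too. The function name and the sample records are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Decode one XDR string (4-byte big-endian length, then the bytes,
 * padded to a multiple of 4) into a caller-owned fixed-size buffer.
 * Returns 0 on success; negative codes mean the record was rejected.
 * The length-versus-capacity test is the boundary check a stack
 * buffer needs before memcpy; its absence is what the advisory
 * describes in xdr_rwsstring(). */
int xdr_string_decode_bounded(const uint8_t *in, size_t in_len,
                              char *out, size_t out_cap, size_t *consumed)
{
    if (in_len < 4 || out_cap == 0)
        return -1;                         /* no length word to read */
    uint32_t len = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                   ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
    if (len >= out_cap)
        return -2;                         /* would overflow destination */
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (in_len - 4 < padded)
        return -3;                         /* record shorter than claimed */
    memcpy(out, in + 4, len);
    out[len] = '\0';
    *consumed = 4 + padded;
    return 0;
}

/* Constructed sample records (not captured traffic) covering the three
 * outcomes; returns how many cases behaved as expected (3 when correct). */
int xdr_demo(void)
{
    static const uint8_t ok[]     = {0,0,0,5,'h','e','l','l','o',0,0,0};
    static const uint8_t huge[]   = {0,0,1,0};          /* claims 256 bytes */
    static const uint8_t short_[] = {0,0,0,5,'h','e'};  /* claims 5, has 2 */
    char buf[16];
    size_t used = 0;
    int passed = 0;

    if (xdr_string_decode_bounded(ok, sizeof ok, buf, sizeof buf, &used) == 0
        && used == 12 && strcmp(buf, "hello") == 0)
        passed++;
    if (xdr_string_decode_bounded(huge, sizeof huge, buf, sizeof buf, &used) == -2)
        passed++;
    if (xdr_string_decode_bounded(short_, sizeof short_, buf, sizeof buf, &used) == -3)
        passed++;
    return passed;
}
```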

Another vulnerability exists in the caloggerd event logger service. Failure to check user-supplied paths allows unauthenticated attackers to append arbitrary data to a file via directory traversal (paths containing ../). This can give them complete control over the system.

According to the ZDI advisory, the security service provider advised CA of the security holes in September of 2006. CA took nearly two years to develop a patch. Considering the frequent discovery of security holes in the recent past and CA's delayed patch releases, ARCserve Backup users may want to think about switching to a better maintained product.
