In association with heise online

15 January 2007, 11:19

Security update for BrightStor ARCserve Backup

Several security holes in CA's BrightStor ARCserve Backup can be exploited to break into a system and take control of it. The Tape Engine and the Message Engine RPC are mainly affected; they can be reached over the network on TCP ports 6502 and 6503. Five of the holes are buffer overflows that could be used to inject and execute code on a vulnerable system over the network. Sending a specially prepared packet to the engines is sufficient.

The following software is affected:

BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup for Windows r11
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

CA has provided updates that close the holes. In the past three months, the vendor has had to deal with a number of critical holes in ARCserve. CA seems to be settling into a monthly rhythm in the supply of security updates for its Backup products.

(ehe)