Executive Summary

Summary
Title: CA ARCserve Backup opcode 0x7a RWSList remote code execution vulnerability

Information
Name: VU#936363
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2012-10-30
Last vendor modification: 2012-10-30
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5
CVSS impact score: 6.4
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#936363

CA ARCserve Backup opcode 0x7a RWSList remote code execution vulnerability

Original Release date: 30 Oct 2012 | Last revised: 30 Oct 2012

Overview

The CA ARCserve Backup authentication service, caauthd.exe, is susceptible to a pre-authentication remote code execution vulnerability. Arbitrary code will run with NT AUTHORITY\SYSTEM privileges. CA ARCserve Backup r16 SP1 was reported to be vulnerable.

Description

The Offensive Security advisory states:

    By replacing a particular xdr_rwslist object expected in an RPC authentication packet (opcode 0x7a) with another xdr_rwobject, function sub_416E80 will call a non-existent or invalid virtual function (RWSlistCollectables::at) that can be controlled by the attacker. Authentication is not required to trigger the bug and successful exploitation of this vulnerability for the caauthd.exe process will lead to remote code execution with NT AUTHORITY\SYSTEM privileges. Failed exploitation will lead to a denial of service.

Additional details may be found in the full Offensive Security advisory and CA20121018-01: Security Notice for CA ARCserve Backup.
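The defect described above is a type-confusion pattern: a deserialised object of one kind reaches code that assumes another kind and calls through its virtual table. The C program below is an added example, not code from the advisory, from Offensive Security or from CA ARCserve; it models a simplified, constructed wire format (kind tag, length, payload) and shows the check a call site needs before dispatching through a vtable slot: confirm the object's kind and that the slot is populated. All names (rw_object, rw_slist, handle_auth_record, the kind tags and the sample records) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed kind tags; hypothetical, not ARCserve's real XDR layout. */
enum obj_kind { KIND_RWSLIST = 0x01, KIND_RWSTRING = 0x02 };

struct rw_object;

/* Only list objects provide at(); other kinds leave the slot NULL. */
struct rw_vtable {
    int (*at)(const struct rw_object *self, size_t index, int32_t *out);
};

/* Common header every decoded object starts with. */
struct rw_object {
    enum obj_kind kind;
    const struct rw_vtable *vt;
};

#define MAX_ITEMS 8
struct rw_slist {
    struct rw_object base;   /* first member, so (struct rw_slist *)obj is valid */
    size_t count;
    int32_t items[MAX_ITEMS];
};

struct rw_string {
    struct rw_object base;
    char text[32];
};

static int slist_at(const struct rw_object *self, size_t index, int32_t *out) {
    const struct rw_slist *l = (const struct rw_slist *)self;
    if (index >= l->count) return -1;          /* index out of range */
    *out = l->items[index];
    return 0;
}

static const struct rw_vtable slist_vtable  = { slist_at };
static const struct rw_vtable string_vtable = { NULL };

/* Storage large enough for one decoded object of either kind. */
union rw_any { struct rw_slist list; struct rw_string str; };

/* Decode the constructed wire format [kind][len][payload...] into *dst.
   Returns the object header, or NULL when the record is malformed. */
static struct rw_object *decode_object(const uint8_t *buf, size_t len, union rw_any *dst) {
    if (len < 2) return NULL;
    uint8_t kind = buf[0], n = buf[1];
    const uint8_t *payload = buf + 2;
    size_t avail = len - 2;
    memset(dst, 0, sizeof *dst);
    if (kind == KIND_RWSLIST) {
        if (n > MAX_ITEMS || avail < (size_t)n * 4) return NULL;
        dst->list.base.kind = KIND_RWSLIST;
        dst->list.base.vt = &slist_vtable;
        dst->list.count = n;
        for (size_t i = 0; i < n; i++) {
            /* big-endian int32, the way XDR encodes integers */
            uint32_t v = ((uint32_t)payload[4*i] << 24) | ((uint32_t)payload[4*i+1] << 16)
                       | ((uint32_t)payload[4*i+2] << 8) | (uint32_t)payload[4*i+3];
            dst->list.items[i] = (int32_t)v;
        }
        return &dst->list.base;
    }
    if (kind == KIND_RWSTRING) {
        if (n >= sizeof dst->str.text || avail < n) return NULL;
        dst->str.base.kind = KIND_RWSTRING;
        dst->str.base.vt = &string_vtable;
        memcpy(dst->str.text, payload, n);
        return &dst->str.base;
    }
    return NULL;  /* unknown tag */
}

/* Hardened call site: verify the object really is a list and that the vtable
   slot is populated before dispatching through it. */
static int list_at_checked(const struct rw_object *obj, size_t index, int32_t *out) {
    if (obj->kind != KIND_RWSLIST) return -2;            /* wrong kind: refuse */
    if (obj->vt == NULL || obj->vt->at == NULL) return -2;
    return obj->vt->at(obj, index, out);
}

/* Handle one authentication record: decode it, then read its first element.
   0 = ok, -1 = index out of range, -2 = wrong object kind, -3 = malformed. */
int handle_auth_record(const uint8_t *buf, size_t len, int32_t *first) {
    union rw_any storage;
    struct rw_object *obj = decode_object(buf, len, &storage);
    if (obj == NULL) return -3;
    return list_at_checked(obj, 0, first);
}

/* Constructed sample records. */
const uint8_t SAMPLE_LIST[]   = { 0x01, 0x02, 0,0,0,42, 0,0,0,7 }; /* list [42, 7] */
const uint8_t SAMPLE_STRING[] = { 0x02, 0x03, 'a','b','c' };        /* string where a list is expected */
const uint8_t SAMPLE_EMPTY[]  = { 0x01, 0x00 };                      /* empty list */
const size_t SAMPLE_LIST_LEN   = sizeof SAMPLE_LIST;
const size_t SAMPLE_STRING_LEN = sizeof SAMPLE_STRING;
const size_t SAMPLE_EMPTY_LEN  = sizeof SAMPLE_EMPTY;
```

A string record delivered where a list is expected is refused with -2 before any indirect call is made; a truncated record fails decoding with -3; an empty list is decoded correctly and the out-of-range read returns -1. The point of the design is that the kind check lives at the call site that dispatches through the vtable, not only in the decoder.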

Impact

An unauthenticated attacker may be able to execute remote code with NT AUTHORITY\SYSTEM privileges.

Solution

Apply a Patch

  • CA ARCserve Backup for Windows r12.5: apply patch RO49917
  • CA ARCserve Backup for Windows r15: apply patch RO49916
  • CA ARCserve Backup for Windows r16: apply patch RO49750

If you cannot patch for whatever reason, please consider the following workarounds.

  • Restrict access

    As a general good security practice, only allow connections from trusted hosts and networks.

  • Use the Microsoft Enhanced Mitigation Experience Toolkit

    The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7.

  • Enable DEP in Microsoft Windows

    Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

    Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry "On the effectiveness of DEP and ASLR" for more details.

Vendor Information

Vendor | Status | Date Notified | Date Updated
CA Technologies | Affected | 11 Jul 2012 | 31 Aug 2012

CVSS Metrics

Group | Score | Vector
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 7.8 | E:POC/RL:OF/RC:C
Environmental | 7.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

• http://www.offensive-security.com/vulndev/ca-arcserve-rwslist-remote-code-execution/
• https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={F9EEA31E-8089-423E-B746-41B5C9DD2AC1}

Credit

Thanks to Matteo Memelli of Offensive Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

• CVE IDs: CVE-2012-2971
• Date Public: 31 Aug 2012
• Date First Published: 30 Oct 2012
• Date Last Updated: 30 Oct 2012
• Document Revision: 24


This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Original Source

Url : http://www.kb.cert.org/vuls/id/936363

CWE : Common Weakness Enumeration

% | Id | Name
100% | CWE-94 | Failure to Control Generation of Code ('Code Injection')

SAINT Exploits

Description
CA ARCserve Backup Authentication service invalid virtual function call

OpenVAS Exploits

Date | Description
2012-11-20 | Name : CA ARCserve Backup RPC Services Multiple Vulnerabilities (Windows)
File : nvt/gb_ca_arcserve_backup_rpc_services_mult_vuln.nasl

Information Assurance Vulnerability Management (IAVM)

Date | Description
2012-10-25 | IAVM : 2012-B-0106 - Multiple Vulnerabilities in Computer Associates ARCserve Backup
Severity : Category I - VMSKEY : V0034512

Snort® IPS/IDS

Date | Description
2014-01-10 | portmap CA BrightStor ARCserve tcp procedure 122 invalid function call attempt
RuleID : 24639 - Revision : 8 - Type : PROTOCOL-RPC

Nessus® Vulnerability Scanner

Date | Description
2012-11-05 | Name : The remote host has a backup application installed that is affected by multip...
File : arcserve_backup_ca20121018.nasl - Type : ACT_GATHER_INFO