Computer Associates' Backup Line Sports Big Bug

The flaw in Computer Associates' Windows versions of BrightStor ARCserve Backup is the second serious vulnerability spotted in corporate backup-and-restore software in the last two months. In June, Symantec's Veritas Backup Exec was found to have a number of vulnerabilities. Patches were issued, but widespread exploits pounced on still-vulnerable systems almost immediately.

History was also a reason why Symantec on Wednesday updated its overall Internet threat alert from a "1" to a "2."

"Historically, buffer overflow vulnerabilities in the Computer Associates ARCserve product line have been quickly targeted and exploited by attackers," said Symantec in an alert sent to customers of its DeepSight Threat Management System. "As such, attackers may already have some level of familiarity with the service and the development of attack tools may be somewhat expedited as a result.

"The team believes that this vulnerability represents a significant threat and should be mitigated as soon as possible," Symantec continued.

The problem lies in the Backup Agents in several versions of ARCserve for Windows -- including 9.01, 10, 10.5, 11.0, and 11.1 -- which can be exploited by sending a specially-crafted string to port 6070. Once the attacker creates a buffer overflow, he or she has full privileges on the compromised system, and can then do what he or she wants, including loading code remotely to further damage the machine or hijack it for other uses.

Computer Associates has patched the vulnerable versions and published a security advisory outlining the problem. CA labeled the ARCserve flaws as "critical" with the overall risk to customers as "high."

Symantec also updated its original advisory to make note of a second port that should be blocked until patches are in place.

"Although the original report of this vulnerability claims that the flaw is exposed via port 6070, the Threat Analyst Team believes that this information is in error and TCP/UDP ports 6050 are, in fact, utilized by the BrightStor products," Symantec wrote in the alert. "To be on the safe side, it is strongly encouraged that traffic targeting both TCP and UDP ports 6070 and 6050 be filtered at the perimeter."
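One way to check whether that perimeter filtering is actually in place is to audit firewall logs for traffic reaching the agent ports from anything other than the approved backup servers. This is an added example, not code from the article, CA or Symantec; the log format, addresses and timestamps are constructed.

```python
# Added example (not CA's or Symantec's code): audit perimeter firewall logs for
# traffic to the ARCserve Backup Agent ports. Assumes a constructed log format:
# "<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <action>".
from typing import Iterable, List, NamedTuple, Optional, Set

ARCSERVE_PORTS = {6050, 6070}   # 6070 per the original report, 6050 per Symantec
PROTOCOLS = {"TCP", "UDP"}      # Symantec advised filtering both transports


class Finding(NamedTuple):
    timestamp: str
    src_ip: str
    dst_ip: str
    proto: str
    port: int
    action: str  # "ALLOW" means the perimeter did not stop it


def parse_line(line: str) -> Optional[Finding]:
    """Parse one log line; return None for blank or malformed lines."""
    fields = line.split()
    if len(fields) != 6 or not fields[4].isdigit():
        return None
    ts, src, dst, proto, port, action = fields
    return Finding(ts, src, dst, proto.upper(), int(port), action.upper())


def audit(log_text: str, allowed_sources: Set[str]) -> List[Finding]:
    """Traffic to an agent port over TCP/UDP from any host that is not an
    approved backup server (those are expected to talk to the agents)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.proto not in PROTOCOLS or rec.port not in ARCSERVE_PORTS:
            continue
        if rec.src_ip not in allowed_sources:
            findings.append(rec)
    return findings


def unfiltered(findings: Iterable[Finding]) -> List[Finding]:
    """Findings the perimeter allowed through, i.e. the recommended filter is missing."""
    return [f for f in findings if f.action == "ALLOW"]


# Constructed sample: one approved backup server, one external host hitting both ports.
SAMPLE_LOG = """\
2005-08-03T10:01:12Z 10.1.1.5 10.1.2.20 TCP 6050 ALLOW
2005-08-03T10:01:15Z 203.0.113.7 10.1.2.20 TCP 6070 ALLOW
2005-08-03T10:02:01Z 203.0.113.7 10.1.2.20 UDP 6050 DROP
2005-08-03T10:02:30Z 198.51.100.9 10.1.2.21 TCP 445 ALLOW
malformed line
"""
```

Running `audit(SAMPLE_LOG, {"10.1.1.5"})` returns the two external hits on the agent ports; `unfiltered` narrows them to the one the perimeter let through, which is the case the advisory's filtering recommendation is meant to close.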

Vulnerability intelligence firm iDefense, which was recently acquired by VeriSign, discovered the vulnerability in late April after a researcher submitted it to the Reston, Va.-based company through its bug bounty program.