Security Notice for CA ARCserve Backup
1884
24 May 2019
Issued: October 09, 2008
Last Updated: February 24, 2010
CA's support is alerting customers to multiple security risks associated with CA ARCserve Backup. Multiple vulnerabilities exist that can allow a remote attacker to cause a denial of service or possibly execute arbitrary code. CA has issued patches to address the vulnerabilities.
The first vulnerability, CVE-2008-4397, occurs due to insufficient validation of certain RPC call parameters by the message engine service. An attacker can exploit a directory traversal vulnerability to execute arbitrary commands.
The second vulnerability, CVE-2008-4398, occurs due to insufficient validation by the tape engine service. An attacker can make a request that will crash the service.
The third vulnerability, CVE-2008-4399, occurs due to insufficient validation by the database engine service. An attacker can make a request that will crash the service.
The fourth vulnerability, CVE-2008-4400, occurs due to insufficient validation of authentication credentials. An attacker can make a request that will crash multiple services.
Note: these issues only affect the base product.
Risk Rating
High
Platform
Windows
Affected Products
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows*
CA ARCserve Backup r11.1 Windows*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2
*Formerly known as BrightStor ARCserve Backup.
Non-Affected Products
CA ARCserve Backup r12.0 Windows SP1
How to determine if the installation is affected
CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows:
- Run the ARCserve Patch Management utility. From the Windows Start menu, it can be found under Programs->CA->ARCserve Patch Management->Patch Status.
- The main patch status screen will indicate if the respective patch in the table below is currently applied. If the patch is not applied, the installation is vulnerable.
Product | Patch |
CA ARCserve Backup r12.0 Windows | RO01340 |
CA ARCserve Backup r11.5 Windows | RO02398, RO13721 |
For more information on the ARCserve Patch Management utility, read document TEC446265.
Alternatively, use the file information below to determine if the product installation is vulnerable.
CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows,
CA ARCserve Backup r11.1 Windows:
- Using Windows Explorer, locate the file "asdbapi.dll". By default, the file is located in the "C:\Program Files\CA\BrightStor ARCserve Backup" directory.
- Right click on the file and select Properties.
- Select the General tab.
- If the file timestamp is earlier than indicated in the table below, the installation is vulnerable.
Product version | File Name | File Size | Timestamp |
CA ARCserve Backup r11.1 Windows | asdbapi.dll | 856064 bytes | 09/05/2008 10:35:19 |
CA ARCserve Backup r11.5 Windows* | asdbapi.dll | 1249354 bytes | 09/05/2008 11:14:04 |
CA ARCserve Backup r12.0 Windows | asdbapi.dll | 992520 bytes | 08/09/2008 4:51:58 |
*CA Protection Suites r2 includes CA ARCserve Backup 11.5
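The file check above can be scripted for servers where checking by hand in Windows Explorer is impractical. The following PowerShell is an added example, not part of CA's advisory or tooling; the -ProductVersion and -InstallDir parameters and the Test-AsdbapiPatched function are hypothetical names, and it assumes the table's dates are written MM/DD/YYYY.

```powershell
# Added example, not CA's tooling. Assumptions: table dates are MM/DD/YYYY and
# are compared with the file's local last-modified time, as Explorer shows it.
param(
    [Parameter(Mandatory)]
    [ValidateSet('r11.1', 'r11.5', 'r12.0')]   # r11.5 also covers CA Protection Suites r2
    [string]$ProductVersion,
    # Default directory from the advisory; override for a custom install
    [string]$InstallDir = 'C:\Program Files\CA\BrightStor ARCserve Backup'
)

# Fixed-file details copied from the advisory's table
$fixed = @{
    'r11.1' = @{ Size = 856064;  Stamp = '09/05/2008 10:35:19' }
    'r11.5' = @{ Size = 1249354; Stamp = '09/05/2008 11:14:04' }
    'r12.0' = @{ Size = 992520;  Stamp = '08/09/2008 4:51:58' }
}

function Test-AsdbapiPatched {
    param([datetime]$FileTime, [string]$Version)
    $threshold = [datetime]::ParseExact(
        $fixed[$Version].Stamp, 'MM/dd/yyyy H:mm:ss',
        [Globalization.CultureInfo]::InvariantCulture)
    # Advisory rule: a timestamp earlier than the table value means vulnerable
    return $FileTime -ge $threshold
}

$dll = Join-Path $InstallDir 'asdbapi.dll'
if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
    Write-Warning "asdbapi.dll not found in '$InstallDir'; pass -InstallDir."
    exit 2
}

$item    = Get-Item -LiteralPath $dll
$patched = Test-AsdbapiPatched -FileTime $item.LastWriteTime -Version $ProductVersion

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Product       = "CA ARCserve Backup $ProductVersion Windows"
    File          = $item.FullName
    LastWriteTime = $item.LastWriteTime
    SizeBytes     = $item.Length
    TableSize     = $fixed[$ProductVersion].Size   # informational; the advisory's test is the timestamp
    Status        = if ($patched) { 'Timestamp not earlier than fixed file' } else { 'VULNERABLE' }
}

# Non-zero exit lets a scheduled task or inventory job flag the host
if (-not $patched) { exit 1 }
```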
Solution
CA has issued the following updates for systems that have an affected base product.
CA ARCserve Backup r12.0 Windows:
Apply Service Pack 1 (RO01340)
CA ARCserve Backup r11.5 Windows:
RO02398 and RO13721
CA ARCserve Backup r11.1 Windows:
RO02396
CA Protection Suites r2:
RO02398
Workaround
None
References
CVE-2008-4397 - Message engine command injection
CVE-2008-4398 - Tape engine denial of service
CVE-2008-4399 - Database engine denial of service
CVE-2008-4400 - Multiple service crash
Acknowledgement
CVE-2008-4397 - Haifei Li of Fortinet's FortiGuard Global Security Research Team
CVE-2008-4398 - Vulnerability Research Team of Assurent Secure Technologies, a TELUS Company
CVE-2008-4399 - Vulnerability Research Team of Assurent Secure Technologies, a TELUS Company
CVE-2008-4400 - Greg Linares of eEye Digital Security
Change History
Version 1.0: Initial Release
Version 1.1: Added RO13721 for ARCserve Backup 11.5 Windows as a replacement for a previously issued fix to resolve potential install issues with RO02398.
If additional information is required, please contact CA Support at https://support.ca.com.
If you discover a vulnerability in CA products, please report your findings to our product security response team.