CA20090615-01: Security Notice for CA ARCserve Backup Message Engine

24 May 2019

Issued: June 15, 2009
Last Updated: July 16, 2009

CA's technical support is alerting customers to security risks with CA ARCserve Backup. Multiple vulnerabilities exist in the message engine that can allow a remote attacker to cause a denial of service. CA has issued an update to address the vulnerabilities.

The vulnerabilities, CVE-2009-1761, occur due to insufficient verification of data sent to the message engine. An attacker can make requests that can cause the message engine to crash.

Risk Rating

Medium

Platform

Windows

Affected Products

CA ARCserve Backup r11.1 SP2
CA ARCserve Backup r11.5 SP3 and below
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r12.0 SP1 Windows

Non-Affected Products

CA ARCserve Backup r11.5 SP 4 Windows
CA ARCserve Backup r12.0 SP 2 Windows
CA ARCserve Backup r12.5

How to determine if the installation is affected

CA ARCserve Backup r12.0, r12.0 SP1 Windows:

  1. Run the ARCserve Patch Management utility. From the Windows Start menu, the program can be found under Programs->CA->ARCserve Patch Management->Patch Status.

  2. The main patch status screen will indicate if the patch in the below table is applied. If the patch is not applied, then the installation is vulnerable.

  Product                                        Patch
  CA ARCserve Backup r12.0, r12.0 SP1 Windows    RO08383


For more information on the ARCserve Patch Management utility, read document TEC446265.

Solution

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
Install Service Pack 2 RO08383.

CA ARCserve Backup r11.5 SP3 and below:
Apply QO99129.

CA ARCserve Backup r11.1 SP2:
Apply the latest security update (RO04382).

References

CVE-2009-1761 - Message engine denial of service

Acknowledgement

CVE-2009-1761 - iViZ Security Research Team

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Support at https://support.ca.com/.

If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.