[NT] ARCserveIT Storage Management Backup Account Password Disclosure

From: support@securiteam.com
Date: 10/05/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] ARCserveIT Storage Management Backup Account Password Disclosure
Message-Id: <20011005135402.487B2138C2@mail.der-keiler.de>
Date: Fri,  5 Oct 2001 15:54:02 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  ARCserveIT Storage Management Backup Account Password Disclosure
------------------------------------------------------------------------

SUMMARY

 <http://www.ca.com/arcserveit/> ARCserveIT is a data protection
backup/restore application. The product suffers from a security problem
where the installation creates a world-readable file containing the backup
account username and password.

DETAILS

Vulnerable systems:
ARCserve for NT version 6.61 SP2a
ARCserve 2000 Advanced Edition version 7.0, build 1050, SP2

A file sharing security vulnerability has been found in Computer
Associates' ARCserveIT for Windows NT and 2000. By default the
installation creates a world-readable file that contains the backup
account username and password (a file called 'aremote.dmp' that resides
under ARCSERVE$\DR\<NAME of SERVER>\aremote.dmp).

The default installation of ARCserveIT for Microsoft Windows NT and 2000
also creates a hidden share ('ARCSERVE$') with share permissions that
allow the group EVERYONE to access this share.

Impact:
A remote attacker can access the shared directory and gain knowledge of
the backup account user name and password. This would be the administrator
account if the backup program is executed from the administrator account.

Solution:
Apply the following patch:
<http://support.ca.com/Download/patches/asitnt/QO00945.html>
http://support.ca.com/Download/patches/asitnt/QO00945.html

ADDITIONAL INFORMATION

The information has been provided by
<mailto:rdr@steelrat.kernelsutra.com> ron.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.