[UNIX] Computer Associates BrightStor ARCserve Backup UniversalAgent Backdoor Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 02/13/05
- Previous message: SecuriTeam: "[UNIX] IBM AIX netpmon Local Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 13 Feb 2005 13:23:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Computer Associates BrightStor ARCserve Backup UniversalAgent Backdoor
Vulnerability
------------------------------------------------------------------------
SUMMARY
BrightStor ARCserve Backup r11.1 delivers "leading backup and restore
protection for all classes of Windows, NetWare, Linux and UNIX servers, as
well as Windows, Mac OS X, Linux, UNIX, AS/400 and VMS client
environments".
Remote exploitation of a design flaw in Computer Associates International
Inc's BrightStor ARCserve Backup UniversalAgent for UNIX may allow
execution of arbitrary code.
DETAILS
Vulnerable Systems:
* Computer Associates BrightStor ARCserve Backup r11.1 for Linux and UNIX
The vulnerability specifically exists due to hard coded credentials being
left in the production release of the UniversalAgent for UNIX. An attacker
may use the following credentials to gain full access to the remote file
system and potentially execute arbitrary commands with permissions of the
root user.
Username: \x02root\x03
Password: \x02
Analysis:
The BrightStor software uses a network agent to perform backups on nodes
across the network. Typically, the agent service requires either
administrative credentials or a node-specific password and is capable of
backing up files and remotely executing commands. The agent will listen on
TCP and UDP ports 6051 by default and is installed on every node that the
BrightStor server is configured to backup.
Workaround:
Employ firewalls, access control lists or other TCP/UDP restriction
mechanism to limit access to the backup port on affected systems and
services. The login credentials are sent in cleartext and may also be used
to detect connections from attackers.
Vendor Status:
The following vendor advisories are available for this issue:
* BAB 7.0 Linux
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63672>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63672
* BAB 9.0 Linux Japanese
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63673>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63673
* BAB 9.0 Linux English
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63674>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63674
* BEB 10.0 AIX
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63675>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63675
* BEB 10.0 HPUX
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63676>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63676
* BEB 10.0 Solaris
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63677>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63677
* BEB 10.5 Tru64
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63678>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63678
* BEB 10.5 HP
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63679>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63679
* BEB 10.5 AIX
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63680>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63680
* BEB 10.5 Solaris
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63681>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63681
* BAB 11.1 Macintosh
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63682>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63682
* BAB 11.1 Mainframe Linux
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63683>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63683
* BAB 11.1 Tru64
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63684>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63684
* BAB 11.1 Linux
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63685>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63685
* BAB 11.1 HP
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63691>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63691
* BAB 11.1 AIX
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63687>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63687
* BAB 11.1 - Solaris
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63688>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63688
* BEB 10.0 Mainframe Linux
<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63689>
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO63689
Disclosure Timeline:
12/02/2004 - Initial vendor notification
12/02/2004 - Initial vendor response
02/10/2005 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=198&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=198&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] IBM AIX netpmon Local Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [VulnWatch] iDEFENSE Security Advisory 02.10.05: Computer Associates BrightStor ARCserve Backup Univ
... Computer Associates BrightStor ARCserve Backup UniversalAgent Backdoor ... protection
for all classes of Windows, NetWare, Linux and UNIX servers, ... BAB 9.0 Linux Japanese
... BEB 10.0 HPUX ... (VulnWatch) - [Full-Disclosure] iDEFENSE Security Advisory 02.10.05: Computer Associates BrightStor ARCserve Backu
... Computer Associates BrightStor ARCserve Backup UniversalAgent Backdoor ... protection
for all classes of Windows, NetWare, Linux and UNIX servers, ... BAB 9.0 Linux Japanese
... BEB 10.0 HPUX ... (Full-Disclosure) - [UNIX] Linux Kernel i386 SMP Page Fault Handler Privilege Escalation
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Locally exploitable flaw has been
found in the Linux page fault handler ... an operating system kernel is handling of virtual
memory. ... stack expansion if the access goes just below application's actual stack
... (Securiteam) - [UNIX] Linux Kernel Socket Buffer Memory Exhaustion DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Local exploitation of a memory
exhaustion vulnerability in Linux Kernel ... system memory resources can be ...
(Securiteam) - [UNIX] Linux ISO9660 Handling Flaws
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A number of kernel-level checking
flaws were discovered in the Linux ... ISO9660 filesystem handler in Linux
... (Securiteam)
