[NT] CA ARCserve Backup RPC "handle_t" Argument Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



CA ARCserve Backup RPC "handle_t" Argument Vulnerability
------------------------------------------------------------------------


SUMMARY

" <http://www.ca.com/us/data-loss-prevention.aspx> CA ARCserve is a
reliable and comprehensive data protection solution trusted by hundreds of
thousands users. It offers market-leading features, functionality and
performance to provide data protection that minimizes costs, streamlines
administrative tasks and operations and is part of a comprehensive
integrated recovery solution." Secunia Research has discovered a
vulnerability in BrightStor ARCserve Backup, which can be exploited by
malicious people to compromise a vulnerable system.

DETAILS

Vulnerable Systems:
* CA ARCserve Backup version 11.5 SP4 build 4491

The vulnerability is caused due to insufficient validation of "handle_t"
arguments passed to RPC endpoints. Passing object pointers to procedures
that expect different types can result in arbitrary code execution.

Time Table:
24/10/2007 - Vendor notified.
24/10/2007 - Vendor response.
21/11/2007 - Status update requested.
21/11/2007 - Vendor responds that development is working on patches.
07/04/2008 - Status update requested.
08/04/2008 - Vendor notifies expected release in May 2008.
21/05/2008 - Vendor notifies expected release in October 2008.
10/11/2008 - Vendor informed that October release did not fix the reported
vulnerability in version 11.5.
10/11/2008 - Vendor requests additional information.
10/11/2008 - Additional information provided to the vendor.
11/11/2008 - Vendor asks for further clarification.
11/11/2008 - Additional information about testing provided to vendor.
14/11/2008 - Vendor informed that fixes for version 12 correctly addressed
the reported vulnerability.
18/11/2008 - Vendor provides beta patch for version 11.5.
20/11/2008 - Vendor informed that beta patch fixes the vulnerability.
11/12/2008 - Public disclosure.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5415>
CVE-2008-5415


ADDITIONAL INFORMATION

The information has been provided by Secunia Research.
The original article can be found at:
<http://secunia.com/secunia_research/2007-82/>
http://secunia.com/secunia_research/2007-82/



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NEWS] Openfire Jabber-Server Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... filter which is responsible for authentication could be completely ... SQL injection vulnerability. ... Since the vendor didn't release a patch within the last 6 months it is ...
    (Securiteam)
  • [UNIX] Multiple Vendor ImageMagick Sign Extension Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple Vendor ImageMagick Sign Extension Vulnerability ...
    (Securiteam)
  • [UNIX] Happymall E-Commerce Input Validation Flaw Lets Remote Users Execute Arbitrary Commands
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Revin Aldi reported an input validation vulnerability in the Happymall ... The vendor reports that the 'member_html.cgi' script is also affected. ...
    (Securiteam)
  • [NT] w3wp DoS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... 1/12/2006 - Vendor requested for additional info ... recv(conn_socket, szBuffer, 256, 0); ...
    (Securiteam)
  • [NT] Trend Micro HouseCall ActiveX Control Arbitrary Code Execution
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Trend Micro HouseCall ActiveX Control Arbitrary Code Execution ... The vulnerability is caused due to an implementation error within the ... 18/08/2008 - Vendor notified. ...
    (Securiteam)