CERTVU:936363CA ARCserve Backup opcode 0x7a RWSList remote code execution vulnerability
0.592 Medium
EPSS
Percentile
97.7%
Overview
The CA ARCserve Backup authentication service, caauthd.exe, is susceptible to a pre-authentication remote code execution vulnerability. Arbitrary code will run with NT AUTHORITY\SYSTEM privileges. CA ARCserve Backup r16 SP1 was reported to be vulnerable.
Description
The Offensive Security advisory states:
By replacing a particular xdr_rwslist object expected in an RPC authentication packet (opcode 0x7a) with another xdr_rwobject, function sub_416E80 will call a non-existent or invalid virtual function (RWSlistCollectables::at) that can be controlled by the attacker. Authentication is not required to trigger the bug and successful exploitation of this vulnerability for the caauthd.exe process will lead to remote code execution with NT AUTHORITY\SYSTEM privileges. Failed exploitation will lead to a denial of service.
Additional details may be found in the full Offensive Security advisory and CA20121018-01: Security Notice for CA ARCserve Backup.
Impact
An unauthenticated attacker may be able to execute remote code with NT AUTHORITY\SYSTEM privileges.
Solution
Apply a Patch
* CA ARCserve Backup for Windows r12.5 apply patch RO49917
* CA ARCserve Backup for Windows r15 apply patch RO49916
* CA ARCserve Backup for Windows r16 apply patch RO49750
If you cannot patch for whatever reason please consider the following workarounds.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks.
Use the Microsoft Enhanced Mitigation Experience Toolkit
The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7.
Enable DEP in Microsoft Windows
Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts “Understanding DEP as a mitigation technology” part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.
Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.
Vendor Information
936363
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
CA Technologies Affected
Notified: July 11, 2012 Updated: August 31, 2012
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 7.8 | E:POC/RL:OF/RC:C |
| Environmental | 7.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- <http://www.offensive-security.com/vulndev/ca-arcserve-rwslist-remote-code-execution/>
- <https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={F9EEA31E-8089-423E-B746-41B5C9DD2AC1}>
Acknowledgements
Thanks to Matteo Memelli of Offensive Security for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
| CVE IDs: | CVE-2012-2971 |
|---|---|
| Date Public: | 2012-08-31 Date First Published: |
Related
