Security Notice for CA ARCserve Backup - CA Technologies
{{search ? 'Close':'Search'}}

Security Notice for CA ARCserve Backup

Issued: October 09, 2008
Last Updated: February 24, 2010

CA's support is alerting customers to multiple security risks associated with CA ARCserve Backup. Multiple vulnerabilities exist that can allow a remote attacker to cause a denial of service or possibly execute arbitrary code. CA has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2008-4397, occurs due to insufficient validation of certain RPC call parameters by the message engine service. An attacker can exploit a directory traversal vulnerability to execute arbitrary commands.

The second vulnerability, CVE-2008-4398, occurs due to insufficient validation by the tape engine service. An attacker can make a request that will crash the service.

The third vulnerability, CVE-2008-4399, occurs due to insufficient validation by the database engine service. An attacker can make a request that will crash the service.

The fourth vulnerability, CVE-2008-4400, occurs due to insufficient validation of authentication credentials. An attacker can make a request that will crash multiple services.

Note: these issues only affect the base product.

Risk Rating

High

Platform

Windows

Affected Products

CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows*
CA ARCserve Backup r11.1 Windows*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

*Formerly known as BrightStor ARCserve Backup.

Non-Affected Products

CA ARCserve Backup r12.0 Windows SP1

How to determine if the installation is affected

CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows:

  1. Run the ARCserve Patch Management utility. From the Windows Start menu, it can be found under Programs->CA->ARCserve Patch Management->Patch Status.

  2. The main patch status screen will indicate if the respective patch in the table below is currently applied. If the patch is not applied, the installation is vulnerable.
ProductPatch
CA ARCserve Backup r12.0 WindowsRO01340
CA ARCserve Backup r11.5 WindowsRO02398, RO13721


For more information on the ARCserve Patch Management utility, read document TEC446265.

Alternatively, use the file information below to determine if the product installation is vulnerable.

CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows,
CA ARCserve Backup r11.1 Windows:

  1. Using Windows Explorer, locate the file "asdbapi.dll". By default, the file is located in the "C:Program FilesCABrightStor ARCserve Backup" directory.

  2. Right click on the file and select Properties.

  3. Select the General tab.

  4. If the file timestamp is earlier than indicated in the table below, the installation is vulnerable.
Product versionFile NameFile SizeTimestamp
CA ARCserve Backup r11.1 Windowsasdbapi.dll856064 bytes09/05/2008 10:35:19
CA ARCserve Backup r11.5 Windows*asdbapi.dll1249354 bytes09/05/2008 11:14:04
CA ARCserve Backup r12.0 Windowsasdbapi.dll992520 bytes08/09/2008 4:51:58


*CA Protection Suites r2 includes CA ARCserve Backup 11.5

Solution

CA has issued the following updates for systems that have an affected base product.

CA ARCserve Backup r12.0 Windows:
Apply Service Pack 1 (RO01340)

CA ARCserve Backup r11.5 Windows:
RO02398 and RO13721

CA ARCserve Backup r11.1 Windows:
RO02396

CA Protection Suites r2:
RO02398

Workaround

None

References

CVE-2008-4397 - Message engine command injection
CVE-2008-4398 - Tape engine denial of service
CVE-2008-4399 - Database engine denial of service
CVE-2008-4400 - Multiple service crash

Acknowledgement

CVE-2008-4397 - Haifei Li of Fortinet's FortiGuard Global Security Research Team
CVE-2008-4398 - Vulnerability Research Team of Assurent Secure Technologies, a TELUS Company
CVE-2008-4399 - Vulnerability Research Team of Assurent Secure Technologies, a TELUS Company
CVE-2008-4400 - Greg Linares of eEye Digital Security

Change History

Version 1.0: Initial Release
Version 1.1: Added RO13721 for ARCserve Backup 11.5 Windows as a replacement for a previously issued fix to resolve potential install issues with RO02398.

If additional information is required, please contact CA Support at https://support.ca.com.

If you discover a vulnerability in CA products, please report your findings to our product security response team.

Chat with CA

Just give us some brief information and we'll connect you to the right CA Expert.

Our hours of availability are 8AM - 5PM CST.

All Fields Required

connecting

We're matching your request.

Unfortunately, we can't connect you to an agent. If you are not automatically redirected please click here.

  • {{message.agentProfile.name}} will be helping you today.

    View Profile


  • Transfered to {{message.agentProfile.name}}

    {{message.agentProfile.name}} joined the conversation

    {{message.agentProfile.name}} left the conversation

  • Your chat with {{$storage.chatSession.messages[$index - 1].agentProfile.name}} has ended.
    Thank you for your interest in CA.


    How Did We Do?
    Let us know how we did so that we can maintain a quality experience.

    Take Our Survey >

    Rate Your Chat Experience.

    {{chat.statusMsg}}

agent is typing