Security Notice for CA products running the Alert service
Issued: July 17th, 2007
Updated: April 10th, 2009
CA's customer support is alerting customers to security risks in CA products that implement the Alert service. Multiple vulnerabilities exist that can allow a remote attacker to cause a denial of service or execute arbitrary code. CA has issued an update to address the vulnerabilities.
The vulnerabilities, CVE-2007-3825, are due to insufficient bounds checking on received data by certain RPC procedures. An attacker can cause a buffer overflow, which can lead to arbitrary code execution or service failure.
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Protection Suites r3
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
How to determine if the installation is affected
For products on Windows:
- Using Windows Explorer, locate the file "alert.exe". By default, the file is located in the "C:Program FilesCASharedComponentsAlert" directory.
- Right click on the file and select Properties.
- Select the Version tab.
- If the file version is earlier than indicated in the below table, the installation is vulnerable.
|Product||File Name||File Version|
|CA Threat Manager for the Enterprise, CA Anti-Virus for the Enterprise||alert.exe||126.96.36.199|
|BrightStor ARCserve Backup r11.5, BrightStor ARCserve Backup r11.1||alert.exe||7.1.758.0|
This security notice has been superseded by the following notice:
CA has provided an update to address the vulnerabilities. The updated Alert service must be manually installed.
For CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8, CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8, CA Protection Suites r3: apply QO89817.
For ARCserve Backup and Enterprise Backup, apply Q096079.
As a temporary workaround, disable the Alert Notification Server service. Please note that the following alert functionality will be disabled:
- Email, Printer, SNMP, SMTP, and broadcast alerts
- Any configured alerts
- Alerts configured for reports and Server Admin
CVE-2007-3825 Multiple Alert buffer overflows
CVE-2007-3825 - An anonymous researcher working with the iDefense VCP.
Version 1.0: Initial Release
Version 1.1: Added CA Anti-Virus for the Enterprise to Affected Products
Version 1.2: Removed BrightStor ARCserve Client agent for Windows from Affected Products
Version 1.3: Changed solution information for BrightStor ARCserve Backup
Version 1.4: Updated ARCserve Backup and Enterprise Backup solution information
Version 1.5: Added ARCserve Backup file version and supersedes information
If additional information is required, please contact CA Technical Support at http://support.ca.com.
If you discover a vulnerability in CA products, please report your findings to our product security response team. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782