Our original fixes for the BrightStor ARCserve Backup vulnerabilities that we publicly disclosed on 2006-10-05 (http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=93775&date=2006/10) did not completely resolve one of the vulnerabilities. Consequently, we have released new fixes that need to be applied. Please note that these do not replace the original fixes. Both fixes (each release needs two fixes) need to be applied.

A revised advisory can be found below, and at this link.
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=94397&date=2006/10

Title: CAID 34693, 34694: CA BrightStor ARCserve Backup Multiple Buffer Overflow Vulnerabilities (UPDATED)

CA Vulnerability ID (CAID): 34693, 34694

CA Advisory Date: 2006-10-05
CA Revised Advisory Date: 2006-10-19

Discovered By: TippingPoint, www.zerodayinitiative.com

Impact: Remote attacker can execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains multiple buffer overflow conditions that allow remote attackers to execute arbitrary code with local SYSTEM privileges on Windows. These issues affect the BrightStor Backup Agent Service, the Job Engine Service, and the Discovery Service in multiple BrightStor ARCserve Backup application agents and the Base product.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:

BrightStor Products:
- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not have this vulnerability)
- BrightStor ARCserve Backup r11.1
- BrightStor ARCserve Backup for Windows r11
- BrightStor Enterprise Backup 10.5
- BrightStor ARCserve Backup v9.01

CA Protection Suites r2:
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
- CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

Affected platforms: Microsoft Windows

Status and Recommendation:
Customers with vulnerable versions of the BrightStor ARCserve Backup products should upgrade to the latest versions which are available for download from http://supportconnect.ca.com.
Solution Document Reference APARs:
QO82860, QO82863, QO82917, QO82856, QO82858

The original fixes did not completely resolve one of the vulnerabilities. Consequently, an additional fix needs to be applied. Please note that these do not replace the original fixes. Both fixes (each release needs two fixes) need to be applied.
Solution Document Reference APARs:
QO83306, QO83307, QO83308, QO83309

Determining if you are affected:
For a list of updated files, and instructions on how to verify that the security update was fully applied, please review the Informational Solution referenced in the appropriate Solution Document.

References (URLs may wrap):

CA SupportConnect:
http://supportconnect.ca.com/

CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for BrightStor ARCserve Backup (Buffer Overrun)
http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp

Solution Document Reference APARs:
QO82860, QO82863, QO82917, QO82856, QO82858, QO83306, QO83307, QO83308, QO83309

CA Security Advisor Research Blog postings:
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=93775&date=2006/10
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=94397&date=2006/10

CAID: 34693, 34694
CAID Advisory links:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34694

Discoverer: TippingPoint
http://www.tippingpoint.com/security/advisories/TSRT-06-11.html
http://www.tippingpoint.com/security/advisories/TSRT-06-12.html
http://www.zerodayinitiative.com/advisories/ZDI-06-030.html
http://www.zerodayinitiative.com/advisories/ZDI-06-031.html

CVE Reference: CVE-2006-5142, CVE-2006-5143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143

OSVDB References: OSVDB IDs: 29580, 29533, 29534, 29535
http://osvdb.org/29580
http://osvdb.org/29533
http://osvdb.org/29534
http://osvdb.org/29535

Changelog for this advisory:
v1.0 - Initial Release
v2.0 - Advisory updated: new fixes available that must be installed, IN ADDITION TO the original fixes, to properly resolve all of the vulnerability issues. Fixed incorrect blog link. Added OSVDB references.

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to vuln@ca.com, or contact me directly.

If you discover a vulnerability in CA products, please report your findings to vuln@ca.com, or utilize our "Submit a Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright © 2006 CA. All rights reserved.