CA ARCserve Backup for Laptops and Desktops LGServer Handshake Buffer Overflow Assurent ID: FSC20080731-12 1. Affected Software CA ARCserve Backup for Laptops and Desktops version r11.5 CA ARCserve Backup for Laptops and Desktops version r11.1 SP2 CA ARCserve Backup for Laptops and Desktops version r11.1 SP1 CA ARCserve Backup for Laptops and Desktops version r11.1 CA ARCserve Backup for Laptops and Desktops version r11.0 CA Desktop Management Suite version 11.2 CA Desktop Management Suite version 11.1 CA Protection Suites version r2 CA Protection Suites version 3.0 CA Protection Suites version 3.1 Reference: http://ca.com/smb/product.aspx?id=5286 2. Vulnerability Summary There exists a buffer overflow vulnerability in the way CA ARCserve Backup for Laptops and Desktops handles incoming messages. The vulnerability is due to an integer underflow in the LGServer service. 3. Vulnerability Analysis A remote unauthenticated attacker may exploit the vulnerability by sending a malicious request to LGServer service on TCP port 1900. Successful exploitation would allow the attacker to cause a denial of service condition, potentially inject and execute arbitrary code with privileges of the affected service. 4. Vulnerability Detection Assurent has confirmed the vulnerability in: CA ARCserve Backup for Laptops and Desktops version r11.5 CA ARCserve Backup for Laptops and Desktops version r11.1 SP2 CA ARCserve Backup for Laptops and Desktops version r11.1 SP1 CA ARCserve Backup for Laptops and Desktops version r11.1 CA ARCserve Backup for Laptops and Desktops version r11.0 CA Desktop Management Suite version 11.2 CA Desktop Management Suite version 11.1 CA Protection Suites version r2 CA Protection Suites version 3.0 CA Protection Suites version 3.1 5. Workaround Apply the vendor patch or block communication from untrusted networks to affected assets. 6. Vendor Response CA has released a bulletin addressing this vulnerability. Reference: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181721 7. Disclosure Timeline 2008-05-30 Reported to vendor 2008-05-30 Initial vendor response 2008-07-31 Coordinated public disclosure 8. Credits Vulnerability Research Team, Assurent Secure Technologies, a TELUS company 9. References CVE: CVE-2008-3175 Vendor: 181721 10. About Assurent VRS Assurent's Vulnerability Research Service (VRS) for security product vendors, and Threat Protection Programs (TPP) for MSPs and enterprise security teams, help to eliminate the significant costs incurred by security product vendors, MSPs, and enterprise security teams in responding to and managing critical new security vulnerabilities and other threats including worm & virus outbreaks and high-risk spyware. The VRS and TPP services are real-time feeds providing subscribers with detailed analysis of the top security vulnerabilities, focused on the specific needs of each group of customers. http://www.assurent.com/