CA20090615-01: CA ARCserve Backup Message Engine Denial of Service Vulnerabilities

Title: CA20090615-01: CA ARCserve Backup Message Engine Denial of
Service Vulnerabilities

CA Advisory Reference: CA20090615-01

CA Advisory Date: 2009-06-15

Reported By: iViZ Security Research Team

Impact: A remote attacker can cause a denial of service.

Summary: CA ARCserve Backup contains multiple vulnerabilities in
the message engine that can allow a remote attacker to cause a
denial of service. CA has issued an update to address the
vulnerabilities. The vulnerabilities, CVE-2009-1761, occur due to
insufficient verification of data sent to the message engine. An
attacker can make requests that can cause the message engine to

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Medium risk rating.

Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r12.0 SP 1 Windows

Non-Affected Products:
CA ARCserve Backup r11.5 SP 4 Windows
CA ARCserve Backup r12.0 SP 2 Windows
CA ARCserve Backup r12.5

Affected Platforms:

Status and Recommendation:
CA has issued the following patches to address the vulnerabilities.

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
Install Service Pack 2 RO08383.

How to determine if the installation is affected:

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
   1. Run the ARCserve Patch Management utility. From the Windows
      Start menu, the program can be found under
      Programs->CA->ARCserve Patch Management->Patch Status.
   2. The main patch status screen will indicate if the patch in
      the below table is applied. If the patch is not applied,
      then the installation is vulnerable.

Product                                          Patch

CA ARCserve Backup r12.0, r12.0 SP1 Windows      RO08383

For more information on the ARCserve Patch Management utility,
read document TEC446265.

As a workaround solution, disable the Apache HTTP Server with the
"stopgui" command. To re-enable the server, run "startgui".

Stopping the Apache HTTP Server will prevent the ARCserve user
from performing GUI operations. Most of the operations provided by
the GUI can be accomplished via the command line.

Alternatively, restrict remote network access to reduce exposure.

References (URLs may wrap):
CA Support:
CA20090615-01: Security Notice for CA ARCserve Backup Message
Solution Document Reference APARs:
RO08383, TEC446265
CA Security Response Blog posting:
CA20090615-01: CA ARCserve Backup Message Engine Denial of Service
Reported By: iViZ Security Research Team
CVE References:
OSVDB References: Pending

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at

For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.

Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team

CA, 1 CA Plaza, Islandia, NY 11749
Copyright (c) 2009 CA. All rights reserved.