Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

CA Faces Backup Flaw

Tape security flaw in CA's BrightStor ARCserve could open users to DOS attacks



Officials at the U.S. Computer Emergency Readiness Team (US-CERT) have identified a security vulnerability in CA's widely OEM'd BrightStor ARCserve Backup product, which they warn could leave users' systems open to attack.

Officials say that the flaw affects the software's Tape Engine feature, which allows ARCserve Backup products to use tape drives for storage. According to US-Cert, the tape engine contains a vulnerability that is caused by incorrect handling of Remote Procedure Call (RPC) requests, which allow programs to request services across a network.

CERT's Website warns that the vulnerability could be exploited by sending a malformed RPC request to port 6502/tcp on a vulnerable system. In the worst case scenario, officials add, a hacker could use this flaw to execute code on users' systems, which often results in a denial-of-service (DOS) attack. (See Symantec Tracks Cybercrime Rise, Check Point Protects Against BGP DOS , and Cisco Unveils DDOS Protection Solution.)

DOS attacks continue to wreak havoc amongst users. (See Symantec Tracks Cybercrime Rise, and Massive DOS Attacks Against ISPs on the Rise.) Earlier this year, for example, Sun's on-demand grid computing service got smacked with a DOS attack on its first day of service. (See Sun Grid Weathers DOS Attack and Sun Unveils Grid Portal.)

The vendor says that it is looking into the problem. "CA is aware of a vulnerability report describing a remotely exploitable buffer overflow in the Tape Engine component of CA BrightStor ARCserve Backup," explained spokesman Michael Kornspan in an email. The company continues to investigate; there is no word on when a patch might be issued. "Once we conclude our investigation and verify the reported vulnerability, we will provide remediation."

CA has several OEM partners for its ARCserve Backup product. The software, for example, is bundled with Iomega's REV SBS Data Protection offering, and has also been integrated with NEC's ExpressCluster solution. (See Iomega Creates Bundle and Iomega Ships With CA .)

Earlier this year, CA snapped up application availability specialist XOsoft for a reported $100 million in an attempt to boost its data protection story. (See CA Buys XOsoft.) The acquisition was partly driven by CA's desire to integrate XOsoft with ARCserve Backup for protecting and recovering critical applications (See Storage Shopping Spree.)

At least one analyst is urging CA to tackle the reported backup flaw as a matter of urgency. "It's something that CA should be addressing and issuing a patch for right away," says Mike Karp, senior analyst at Enterprise Management Associates, adding that the vulnerability represents yet another tape technology challenge.

"To me, it's a symptom of the fundamental problem of transferring data to tape," he told Byte & Switch. "The trail of custody on tapes is always bad," added Karp, highlighting the high-profile storage snafus at Time Warner and Iron Mountain. (See Tape Security Trips Up Users, A Tale of Lost Tapes, and Iron Mountain Keeps Truckin'.)

Until the flaw is fixed, CERT is urging users to focus attention on their firewalls in an attempt to tackle the ARCserve flaw. "Restricting access to port 6502/tcp at the network perimeter may mitigate the impact of this vulnerability," warns the agency in a note on its Web site. The scope of the vulnerability may also extend across different versions of ARCserve Backup, according to CERT.

The SANS Institute has warned that hackers are increasingly targeting weaknesses in backup and recovery applications. According to analysts, vulnerabilities could be exploited to attack systems running backup servers and clients, which opens up the possibility of an attacker gaining access to sensitive backed-up data. (See Backup Poses Risk, SANS Warns.)

— James Rogers, Senior Editor, Byte and Switch

  • CA Inc. (NYSE: CA)
  • CA XOsoft
  • Computer Emergency Response Team (CERT)
  • Enterprise Management Associates
  • Iomega Corp. (NYSE: IOM)
  • Iron Mountain Inc. (NYSE: IRM)
  • NEC Corp. (Nasdaq: NIPNY; Tokyo: 6701)
  • The SANS Institute
  • Time Warner Inc. (NYSE: TWX)

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Overcoming the Challenge of Shorter Certificate Lifespans
    Mike Cooper, Founder & CEO of Revocent,  10/15/2020
    7 Tips for Choosing Security Metrics That Matter
    Ericka Chickowski, Contributing Writer,  10/19/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-27605
    PUBLISHED: 2020-10-21
    BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
    CVE-2020-27606
    PUBLISHED: 2020-10-21
    BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
    CVE-2020-27607
    PUBLISHED: 2020-10-21
    In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
    CVE-2020-27608
    PUBLISHED: 2020-10-21
    In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
    CVE-2020-27609
    PUBLISHED: 2020-10-21
    BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.