CA Backup Message Engine DoS (June 25, 2009)


The CA ARCserve Backup products offer data protection for distributed servers, clients, databases and applications. They offer centralized control over backup and restore operations among other services.

CA ARCserve Backup Message Engine is one of the services provided by BrightStor ARCserve Backup products. The engine accepts DCE-RPC messages on port TCP/6503 by default. DCE-RPC messages exchanged on this port have the following common format:

 Offset  Size  Description
 ------- ----- ----------------------------------
 0x0000  1     Major Version, 0x05
 0x0001  1     Minor Version, 0x00
 0x0002  1     Packet Type, 0 for Request Packet
 0x0003  1     Packet Flags, 0x80 for UUID set
 0x0004  4     Data Representation
 0x0008  2     Frag Length, N
 0x000A  2     Auth Length
 0x000C  4     Call ID
 0x0010  N-16  type-specific data

A type 0 packet (request) has the following format inside the type-specific data portion:

 Offset  Size  Description
 ------- ----- ----------------------------------
 0x0000  4     Alloc hint
 0x0004  2     Context ID
 0x0006  2     opcode
 0x0008  N-24  Stub Data

The opcode field represents the RPC operation number. The Stub Data field contains the arguments passed to the called RPC method. The structure of the Stub Data field is opcode specific and in this case defined by the vendor, CA. It has been determined that RPC messages having opcode 0x13 have the following structure:

 long (
   [in] long arg_1,
   [in] short arg_2,
   [in][size_is(65536), length_is(65536)] char * arg_3,
   [in] long arg_4,
   [out] long * arg_5
 );

A denial of service vulnerability exists in the CA ARCserve Backup Message Engine. The vulnerability is due to insufficient checks on user supplied parameters when handling opcode 0x13 RPC messages. When both arg_1 and arg_4 are set to 1, and arg_3 is a string 65536 characters long, the vulnerable code will end up referencing a null pointer. That causes a memory access violation which results in the termination of the CA ARCserve Backup Message Engine. This attack may be performed by unauthenticated remote users.
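The two header layouts above are enough to pick opcode 0x13 requests out of captured TCP/6503 traffic for review. The following Python parser is an added example, not SonicWALL's signature or CA's code; the function names are hypothetical, the sample packets are constructed with a short dummy stub, and the byte-order handling relies on the standard DCE-RPC Data Representation encoding.

```python
import struct

OPCODE_OF_INTEREST = 0x13  # opcode named in the advisory
HEADER_LEN = 16 + 8        # common header + request header, per the tables above

def parse_request(buf):
    """Return the header fields of one request fragment, or None if malformed."""
    if len(buf) < HEADER_LEN:
        return None
    major, minor, ptype, flags = struct.unpack_from("4B", buf, 0)
    if (major, minor, ptype) != (5, 0, 0):
        return None  # not a version 5.0 request packet
    # First Data Representation byte: high nibble 1 = little-endian integers, 0 = big-endian.
    endian = "<" if buf[4] >> 4 == 1 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", buf, 8)
    if not HEADER_LEN <= frag_len <= len(buf):
        return None  # length field disagrees with the bytes captured
    alloc_hint, context_id, opcode = struct.unpack_from(endian + "IHH", buf, 16)
    return {"flags": flags, "frag_len": frag_len, "auth_len": auth_len,
            "call_id": call_id, "alloc_hint": alloc_hint,
            "context_id": context_id, "opcode": opcode,
            "stub_len": frag_len - HEADER_LEN}

def is_opcode_0x13_request(buf):
    """True when buf is a well-formed request whose opcode is 0x13."""
    req = parse_request(buf)
    return req is not None and req["opcode"] == OPCODE_OF_INTEREST

def build_sample(opcode, little_endian=True, stub=b"\x00" * 8):
    """Constructed test input: headers in the page's layout plus a short dummy stub."""
    endian = "<" if little_endian else ">"
    drep = bytes([0x10 if little_endian else 0x00, 0, 0, 0])
    frag_len = HEADER_LEN + len(stub)
    common = (struct.pack("4B", 5, 0, 0, 0x80) + drep
              + struct.pack(endian + "HHI", frag_len, 0, 1))
    request = struct.pack(endian + "IHH", len(stub), 0, opcode)
    return common + request + stub

if __name__ == "__main__":
    for op in (0x01, 0x13):
        pkt = build_sample(op)
        print(hex(op), is_opcode_0x13_request(pkt), parse_request(pkt))
```

A match only says the opcode was called; whether such calls are expected from a given source is a question for the site's own baseline of backup traffic.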

SonicWALL has released an IPS signature which will detect and block generic attack attempts targeting this vulnerability. The following signature was released to address this issue.

  • 2118 – CA ARCserve Backup Message Engine DoS