Vulnerability Note VU#936363
CA ARCserve Backup opcode 0x7a RWSList remote code execution vulnerability
The CA ARCserve Backup authentication service, caauthd.exe, is susceptible to a pre-authentication remote code execution vulnerability. Arbitrary code will run with NT AUTHORITY\SYSTEM privileges. CA ARCserve Backup r16 SP1 was reported to be vulnerable.
The Offensive Security advisory states:
By replacing a particular xdr_rwslist object expected in an RPC authentication packet (opcode 0x7a) with another xdr_rwobject, function sub_416E80 will call a non-existent or invalid virtual function (RWSlistCollectables::at) that can be controlled by the attacker. Authentication is not required to trigger the bug and successful exploitation of this vulnerability for the caauthd.exe process will lead to remote code execution with NT AUTHORITY\SYSTEM privileges. Failed exploitation will lead to a denial of service.
An unauthenticated attacker may be able to execute remote code with NT AUTHORITY\SYSTEM privileges.
Apply a Patch
If you cannot patch for whatever reason please consider the following workarounds.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|CA Technologies||Affected||11 Jul 2012||31 Aug 2012|
CVSS Metrics (Learn More)
Thanks to Matteo Memelli of Offensive Security for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: CVE-2012-2971
- Date Public: 31 Aug 2012
- Date First Published: 30 Oct 2012
- Date Last Updated: 30 Oct 2012
- Document Revision: 24
If you have feedback, comments, or additional information about this vulnerability, please send us email.