Vulnerability Note VU#936363

CA ARCserve Backup opcode 0x7a RWSList remote code execution vulnerability

Original Release date: 30 Oct 2012 | Last revised: 30 Oct 2012


The CA ARCserve Backup authentication service, caauthd.exe, is susceptible to a pre-authentication remote code execution vulnerability. Arbitrary code will run with NT AUTHORITY\SYSTEM privileges. CA ARCserve Backup r16 SP1 was reported to be vulnerable.


The Offensive Security advisory states:

By replacing a particular xdr_rwslist object expected in an RPC authentication packet (opcode 0x7a) with another xdr_rwobject, function sub_416E80 will call a non-existent or invalid virtual function (RWSlistCollectables::at) that can be controlled by the attacker. Authentication is not required to trigger the bug and successful exploitation of this vulnerability for the caauthd.exe process will lead to remote code execution with NT AUTHORITY\SYSTEM privileges. Failed exploitation will lead to a denial of service.

Additional details may be found in the full Offensive Security advisory and CA20121018-01: Security Notice for CA ARCserve Backup.


An unauthenticated attacker may be able to execute remote code with NT AUTHORITY\SYSTEM privileges.


Apply a Patch

    • CA ARCserve Backup for Windows r12.5 apply patch RO49917
    • CA ARCserve Backup for Windows r15 apply patch RO49916
    • CA ARCserve Backup for Windows r16 apply patch RO49750

If you cannot patch for whatever reason please consider the following workarounds.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
CA TechnologiesAffected11 Jul 201231 Aug 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 7.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



Thanks to Matteo Memelli of Offensive Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-2971
  • Date Public: 31 Aug 2012
  • Date First Published: 30 Oct 2012
  • Date Last Updated: 30 Oct 2012
  • Document Revision: 24


If you have feedback, comments, or additional information about this vulnerability, please send us email.