search menu icon-carat-right cmu-wordmark

CERT Coordination Center

CA ARCserve Backup opcode 0x7a RWSList remote code execution vulnerability

Vulnerability Note VU#936363

Original Release Date: 2012-10-30 | Last Revised: 2012-10-30


The CA ARCserve Backup authentication service, caauthd.exe, is susceptible to a pre-authentication remote code execution vulnerability. Arbitrary code will run with NT AUTHORITY\SYSTEM privileges. CA ARCserve Backup r16 SP1 was reported to be vulnerable.


The Offensive Security advisory states:

By replacing a particular xdr_rwslist object expected in an RPC authentication packet (opcode 0x7a) with another xdr_rwobject, function sub_416E80 will call a non-existent or invalid virtual function (RWSlistCollectables::at) that can be controlled by the attacker. Authentication is not required to trigger the bug and successful exploitation of this vulnerability for the caauthd.exe process will lead to remote code execution with NT AUTHORITY\SYSTEM privileges. Failed exploitation will lead to a denial of service.

Additional details may be found in the full Offensive Security advisory and CA20121018-01: Security Notice for CA ARCserve Backup.


An unauthenticated attacker may be able to execute remote code with NT AUTHORITY\SYSTEM privileges.


Apply a Patch

    • CA ARCserve Backup for Windows r12.5 apply patch RO49917
    • CA ARCserve Backup for Windows r15 apply patch RO49916
    • CA ARCserve Backup for Windows r16 apply patch RO49750

If you cannot patch for whatever reason please consider the following workarounds.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

Vendor Information

Affected   Unknown   Unaffected

CA Technologies

Notified:  July 11, 2012 Updated:  August 31, 2012



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 7.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



Thanks to Matteo Memelli of Offensive Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2012-2971
Date Public: 2012-08-31
Date First Published: 2012-10-30
Date Last Updated: 2012-10-30 20:06 UTC
Document Revision: 24

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.