CA Backup Message Engine DoS
03/26/2020 
3 
10585
DESCRIPTION:
CA Backup Message Engine DoS
RESOLUTION:
CA Backup Message Engine DoS (June 25, 2009)
The CA ARCserve Backup products offer data protection for distributed servers, clients, databases and applications. They offer centralized control over backup and restore operations among other services.
CA ARCserve Backup Message Engine is one of the services provided by BrightStor ARCserve Backup products. The engine accepts DCE-RPC messages on port TCP/6503 by default. DCE-RPC messages exchanged on the said port have the following common format:
Offset Size Description
------- ----- ----------------------------------
0x0000 1 Major Version, 0x05
0x0001 1 Minor Version, 0x00
0x0002 1 Packet Type, 0 for Request Packet
0x0003 1 Packet Flags, 0x80 for UUID set
0x0004 4 Data Representation
0x0008 2 Frag Length, N
0x000A 2 Auth Length
0x000C 4 Call ID
0x0010 N-16 type-specific data
A type 0 packet (request) has the following format inside the type-specific data portion:
Offset Size Description
------- ----- ----------------------------------
0x0000 4 Alloc hint
0x0004 2 Context ID
0x0006 2 opcode
0x0008 N-24 Stub Data
The opcode field represents the RPC operation number. The Stub Data field contains the arguments passed to the called RPC method. The structure of the Stub Data field is opcode specific and in this case defined by the vendor, CA. It has been determined that RPC messages having opcode 0x13 have the following structure:
long (
[in] long arg_1,
[in] short arg_2,
[in][size_is(65536), length_is(65536)] char * arg_3,
[in] long arg_4,
[out] long * arg_5
);
A denial of service vulnerability exists in the CA ARCserve Backup Message Engine. The vulnerability is due to insufficient checks on user supplied parameters when handling opcode 0x13 RPC messages. When both arg_1 and arg_4 are set to 1, and arg_3 is a string 65536 characters long, the vulnerable code will end up referencing a null pointer. That causes a memory access violation which results in the termination of the CA ARCserve Backup Message Engine. This attack may be performed by unauthenticated remote users.
SonicWall has released an IPS signature which will detect and block generic attack attempts targeting this vulnerability. The following signature was released to address this issue.
- 2118 - CA ARCserve Backup Message Engine DoS
Click
here to read the complete security alert from SonicWall Security Centre.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
