Date: 05 January 2011
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0009
Security Notice for CA ARCserve D2D
5 January 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: CA ARCserve D2D r15
Publisher: CA
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Mitigation
Original Bulletin:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={26223DAB-1FA0-4EF9-864E-6CE3278FE503}
- --------------------------BEGIN INCLUDED TEXT--------------------
CA20101231-01: Security Notice for CA ARCserve D2D
Issued: December 31, 2010
CA Technologies support is alerting customers to a security risk with
CA ARCserve D2D. A vulnerability exists that can allow a remote
attacker to execute arbitrary code. CA has issued an Information
Solution to address the vulnerability.
The vulnerability is due to default vulnerabilities inherent in the
Tomcat and Axis2 3rd party software components. A remote attacker can
exploit the implementation to execute arbitrary code.
Risk Rating
High
Platform
Windows
Affected Products
CA ARCserve D2D r15
How to determine if the installation is affected
Using Windows Explorer, go to the directory
"\TOMCAT\webapps\WebServiceImpl", and look for the existence of a
folder called "axis2-web".
Solution
A permanent solution will be posted soon at
https://support.ca.com/
In the meantime, the following workaround can be implemented to
address the vulnerability.
1. Stop "CA ARCserve D2D Web Service" from service control manager.
2. Go to the directory "<D2D_HOME>\TOMCAT\webapps\WebServiceImpl",
and remove the folder "axis2-web".
3. Edit "<D2D_HOME>\TOMCAT\webapps\WebServiceImpl\WEB-INF\web.xml",
and remove the content of AxisAdminServlet's servlet and servlet
mapping.
The content to remove will look like the text below:
- <servlet>
<display-name>Apache-Axis Admin Servlet Web Admin</display-name>
<servlet-name>AxisAdminServlet</servlet-name>
<servlet-class>org.apache.axis2.transport.http.AxisAdminServlet</s
ervlet-class>
<load-on-startup>100</load-on-startup>
</servlet>
- <servlet-mapping>
<servlet-name>AxisAdminServlet</servlet-name>
<url-pattern>/axis2-admin/*</url-pattern>
</servlet-mapping>
4. Change the username and password parameters in the axis2.xml file
to stronger credentials that conform to your organization's
password policies.
"<D2D_HOME>\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml"
<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>
5. Start "CA ARCserve D2D Web Service".
References
CVE-201X-XXXX - CVE Reference Pending
CA ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet
Code Execution Vulnerability Poc Dec 30 2010 11:04 a.m.
http://www.securityfocus.com/archive/1/515494/30/0/threaded
http://marc.info/?l=bugtraq&m=129373168501496&w=2
Computer Associates ARCserve D2D r15 Web Service Apache Axis2 World
Accessible Servlet Code Execution Vulnerability Poc
http://retrogod.altervista.org/9sg_ca_d2d.html
Acknowledgement
rgod
Change History
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies
Support at https://support.ca.com.
If you discover a vulnerability in a CA Technologies product, please
report your findings to the CA Technologies Product Vulnerability
Response Team
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFNI88e/iFOrG6YcBERAtGXAKCv/fzbxDIbFEXBgiMJ+BNt3HxJWwCgr2yJ
ouMItHM0yvPcgjHRf5CqLeg=
=KvlK
-----END PGP SIGNATURE-----
|