SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   CA ARCserve Backup Vendors:   CA
ARCserveIT Storage Management Discloses Backup Account Password to Remote Users
SecurityTracker Alert ID:  1002419
SecurityTracker URL:  http://securitytracker.com/id/1002419
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 17 2001
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes  
Version(s): ARCserve for NT, version 6.61 SP2a; also confirmed by another user in ARCserve 2000 Advanced Edition, v. 7.0, build 1050, SP2
Description:   A file sharing vulnerability has been reported in Computer Associates' ARCserveIT for Windows NT. The default installation creates a world-readable file that contains the backup account username and password.

It is reported that the default install of ARCserveIT for Microsoft Windows NT creates a hidden share ('ARCSERVE$') with share permissions that allow all users in a domain to map this share.

The software reportedly creates a file named 'aremote.dmp' within the share (ARCSERVE$\DR\<NAME of SERVER>\aremote.dmp). This file apparently contains the name of the NT account that runs the backup as well as the password for that account.

The vendor has reportedly been notified and will be making a patch available.
Impact:   A remote user can access a shared file that contains the backup account user name and password. This could be the administrator account if the backup is run from the administrator account.
Solution:   No solution was available at the time of this entry. The vendor is reportedly preparing patches.
Vendor URL:  www.ca.com/arcserveit/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (NT)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Patch Available) Re: ARCserveIT Storage Management Discloses Backup Account Password to Remote Users   (Marcus Bednorz <m.be@oevermann.de>)
A patch is available.


 Source Message Contents
Date:  Sun, 16 Sep 2001 00:27:07 -0400
Subject:  ARCserve 6.61 Share Access Vulnerability


I have found a vulnerability with ARCServe for NT 6.61 SP2a. I stumbled upon this while performing a vulnerability analysis. 

Details:

The default install of ARCServe for NT creates a hidden share on Windows NT machines when it is installed.

The name of this share is ARCSERVE$.

The permissions of the share allow all users in a domain to map this share. However, this is not the worst part.

Within the share is a file named aremote.dmp.  The full path is ARCSERVE$\DR\<NAME of SERVER>\aremote.dmp.

In the aremote.dmp file, the account name that runs the backup is in cleartext within this file.  Also, a little further
within the file, the password for the account is in cleartext.

Seeing as how the account that performs backups can access system files, this is very dangerous.  Some places run their
backups as the NT domain administrator account.

Fix:

CA has been notified and will be making a patch available to all customers.


Also, it _should_ be possible to change the share permissions, allowing only the backup account and the administrator access to the
 share.


I am not sure if this is in ARCServe 2000 or in releases prior, as I have not checked them.

- rdr


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC