Exploits For CA Backup Bug Appear
"If you haven't already patched your BrightStor ARCserve Backup software, now would be a really good time," said an analyst with the Internet Storm Center on the organization's handler's diary. "At least three different exploit codes and the code for a scanner have now been released."
Symantec confirmed that exploits were in the wild in an update to its DeepSight Threat Management System alert on the CA ARCserve for Windows vulnerability.
"Two exploit programs have been released, by a security researcher known as 'cybertronic,' which simply send a port binding or connect back payload to a vulnerable system," said Symantec. "[And] the public availability of an exploit tool designed to scan for and exploit hosts increases the likelihood of widespread exploitation occurring.
"Network administrators are strongly urged to ensure TCP and UDP ports 6050 and 6070 are filtered at the network perimeter, and that patches are deployed as soon as possible," Symantec continued.
Although Symantec said that its global network of sensors had not detected an upswing in scanning for the affected ports -- 6050 and 6070 -- that attackers would use to exploit the vulnerability, the Internet Storm Center's own network saw a ten-fold increase Thursday in scanning reports on port 6070 over the previous day.
Computer Associates has patched the vulnerable versions of ARCserve and published a security advisory outlining the problem and offering links to the fixes.