* ____________________________________________________________________________ *
* ID: 11
* PRODUCT: LEWSVR
* RELEASE: 11.1
* DESC: WIN-SECURITY VULNERABILITY
* SYSTEMS AFFECTED: WINDOWS
* SOLUTION TEXT:

PRODUCT: BAB for Laptops & Desktops Server
RELEASE: 11.1
APAR #: QO91014
DATE: 20 SEP 2007

PROBLEM DESCRIPTION: WIN-SECURITY VULNERABILITY
----------------------------------------------------
This update addresses multiple vulnerabilities:

1. The server accepts connections with insufficient authentication
   verification.
2. Insufficient bounds checking during authentication can result in a
   buffer overflow.
3. Insufficient bounds checking during processing inbound commands can
   result in a buffer overflow.

The buffer overflow vulnerabilities can allow a remote attacker to execute
arbitrary code or cause a denial of service condition.

Please note that this fix does not need to be applied to the client machines.

PREREQS: QO83833
MPREREQS: None
COREQS: None
MCOREQS: None
SUPERSEDED: None
HYPER: YES
DISTRIBUTION CODE: A (A=Available, I=Internal)

PROBLEM RESOLUTION:

Follow the instructions below:

The following PREREQS must be applied before applying this fix: QO83833

This fix requires BrightStor ARCserve Backup for Laptops & Desktops
version 11.1 to be installed.

Install Instructions
--------------------
1. Unzip the fix file as follows:
      CAZIPXP -u QO91014.CAZ
2. Shutdown the BABLD11.1 Server
3. Apply the fix file as follows (selecting the "Apply PTF to local or
   remote nodes" option):
      APPLYPTF
      1) Choose QO91014lewmgr.jcl file, run it
      2) Choose QO91014lewsvr.jcl file, run it
4. Restart the BABLD11.1 Server.

If you want to apply the fix manually, follow steps 1 and 2 above.

3. Rename BMBServerCLI.exe, rxRPC.dll, rxRPCstub.dll under
      x:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server
4. Copy BMBServerCLI.exe, rxRPC.dll, rxRPCstub.dll to
      x:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server
5. Rename BMBServerCLI.exe, rxRPCstub.dll under
      x:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server Explorer
6. Copy BMBServerCLI.exe, rxRPCstub.dll to
      x:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server Explorer
7. Restart the BABLD11.1 Server.

=====================================================================
CAZIPXP.EXE can be found on web site:
http://support.ca.com/ca_common_docs/latest_cazipxp.html

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
To remove a fix applied via Applyptf:

1. Shutdown the BMB Server (including its service if you installed it
   as a service, using the WindowsNT/Windows2000 Services control panel).

2. Go to "replaced\fix_name" directory under the component/image
   directory where "fix_name" is the fix to be backed out,

3. Copy files under the "fix_name" directory to the component/image
   being sure to replace the files in the same directory structure as
   the replaced\fix_name directory

4. Restart the BMB Server (using the Services control panel if you
   installed the Server as a service).
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

PRODUCT(S) AFFECTED:
   BrightStor ARCserve Backup for Laptops    Release 11.0
   CA Desktop Management Suite               Release 11.1

DOWNLOAD INFORMATION:
---------------------
NODE:  ftp.ca.com
PATH:  /CAproducts/unicenter/BABLD/nt/SP2/QO91014
FILES: QO91014.DXJ
       QO91014.CAZ

UPDATED ROUTINES:
---------------
BMBServerCLI.exe    65536  MON JUN 18 14:32:16 2007
rxRPC.dll          114688  FRI JUL 20 17:25:24 2007
rxRPCstub.dll       53248  FRI JUL 20 17:25:28 2007

* ____________________________________________________________________________ *
* WINDOWS VERSION: 0   EFFECTIVE: 09/05/2007   ACTION: A
*** NO ZAPS FOR THIS VERSION ***
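
A post-install check for the steps above, added here as an example and not part of CA's readme: it parses the UPDATED ROUTINES listing and compares file sizes in the two target directories named in the manual steps. The install-root argument and the function names are assumptions; size is the only per-file attribute the readme publishes, so a match shows the files were replaced, not that they are intact.

```python
import os
import re
import sys

# UPDATED ROUTINES listing from the readme: name, size in bytes, date as listed.
UPDATED_ROUTINES = """\
BMBServerCLI.exe    65536  MON JUN 18 14:32:16 2007
rxRPC.dll          114688  FRI JUL 20 17:25:24 2007
rxRPCstub.dll       53248  FRI JUL 20 17:25:28 2007
"""

# Files each directory receives in the manual steps (relative to the install
# root). rxRPC.dll is copied to "server" only, not to "server Explorer".
TARGETS = {
    "server": ["BMBServerCLI.exe", "rxRPC.dll", "rxRPCstub.dll"],
    "server Explorer": ["BMBServerCLI.exe", "rxRPCstub.dll"],
}

LINE = re.compile(r"\s*(\S+)\s+(\d+)\s+\w{3}\s+\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\d{4}\s*$")


def parse_routines(text):
    """Return {file name: expected size in bytes} from the listing."""
    sizes = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            sizes[m.group(1)] = int(m.group(2))
    return sizes


def check_install(root, expected=None):
    """Return [(relative path, problem)] for files that are missing or the wrong size."""
    expected = expected or parse_routines(UPDATED_ROUTINES)
    problems = []
    for subdir, names in TARGETS.items():
        for name in names:
            path = os.path.join(root, subdir, name)
            rel = os.path.join(subdir, name)
            if not os.path.isfile(path):
                problems.append((rel, "missing"))
            elif os.path.getsize(path) != expected[name]:
                problems.append((rel, "size %d, expected %d"
                                 % (os.path.getsize(path), expected[name])))
    return problems


if __name__ == "__main__":
    # Usage: python check_qo91014.py "<install root>"
    issues = check_install(sys.argv[1])
    for rel, problem in issues:
        print("%s: %s" % (rel, problem))
    sys.exit(1 if issues else 0)
```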