Check Point Advisories

CA ARCserve D2D Axis2 Default Credentials Remote Code Execution (CVE-2010-0219)

Vulnerability
Protection

Check Point Reference:	CPAI-2011-016
Date Published:	8 Feb 2011
Severity:	Critical
Last Updated:	Monday 17 December, 2018
Source:
Industry Reference:	CVE-2010-0219
Protection Provided by:	Security Gateway R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description	CA ARCserve D2D is a disk-based backup solution that allows protecting and recovering business data on both physical and virtual servers. It includes a web 2.0 interface that proactively delivers updates. A remote code execution vulnerability has been reported in CA ARCserve D2D. The vulnerability is due to an authentication weakness in the Apache Axis component of the product. When the software is installed, default credentials are assigned to the Axis2 web services component. A remote attacker may leverage this issue to upload a malicious web service to a target system, enabling arbitrary code execution within the security context of an Axis2 web service.

Protection Overview

This protection will detect and block unauthorized attempts to connect to CA ARCserve D2D by default admin user.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

In the IPS tab, click Protections and find the CA ARCserve D2D Axis2 Default Credentials Remote Code Execution protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: CA Products Enforcement Violation.
Attack Information: CA ARCserve D2D Axis2 default credentials remote code execution