A hole has been found in CA's BrightStor ARCserve backup product.

The US Computer Emergency Response Team (US-CERT) has posted details on its website.

The ARCserve Tape Engine component doesn't securely handle RPC (remote procedure call) requests with the result that a malicious attacker could send a malformed RPC request to port 6502/tpc on a system using ARCserve and then run arbitrary code with system privileges on that server. The Tape Engine (tapeeng.exe) weakness is due to a classic buffer overflow error.

Attackers could use the flaw to install and run malware on affected systems. The malware could be used for posting Spam messages or mounting denial of service attacks on websites.

Version 11.5 of ARCserve has been found to be vulnerable. Earlier versions may also be affected. CA is aware of the weakness and working on developing a fix. For the moment the only known way to block such attacks is by blocking port 6502/tcp.

A CA security advisory note plus a follow-up outlined earlier ARCserve security weaknesses in October. These concerned the BrightStor Backup Agent Service, the Job Engine Service, and the Discovery Service in multiple BrightStor ARCserve Backup application agents and the Base product. CA issued patches to resolve these problems.

ARCserve was patched in August last year to repulse malware attacks. It was also patched after an earlier vulnerability was found in CA anti-virus software in May 2005.

Affected users of the latest vulnerability include those with some Iomega Storcenter network-attached storage (NAS) products. These employ ARCserve backup software.