The vulnerability lies in CA's BrightStor ARCserve Backup Agents and BrightStor Enterprise Backup Agents, according to an alert from the French Security Incident Response Team released on Wednesday. The software handles backups of critical systems, FrSirt said.
CA issued software patches to fix the problem on Tuesday.
With the flaw, an intruder could gain full control over the system that runs the backup software by sending an especially crafted request to the agent, said FrSirt, which rates the issue "critical." Code that exploits the flaws is available on the Internet, the French research organisation noted.
Data backup tools have become easy targets for attackers, the SANS Institute said in its most recent quarterly security update. Serious security vulnerabilities have been disclosed in products from CA and Veritas in recent months, SANS said.
The BrightStor problem is caused by a remote buffer overflow error in the CA software, according to an advisory from iDefense, which is credited with the discovery of the flaw. Users should apply the fixes or, as a work-around, restrict access to the backup agents from remote networks, iDefense said.
