Computer Associates International last week disclosed a major security flaw in its data backup software, and analysts said the problem is an example of the kind of vulnerabilities that are making storage software more attractive to malicious hackers.
CA released patches to fix what it described as a "critical" vulnerability in its BrightStor ARCserve agent software, which is used to back up and restore data between servers and storage devices.
The buffer-overflow flaw exists in multiple versions of ARCserve Backup and Enterprise Backup for Windows and could allow attackers to take control of systems, execute code or launch denial-of-service attacks, CA warned in a security advisory.
What makes the threat particularly potent is the fact that many companies use the vulnerable CA software on production servers, said Michael Sutton, director of vulnerability research at iDefense, a security threat assessment firm that was recently acquired by VeriSign.
Attackers who take advantage of the flaw could access any data on unprotected servers, Sutton said. iDefense was credited with discovering the BrightStor vulnerability.
Data backup products are becoming increasingly attractive and easy targets for hackers, said Alan Paller, director of research at the SANS Institute, an organisation that does security training and research.
SANS, which compiles a quarterly list of the top 20 Internet security threats, included several vulnerabilities in widely used data-backup products from CA and Symantec's Veritas unit on the list that it released last month for the second quarter.
Such vulnerabilities are sure to attract the attention of malicious hackers because data backup products grant access to virtually all of a company's data, Paller said. He added that operating systems, which have traditionally been the most popular targets, are becoming harder to hack, resulting in more of a focus on relatively less-protected application servers and storage technologies.
So far, there has been little evidence of vulnerabilities in data backup products being widely exploited, said Jon Oltsik, an analyst at Enterprise Strategy Group. But the existence of so many flaws in popular products is worrisome because storage teams often know little about security issues and don't adhere to corporate policies, he said. "Storage has always been designed for performance and availability, not security," Oltsik noted.