CVE-2011-3011
Published 2011-08-15
Priority: P2 61, medium 5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 72.26% (99.4th percentile)
BaseServiceImpl.class in CA ARCserve D2D r15 does not properly handle sessions, which allows remote attackers to obtain credentials, and consequently execute arbitrary commands, via unspecified vectors.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ca | arcserve_d2d | — | — |
Detection & IOCs (extracted from sources)
- Alert on cleartext credential disclosure in HTTP responses containing both '"user"' and '"password"' JSON keys from the CA ARCserve D2D web service on port 8014, indicating successful exploitation.
- After credential disclosure, the exploit chains into SMB/PsExec lateral movement on port 445 using harvested Windows Administrator credentials; correlate port 8014 exploitation with subsequent SMB activity to the same host.
- The vulnerability resides in BaseServiceImpl.class in CA ARCserve D2D r15; monitor for unauthenticated or session-less GWT RPC calls to the homepage servlet as an indicator of exploitation.
- The disclosed credentials are Windows Administrator-level credentials, meaning successful exploitation grants full OS-level access, not just application access.
- Credentials are returned in cleartext within the HTTP response body, making network-level interception (e.g., passive sniffing on port 8014) also a viable detection/collection vector.
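The first two detections above, combined into one correlation pass. This is an added example, not code from the page, the vendor or any detection product. The event schema, the sample events and the 30-minute correlation window are assumptions made for illustration; only port 8014, port 445 and the two JSON keys come from the text.

```python
from datetime import datetime, timedelta

D2D_PORT = 8014                  # ARCserve D2D web service port named above
SMB_PORT = 445
WINDOW = timedelta(minutes=30)   # assumption: correlation window, tune locally

# Constructed sample events (not real traffic). "http" events are responses
# sent by server:port to client; "conn" events are new TCP connections.
EVENTS = [
    {"ts": "2011-08-15T09:00:00", "type": "http", "server": "10.0.0.5",
     "port": 8014, "client": "10.0.0.20", "body": '{"user":"backup-admin"}'},
    {"ts": "2011-08-15T10:00:00", "type": "http", "server": "10.0.0.5",
     "port": 8014, "client": "192.0.2.44",
     "body": '{"user":"Administrator","password":"<redacted>"}'},
    {"ts": "2011-08-15T10:04:10", "type": "conn", "server": "10.0.0.5",
     "port": 445, "client": "192.0.2.44"},
    {"ts": "2011-08-15T10:15:00", "type": "http", "server": "10.0.0.9",
     "port": 80, "client": "10.0.0.20",
     "body": '{"user":"a","password":"<redacted>"}'},   # wrong port: ignored
    {"ts": "2011-08-15T10:30:00", "type": "conn", "server": "10.0.0.7",
     "port": 445, "client": "10.0.0.20"},               # precedes the leak below
    {"ts": "2011-08-15T11:00:00", "type": "http", "server": "10.0.0.7",
     "port": 8014, "client": "192.0.2.44",
     "body": '{"user":"Administrator","password":"<redacted>"}'},
]

def leaks_credentials(event):
    """True for an HTTP response from the D2D port carrying both JSON keys."""
    return (event["type"] == "http" and event["port"] == D2D_PORT
            and '"user"' in event["body"] and '"password"' in event["body"])

def correlate(events):
    """One alert per disclosure; escalate when SMB to the same host follows."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for e in events:
        if not leaks_credentials(e):
            continue
        t0 = datetime.fromisoformat(e["ts"])
        smb = [c for c in events
               if c["type"] == "conn" and c["port"] == SMB_PORT
               and c["server"] == e["server"]
               and t0 <= datetime.fromisoformat(c["ts"]) <= t0 + WINDOW]
        alerts.append({"host": e["server"], "client": e["client"], "ts": e["ts"],
                       "severity": "critical" if smb else "high",
                       "smb_sources": sorted({c["client"] for c in smb})})
    return alerts
```

A disclosure alone is rated high because the credentials are already exposed; the follow-on SMB connection raises it to critical and identifies the host to contain first.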
No detection rules found.
Exploit-DB
CA Arcserve D2D - GWT RPC Credential Information Disclosure (Metasploit)
exploitdb·2011-07-25
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule 'CA Arcserve D2D GWT RPC Credential Information Disclosure',
  'Description' => %q{
    This module exploits an information disclosure vulnerability in the CA Arcserve
    D2D r15 web server. The information disclosure can be triggered by sending a
    specially crafted RPC request to the homepage servlet. This causes CA Arcserve to
    disclosure the username and password in cleartext used for authentication. This
    username and password pair are Windows credentials with Administrator access.
  },
  'Author' =>
    [
      'bannedit', # metasploit module
      'rgod', # or
```
Metasploit
CA Arcserve D2D GWT RPC Credential Information Disclosure
This module exploits an information disclosure vulnerability in the CA Arcserve D2D r15 web server. The information disclosure can be triggered by sending a specially crafted RPC request to the homepage servlet. This causes CA Arcserve to disclose the username and password in cleartext used for authentication. This username and password pair are Windows credentials with Administrator access.
No writeups or analysis indexed.
References
- http://securityreason.com/securityalert/8338
- http://www.securityfocus.com/archive/1/519234/100/0/threaded
- http://www.securityfocus.com/bid/48897
- https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7B7D3ACC0F-6C01-4BE2-B5C0-C430CEB45BE6%7D