1. Introduction
BrightStor ARCserve Backup for Laptops & Desktops Server is a backup solution for remote Windows PCs. A service running on affected hosts allows remote administration via Server Explorer. This poses a risk as incoming traffic to this port isn’t restricted by default, potentially allowing unauthorised access. Successful exploitation could lead to data compromise or system control.
2. Technical Explanation
The ARCserve Backup for Laptops & Desktops Server Admin Service listens on a TCP port used for remote administration through the application’s Server Explorer. The service does not enforce strict access controls, meaning anyone who can reach the port may be able to administer the backup server remotely. There is no known CVE associated with this specific issue, but it represents a general security risk due to an open port and a lack of authentication. An attacker could connect to the port and potentially gain control over backups or the host system.
- Root cause: Insufficient access controls on the remote administration service.
- Exploit mechanism: An attacker connects to the exposed TCP port and attempts to administer the ARCserve Backup server remotely without authentication.
- Scope: Windows systems running BrightStor ARCserve Backup for Laptops & Desktops Server (formerly BrightStor Mobile Backup Server).
3. Detection and Assessment
You can confirm whether a system is affected by checking for the presence of the service and its listening port, then verifying network accessibility.
- Quick checks: Use Task Manager to check for running processes related to ARCserve Backup. Run `netstat -an | findstr <port>` in a command prompt (replace `<port>` with the relevant port) to verify that the service is listening on the expected port; for the typical port this is `netstat -an | findstr 13500`.
- Scanning: Nessus plugin ID 136284 can detect this service. This is an example only; other scanners may also provide detection.
- Logs and evidence: Check Windows Event Logs for events related to ARCserve Backup Server administration or network connections on the relevant port.
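A PowerShell variant of the quick checks above, added here as an example and not taken from the original page or the vendor: it lists what is listening on the admin port together with the owning process and flags established sessions from hosts outside the allow list. It assumes the typical port 13500 and the page's example client address 192.168.1.100; adjust the parameters to your environment.

```powershell
# Added example (not from the original page): assess the ARCserve admin port.
# Assumptions: port 13500 (the page's "typical" value) and 192.168.1.100 as the
# only legitimate Server Explorer client (the page's example address).
param(
    [int]      $Port         = 13500,
    [string[]] $AllowedHosts = @('192.168.1.100')
)

# Listening sockets on the port, with the owning process name.
# -ErrorAction SilentlyContinue suppresses the "no objects found" error when nothing listens.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP $Port; the admin service may not be installed or running."
    return
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ("Listening on {0}:{1} (PID {2}, process {3})" -f `
        $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
}

# Established sessions on the port whose peer is not in the allow list.
$foreign = Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
    Where-Object { $AllowedHosts -notcontains $_.RemoteAddress }
if ($foreign) {
    Write-Output "Established connections from hosts that are NOT in the allow list:"
    $foreign | Select-Object RemoteAddress, RemotePort, State | Format-Table -AutoSize
} else {
    Write-Output "No established connections from hosts outside the allow list."
}
```

Run it in an elevated PowerShell session on the backup server; a non-empty "NOT in the allow list" table is evidence that the port is reachable from hosts that should not be administering backups.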
4. Solution / Remediation Steps
Limit incoming traffic to the port used by the ARCserve Backup for Laptops & Desktops Server Admin Service to only hosts that legitimately require access via Server Explorer.
4.1 Preparation
- Ensure you have network connectivity details for any legitimate Server Explorer clients. The roll-back plan is to restore from the snapshot/backup and restart the service.
- Changes should be made during a scheduled maintenance window with appropriate approvals.
4.2 Implementation
- Step 1: Configure the Windows Firewall to allow incoming traffic on the ARCserve Backup port (typically TCP 13500) only from trusted IP addresses or network ranges. Use the following PowerShell command, replacing `<ip>` with the allowed client’s IP and `<port>` with the service’s port: `New-NetFirewallRule -DisplayName "ARCserve Backup Port Restriction" -Direction Inbound -Protocol TCP -LocalPort <port> -RemoteAddress <ip> -Action Allow`
- Step 2: Verify that all other incoming traffic to the ARCserve Backup port is blocked by default, and confirm that the restriction rule is present using `Get-NetFirewallRule | Where-Object {$_.DisplayName -eq "ARCserve Backup Port Restriction"}`.
4.3 Config or Code Example
Before:
```powershell
# Returns nothing while no restriction rule exists
Get-NetFirewallRule | Where-Object {$_.DisplayName -eq "ARCserve Backup Port Restriction"}
```
After:
```powershell
New-NetFirewallRule -DisplayName "ARCserve Backup Port Restriction" -Direction Inbound -Protocol TCP -LocalPort 13500 -RemoteAddress 192.168.1.100 -Action Allow
```
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue.
- Practice 1: Least privilege – restrict network access to only necessary IP addresses and ports.
- Practice 2: Network segmentation – isolate critical systems on separate networks to limit the blast radius of attacks.
4.5 Automation (Optional)
If you have many servers, use a configuration management tool like Ansible or PowerShell DSC to automate firewall rule creation and enforcement.
```powershell
# Example PowerShell script snippet for multiple servers:
# Requires PowerShell Remoting (WinRM) to be enabled on each target server.
$servers = @("server1", "server2", "server3")
foreach ($server in $servers) {
    # Create the restriction rule on each server; adjust -LocalPort and -RemoteAddress to your environment
    Invoke-Command -ComputerName $server -ScriptBlock {
        New-NetFirewallRule -DisplayName "ARCserve Backup Port Restriction" -Direction Inbound -Protocol TCP -LocalPort 13500 -RemoteAddress 192.168.1.100 -Action Allow
    }
}
```
5. Verification / Validation
Confirm the fix by verifying that only allowed IP addresses can connect to the ARCserve Backup port and that other connections are blocked.
- Post-fix check: Run `netstat -an | findstr <port>` (replace `<port>` with the service’s port, e.g. `netstat -an | findstr 13500`) and verify that the service is still listening and that any established connections on the port come only from localhost or allowed IP addresses.
- Re-test: Attempt to connect to the ARCserve Backup port from an unauthorized host. The connection should be blocked.
- Smoke test: Verify that legitimate Server Explorer clients can still administer backups as expected.
- Monitoring: Monitor Windows Firewall logs for blocked connections on the ARCserve Backup port, which would indicate attempted unauthorised access.
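The following PowerShell check, an added example and not code from the original page, covers both Step 2 of section 4.2 and the post-fix check above: it confirms that the restriction rule exists and is scoped to specific remote addresses, that every enabled firewall profile blocks unmatched inbound traffic by default (which is what actually keeps other hosts out), and that no other enabled inbound allow rule opens the same port more widely. It assumes port 13500 and the rule name used on this page.

```powershell
# Added example (not from the original page): verify the firewall restriction.
# Assumptions: TCP port 13500 and the rule name "ARCserve Backup Port Restriction".
$Port     = 13500
$RuleName = 'ARCserve Backup Port Restriction'

# 1. The allow rule exists, is enabled, and is limited to specific remote addresses.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) { throw "Rule '$RuleName' not found; the remediation has not been applied." }
$addr = $rule | Get-NetFirewallAddressFilter
Write-Output ("Rule enabled: {0}; allowed remote addresses: {1}" -f $rule.Enabled, ($addr.RemoteAddress -join ', '))
if ($addr.RemoteAddress -contains 'Any') {
    Write-Warning "Rule allows any remote address, so it does not restrict access at all."
}

# 2. Each enabled profile must block inbound traffic that no rule allows; otherwise the
#    allow rule is meaningless because everything is admitted anyway.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -and $_.DefaultInboundAction -ne 'Block') {
        Write-Warning ("Profile {0}: DefaultInboundAction is {1}; unmatched inbound traffic is NOT blocked." -f
            $_.Name, $_.DefaultInboundAction)
    }
}

# 3. Look for other enabled inbound allow rules that also open this port (to any address or
#    a wider range). Port ranges such as "13000-14000" are not expanded by this simple check.
$others = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -eq 'Any' -or $_.LocalPort -contains "$Port") } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                   $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName }
foreach ($o in $others) {
    $oa = $o | Get-NetFirewallAddressFilter
    Write-Warning ("Overlapping allow rule '{0}' (remote addresses: {1})" -f $o.DisplayName, ($oa.RemoteAddress -join ', '))
}
if (-not $others) { Write-Output "No other inbound allow rules open TCP $Port." }
```

Any warning printed means the port is still reachable from more hosts than intended and the rule set needs adjusting before the smoke test is meaningful.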
6. Preventive Measures and Monitoring
Regularly review firewall rules and security baselines to ensure they remain effective.
- Baselines: Update your security baseline or policy to include a requirement for restricting access to remote administration services like ARCserve Backup.
- Pipelines: Incorporate checks in CI/CD pipelines to validate firewall configurations during deployment.
- Asset and patch process: Implement a regular patch review cycle that includes checking for updates to ARCserve Backup Server.
7. Risks, Side Effects, and Roll Back
Incorrectly configured firewall rules could block legitimate access to the ARCserve Backup service.
- Roll back: Remove the newly created firewall rule using `Remove-NetFirewallRule -DisplayName "ARCserve Backup Port Restriction"` and restore the service if stopped.
8. References and Resources
- Vendor advisory or bulletin: https://www.ca.com/us.html