CVE-2001-0960 in ARCserve Backupinfo

Summary

by MITRE

Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0 stores the backup agent user name and password in cleartext in the aremote.dmp file in the ARCSERVE$ hidden share, which allows local and remote attackers to gain privileges.


Analysis

by VulDB Data Team • 10/01/2025

CVE-2001-0960 is a critical flaw in Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0. The software stores the backup agent's authentication credentials unencrypted in the aremote.dmp file, and that file is exposed through the ARCSERVE$ hidden share. The result is a persistent exposure that both local users and remote attackers can use to gain privileges on the system.

The weakness is cleartext storage of the backup agent credentials in a known file location. aremote.dmp holds authentication data that should be encrypted or kept in protected storage; placing it in the ARCSERVE$ share makes it readable by any account that can authenticate to the system and reach the share, which removes the protection those credentials need. Because the data is unencrypted, an attacker who can read the file immediately has valid credentials without any further exploitation step.

Operationally, the flaw lets an attacker escalate privileges and reach backup systems and, through them, potentially other network resources. Locally, any user with access to the host can read the cleartext credentials from the file system; remotely, anyone who can reach the ARCSERVE$ share over the network can do the same. This double exposure makes the issue easy to exploit and creates a persistent threat that can be used for extended periods without detection. The impact goes beyond credential theft: the credentials can open backup repositories that may contain sensitive organizational data.

The weakness is classified as CWE-312 (Cleartext Storage of Sensitive Information) and is a textbook case of poor credential management in enterprise backup software. In ATT&CK terms it maps to several techniques, including credential access by reading credentials from files and privilege escalation through reuse of those credentials. Backup systems routinely hold privileged credentials for many network resources, which makes this class of flaw especially dangerous in enterprise environments where backup servers have elevated access to critical infrastructure.

Mitigation for CVE-2001-0960 should start with the updates and patches provided by Computer Associates. Restrict access to the ARCSERVE$ share so that unauthorized accounts cannot read aremote.dmp, and ensure that backup credentials are encrypted and stored securely. Segment the network and monitor for unauthorized access attempts to backup system shares. Beyond this specific issue, audit all backup systems for similar credential storage problems, adopt credential management practices aligned with standards such as NIST SP 800-53, and assess backup infrastructure regularly so that configuration errors or software misconfigurations do not reintroduce the same weakness.
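As an added defender-side example (not VulDB's or Computer Associates' code), the following Python flags network reads of aremote.dmp in constructed Windows Security event 5145 records (a network share object was checked for access), which is the monitoring step suggested above. The key=value rendering of the events, the field names and the BACKUPSVC allowlist are assumptions.

```python
"""Flag reads of the ARCserve credential file aremote.dmp over SMB shares.

Input is a constructed key=value rendering of Windows Security event 5145
(network share object access checked); real events are XML, so adapt parse_event.
"""
import re
from dataclasses import dataclass

# Accounts expected to read the file (assumed name of the backup service account).
ALLOWED_ACCOUNTS = {"BACKUPSVC"}
CREDENTIAL_FILE = "aremote.dmp"   # file named in CVE-2001-0960
EXPOSED_SHARE = r"\\*\ARCSERVE$"  # hidden share named in CVE-2001-0960

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    'EventID=5145 Account=BACKUPSVC Source=10.0.0.5 Share=\\\\*\\ARCSERVE$ Target=aremote.dmp Access=ReadData',
    'EventID=5145 Account=jdoe Source=10.0.0.77 Share=\\\\*\\ARCSERVE$ Target=aremote.dmp Access=ReadData',
    'EventID=5145 Account=jdoe Source=10.0.0.77 Share=\\\\*\\ARCSERVE$ Target=logs\\job1.log Access=ReadData',
    'EventID=5145 Account=svc_sql Source=10.0.0.9 Share=\\\\*\\C$ Target=ARCserve\\aremote.dmp Access=ReadData',
    'EventID=5140 Account=admin Source=10.0.0.3 Share=\\\\*\\ARCSERVE$',
]


@dataclass(frozen=True)
class Alert:
    account: str
    source: str
    share: str
    target: str
    via_exposed_share: bool  # True when the read came through ARCSERVE$ itself


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split a key=value event line into a dict (values contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def find_credential_file_access(lines, allowed=ALLOWED_ACCOUNTS) -> list:
    """Return one Alert per 5145 event where a non-allowlisted account read aremote.dmp."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5145":
            continue  # only object-level share access checks carry the target file name
        target = ev.get("Target", "")
        if target.rsplit("\\", 1)[-1].lower() != CREDENTIAL_FILE:
            continue  # some other file on the share
        if ev.get("Account") in allowed:
            continue  # expected backup traffic
        share = ev.get("Share", "")
        alerts.append(Alert(ev.get("Account", "?"), ev.get("Source", "?"), share, target,
                            share.upper() == EXPOSED_SHARE.upper()))
    return alerts


if __name__ == "__main__":
    for a in find_credential_file_access(SAMPLE_EVENTS):
        print(f"ALERT {a.account}@{a.source} read {a.target} via {a.share}")
```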

Disclosure

09/15/2001

Moderation

accepted

Entry

VDB-17362

CPE

ready

EPSS

0.01388

KEV

no

Activities

very low
