In the past few months, the folks at LSsecurity have found and disclosed several buffer overflows in the CA BrightStor product lines. These are all remotely exploitable vulnerabilities, and exploit code has been released for several of these issues, including CVE-2006-5143 describing issues in msgeng.exe on TCP port 6503, and CVE-2006-6076 for issues in the Tape Engine (tapeeng.exe) code in omputer Associates BrightStor ARCserve Backup 11.5, over TCP port 6502. The vendor has released patches for all of these disclosed issues, everyone using BrightStor should update ASAP.
In the past 24 hours we started to see scans for this service (TCP port 6503), coming from only a handful of sources. This is one of the new additions to the top ten scanned service we’ve been tracking, with the usual culprits still present, including various Microsoft Windows file sharing ports, MS SQL ports (UDP 1434 and TCP port 1433), and VNC, all probably related to bot and SQLSlammer scanning. It’s only a fraction of the day’s scanning activity (about 1% by byte count), but this is probably the tip of the iceberg. I don’t know if this exploit has been rolled into a bot yet, but it wouldn’t surprise me to see this happen soon.