CA Community
March 2008 - Posts

CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability

Published: March 28 2008, 08:39 AM | no comments
by Ken Williams

On March 28th, 2008 CA published a security notice to address a vulnerability in CA products that implement the DSM ListCtrl ActiveX control.


Title: CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability

CVE: CVE-2008-1472

CA Advisory Date: 2008-03-28

Reported By: Exploit code posted at milw0rm.com

Impact: A remote attacker can cause a denial of service or execute arbitrary code.

Summary: CA products that implement the DSM ListCtrl ActiveX control are vulnerable to a buffer overflow condition that can allow a remote attacker to cause a denial of service or execute arbitrary code with the privileges of the user running the web browser. The vulnerability, CVE-2008-1472, is due to insufficient bounds checking on the ListCtrl AddColumn function.

Mitigating Factors: For BrightStor ARCserve Backup for Laptops & Desktops, only the server installation is affected. Client installations are not affected. For CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control, only the Managers and DSM Explorers are affected. Scalability Servers and agents are not affected.

Severity: CA has given this vulnerability a maximum risk rating of High.

Affected Products:
BrightStor ARCserve Backup for Laptops and Desktops r11.5
CA Desktop Management Suite r11.2 C1
CA Desktop Management Suite r11.2a
CA Desktop Management Suite r11.2
CA Desktop Management Suite r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Desktop Management Bundle r11.2a
Unicenter Desktop Management Bundle r11.2
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C1
Unicenter Asset Management r11.2a
Unicenter Asset Management r11.2
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C1
Unicenter Software Delivery r11.2a
Unicenter Software Delivery r11.2
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C1
Unicenter Remote Control r11.2a
Unicenter Remote Control r11.2
Unicenter Remote Control r11.1 (GA, a, C1)

Affected Platforms:
Windows

Status and Recommendation:
CA has provided the following updates to address the vulnerability.

BrightStor ARCserve Backup for Laptops and Desktops r11.5:
QO96102

CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1):
QO96088

CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a:
QO96092

CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2:
QO96091

CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1:
QO96090

How to determine if you are affected:
For products on Windows:
   1. Using Windows Explorer, locate the file "ListCtrl.ocx". By default, the file is in the "C:\Program Files\CA\DSM\bin\" directory.
   2. Right click on the file and select Properties.
   3. Select the Version tab.
   4. If the file version is earlier than the version indicated in the table below, the installation is vulnerable.

Product:
   CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
   Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
   Unicenter Asset Management r11.1 (GA, a, C1),
   Unicenter Software Delivery r11.1 (GA, a, C1),
   Unicenter Remote Control r11.1 (GA, a, C1)
File Name: ListCtrl.ocx
File Version: 11.1.8124.0

Product:
   CA Desktop Management Suite for Windows r11.2,
   Unicenter Desktop Management Bundle r11.2,
   Unicenter Asset Management r11.2,
   Unicenter Software Delivery r11.2,
   Unicenter Remote Control r11.2
File Name: ListCtrl.ocx
File Version: 11.2.1000.16

Product:
   CA Desktop Management Suite for Windows r11.2a,
   Unicenter Desktop Management Bundle r11.2a,
   Unicenter Asset Management r11.2a,
   Unicenter Software Delivery r11.2a,
   Unicenter Remote Control r11.2a
File Name: ListCtrl.ocx
File Version: 11.2.1000.16

Product:
   CA Desktop Management Suite for Windows r11.2 C1,
   Unicenter Desktop Management Bundle r11.2 C1,
   Unicenter Asset Management r11.2 C1,
   Unicenter Software Delivery r11.2 C1,
   Unicenter Remote Control r11.2 C1,
   BrightStor ARCserve Backup for Laptops and Desktops r11.5
File Name: ListCtrl.ocx
File Version: 11.2.1000.16

Workaround:
As a temporary workaround solution, disable the ListCtrl ActiveX control in the registry by setting the kill bit on CLSID {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}. Disabling the control may prevent the GUI from functioning correctly. Refer to Microsoft KB article 240797 <http://support.microsoft.com/kb/240797> for information on how to disable an ActiveX control.
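As an added example (not part of the CA advisory and not a CA tool), the following PowerShell script automates the four-step version check described under "How to determine if you are affected" and reports whether the kill bit from the workaround is set for the control's CLSID. It assumes the default ListCtrl.ocx path and the fixed file versions from the table, maps a file to a release line by its own major.minor number (an assumption, since the script cannot tell which product installed the file), and assumes the Wow6432Node registry view for 32-bit Internet Explorer on 64-bit Windows. Set-KillBit writes the "Compatibility Flags" value described in Microsoft KB article 240797 and only runs if you uncomment the last line.

```powershell
# Added example, not from the CA advisory: audit ListCtrl.ocx and the kill-bit
# state for its CLSID. Run in an elevated PowerShell session on the host.

$ocxPath = 'C:\Program Files\CA\DSM\bin\ListCtrl.ocx'   # default location per the advisory
$clsid   = '{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}'     # CLSID named in the workaround
$killBit = 0x400                                          # kill-bit flag per Microsoft KB 240797

# Fixed file versions from the advisory table, keyed by release line.
# Assumption: the release line is inferred from the file's own major.minor.
$fixedVersions = @{
    '11.1' = [version]'11.1.8124.0'
    '11.2' = [version]'11.2.1000.16'
}

function Test-ListCtrlVulnerable {
    param([string]$Path = $ocxPath)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Installed = $false; FileVersion = $null; Fixed = $null; Vulnerable = $false }
    }
    # Build the version from the numeric parts; the FileVersion string may be formatted with commas.
    $vi    = (Get-Item -LiteralPath $Path).VersionInfo
    $ver   = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $line  = '{0}.{1}' -f $ver.Major, $ver.Minor
    $fixed = $fixedVersions[$line]
    # Unknown release line: report $null rather than guess.
    $vulnerable = if ($fixed) { $ver -lt $fixed } else { $null }
    [pscustomobject]@{ Path = $Path; Installed = $true; FileVersion = $ver; Fixed = $fixed; Vulnerable = $vulnerable }
}

function Get-KillBitState {
    param([string]$Clsid = $clsid)
    # Assumption: on 64-bit Windows the 32-bit browser reads the Wow6432Node view, so check both.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($k in $keys) {
        $flags = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{ Key = $k; Flags = $flags; KillBitSet = (($flags -band $killBit) -eq $killBit) }
    }
}

function Set-KillBit {
    param([string]$Clsid = $clsid)
    foreach ($state in (Get-KillBitState -Clsid $Clsid)) {
        New-Item -Path $state.Key -Force | Out-Null          # creates the CLSID key if absent
        $flags = [int]($state.Flags -bor $killBit)           # preserve any flags already present
        New-ItemProperty -Path $state.Key -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
    }
    Get-KillBitState -Clsid $Clsid
}

Test-ListCtrlVulnerable | Format-List
Get-KillBitState | Format-Table -AutoSize
# Set-KillBit   # uncomment to apply the workaround; the advisory notes the GUI may stop working
```

Test-ListCtrlVulnerable reports Vulnerable as $true only when the file is present and older than the table's version for its release line; a host where the DSM Explorer or Manager is not installed shows Installed as $false, which matches the advisory's note that only those components are affected.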

References (URLs may wrap):
CA SupportConnect:
http://support.ca.com/
CA products using the DSM ListCtrl ActiveX Control Security Notice
https://support.ca.com/irj/portal/anonymous/phpdocs?filePath=0/common/DSM_ListCtr_secnot.html
Solution Document Reference APARs:
QO96102, QO96088, QO96092, QO96091, QO96090
CA Security Response Blog posting:
CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/3/28.aspx
Reported By:
Exploit code posted at milw0rm.com
CVE References:
CVE-2008-1472 - DSM ListCtrl ActiveX control AddColumn buffer overflow
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1472
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please email your findings to vuln AT ca DOT com.


By: Ken Williams
Ken Williams is a Director with the CA Vulnerability Research Team. As a veteran vulnerability researcher, Ken has worked as the Director of the CA Vulnerability Research Team and eVM Research Team, Director of Vulnerability Research at eSecurityOnline, Manager of the Vulnerability Research Team at Ernst...

Note about recently publicized CA BrightStor ActiveX exploit code

Published: March 20 2008, 10:12 AM | no comments
by Ken Williams

CA is reviewing exploit code that was posted on 2008-03-16 to the Milw0rm exploit archive web site.  This exploit code is potentially associated with vulnerabilities that may exist in CA BrightStor ARCserve Backup for Laptops and Desktops and/or related products.  CA will issue an advisory after we have completed our initial investigation.


Russian Business Network (RBN) - an example of modern cybercrime

Published: March 03 2008, 09:43 AM | no comments
by Ken Williams

When I warn customers, friends, and family about the dangers of cybercrime, they usually accuse me of exaggerating the severity of internet-related criminal activity. They think I'm sensationalizing an "epidemic" that, in reality, isn't very organized or pervasive. The truth though is that cybercrime is very mature, very businesslike, and more of a threat than ever before. A perfect example of the maturity of internet crime is the Russian Business Network (RBN). The RBN is a subject that is still more or less well known only to security industry practitioners. The Shadowserver Foundation, an internet security watchdog group, published a whitepaper last week entitled "RBN 'Rizing' - Abdallah Internet Hizmetleri". This whitepaper is a follow-up to their first paper on the RBN: "RBN As a Business Network - Clarifying the guesswork of Criminal Activity".


In addition to the great research published by Shadowserver, I also recommend this blog about the RBN and of course the Wikipedia page for the Russian Business Network.
