CA Community

April 2008 - Posts

Automatic Patch-Based Exploit Generation

Published: April 24 2008, 04:27 PM | no comments
by Ken Williams

The Full-Disclosure mailing list is good for interesting, and often humorous, content on a daily basis.  The highlight of the week last week was a link to a paper entitled "Automatic Patch-Based Exploit Generation", by David Brumley, Pongsin Poosankam, Dawn Song, and Jiang Zheng.  From the abstract ... "In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update. [...] Attackers can simply wait for a patch to be released, use these techniques, and with reasonable chance, produce a working exploit within seconds. Coupled with a worm, all vulnerable hosts could be compromised before most are even aware a patch is available, let alone download it."  2008 is going to be an interesting year for security enthusiasts.

Edited to add: Halvar Flake has a blog post with very insightful commentary on the paper.

 


 

By: Ken Williams
Ken Williams is a Director with the CA Vulnerability Research Team. As a veteran vulnerability researcher, Ken has worked as the Director of the CA Vulnerability Research Team and eVM Research Team, Director of Vulnerability Research at eSecurityOnline, Manager of the Vulnerability Research Team at Ernst...
Read More..

CA ARCserve Backup r12 and CA Secure Content Manager r8 vulnerabilities

Published: April 21 2008, 07:10 PM | no comments
by Ken Williams

CA is currently investigating vulnerability reports concerning CA ARCserve Backup r12 and CA Secure Content Manager r8 that were published publicly on 4/17/08 and 4/18/08 respectively. CA will issue an advisory if and when the reports have been verified. 


 


CA DSM gui_cm_ctrls ActiveX Control Vulnerability

Published: April 16 2008, 11:34 AM | no comments
by Ken Williams

On April 15th, 2008 CA published a security notice to address a vulnerability in CA products that implement the DSM gui_cm_ctrls ActiveX control.

 

Title: CA DSM gui_cm_ctrls ActiveX Control Vulnerability

 

CA Advisory Date: 2008-04-15

 

Reported By: Greg Linares of eEye Digital Security

 

Impact: A remote attacker can execute arbitrary code or cause a denial of service condition.

 

Summary: CA products that implement the DSM gui_cm_ctrls ActiveX control contain a vulnerability that can allow a remote attacker to cause a denial of service or execute arbitrary code. The vulnerability, CVE-2008-1786, is due to insufficient verification of function arguments by the gui_cm_ctrls control. An attacker can execute arbitrary code under the context of the user running the web browser.

 

Mitigating Factors: For BrightStor ARCserve Backup for Laptops & Desktops, only the server installation is affected. Client installations are not affected. For CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control, only the Managers and DSM Explorers are affected. Scalability Servers and Agents are not affected.

 

Severity: CA has given these vulnerabilities a maximum risk rating of High.

 

Affected Products:
BrightStor ARCserve Backup for Laptops and Desktops r11.5
CA Desktop Management Suite r11.2 C2
CA Desktop Management Suite r11.2 C1
CA Desktop Management Suite r11.2a
CA Desktop Management Suite r11.2
CA Desktop Management Suite r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C2
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Desktop Management Bundle r11.2a
Unicenter Desktop Management Bundle r11.2
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C2
Unicenter Asset Management r11.2 C1
Unicenter Asset Management r11.2a
Unicenter Asset Management r11.2
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C2
Unicenter Software Delivery r11.2 C1
Unicenter Software Delivery r11.2a
Unicenter Software Delivery r11.2
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C2
Unicenter Remote Control r11.2 C1
Unicenter Remote Control r11.2a
Unicenter Remote Control r11.2
Unicenter Remote Control r11.1 (GA, a, C1)
CA Desktop and Server Management r11.2 C2
CA Desktop and Server Management r11.2 C1
CA Desktop and Server Management r11.2a
CA Desktop and Server Management r11.2
CA Desktop and Server Management r11.1 (GA, a, C1)

 

Affected Platforms:
Windows

 

Status and Recommendation:

CA has provided the following updates to address the vulnerabilities.

BrightStor ARCserve Backup for Laptops and Desktops r11.5:
QI96333

CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1):
QO96283

CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a:
QO96286

CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2:
QO96285

CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1:
QO96284

CA Desktop Management Suite for Windows r11.2 C2,
Unicenter Desktop Management Bundle r11.2 C2,
Unicenter Asset Management r11.2 C2,
Unicenter Software Delivery r11.2 C2,
Unicenter Remote Control r11.2 C2:
QO99084

CA Desktop and Server Management r11.2 C2:
QO99080

CA Desktop and Server Management r11.2 C1:
QO96288

CA Desktop and Server Management r11.2a:
QO96290

CA Desktop and Server Management r11.2:
QO96289

CA Desktop and Server Management r11.1 (GA, a, C1):
QO96287

 

How to determine if you are affected:

For products on Windows:
1. Using Windows Explorer, locate the file “gui_cm_ctrls.ocx”. By default, the file is in the “C:\Program Files\CA\DSM\bin\” directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the list below, the installation is vulnerable.

Product / File Name / File Version

CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1),
CA Desktop and Server Management r11.1 (GA, a, C1):
  File Name: gui_cm_ctrls.ocx   File Version: 11.1.8124.2517

CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2,
CA Desktop and Server Management r11.2:
  File Name: gui_cm_ctrls.ocx   File Version: 11.2.2.4332

CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a,
CA Desktop and Server Management r11.2a:
  File Name: gui_cm_ctrls.ocx   File Version: 11.2.3.1896

CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1,
BrightStor ARCserve Backup for Laptops and Desktops r11.5,
CA Desktop and Server Management r11.2 C1:
  File Name: gui_cm_ctrls.ocx   File Version: 11.2.1000.17

CA Desktop Management Suite for Windows r11.2 C2,
Unicenter Desktop Management Bundle r11.2 C2,
Unicenter Asset Management r11.2 C2,
Unicenter Software Delivery r11.2 C2,
Unicenter Remote Control r11.2 C2,
CA Desktop and Server Management r11.2 C2:
  File Name: gui_cm_ctrls.ocx   File Version: 11.2.2000.4

 

Workaround: As a temporary workaround solution, disable the gui_cm_ctrls ActiveX control in the registry by setting the kill bit on CLSID {E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}. Disabling the control may prevent the GUI from functioning correctly. Refer to Microsoft KB article 240797 for information on how to disable an ActiveX control.
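The kill-bit workaround above is a registry change, so it is worth scripting so that it can be applied and verified consistently across a fleet. The following PowerShell is an added example, not part of the CA security notice or of KB 240797: it reads the current compatibility flags for the CLSID named in the advisory, ORs in the kill bit (0x400, the value KB 240797 describes) without clobbering any flags already present, and reads the key back. The function names and the handling of the Wow6432Node view are this example's own assumptions; run it from an elevated prompt.

```powershell
# Added example (not CA's own tooling): set and verify the ActiveX kill bit
# for the gui_cm_ctrls control, using the mechanism described in KB 240797.
$Clsid   = '{E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}'   # CLSID from the advisory
$KillBit = 0x400                                      # "Compatibility Flags" kill bit

# On 64-bit Windows a 32-bit browser reads the Wow6432Node view of HKLM\SOFTWARE,
# so both views are handled; a view whose parent key is absent is skipped.
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
) | Where-Object { Test-Path -LiteralPath (Split-Path -Parent $_) }

function Get-ActiveXKillBitState {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'no compatibility entry (control allowed)' }
    $flags = (Get-ItemProperty -LiteralPath $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'entry exists but no Compatibility Flags value (control allowed)' }
    if ($flags -band $KillBit) { 'kill bit set (control blocked)' }
    else { 'flags=0x{0:X} without kill bit (control allowed)' -f $flags }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -LiteralPath $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the kill bit into whatever flags are already there instead of overwriting them.
    $new = [int]($existing -bor $KillBit)
    Set-ItemProperty -LiteralPath $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($p in $KeyPaths) {
    "Before: $p -> $(Get-ActiveXKillBitState -Path $p)"
    Set-ActiveXKillBit -Path $p
    "After:  $p -> $(Get-ActiveXKillBitState -Path $p)"
}
```

The read-back matters: a deployment tool that reports success on writing the key says nothing about whether the bit is actually present in the view the browser consults. As the advisory notes, the control's GUI may stop working while the kill bit is set; remove the flag (or clear bit 0x400) once the fixed version is installed.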

 

References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA products using the DSM gui_cm_ctrls ActiveX control
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=174256
Solution Document Reference APARs:
QI96333, QO96283, QO96286, QO96285, QO96284, QO99084, QO99080, QO96288, QO96290, QO96289, QO96287
CA Security Response Blog posting:
CA DSM gui_cm_ctrls ActiveX Control Vulnerability
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/16/[...]vulnerability.aspx
Reported By:
Greg Linares of eEye Digital Security
CVE Reference:
CVE-2008-1786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1786
OSVDB References: Pending
http://osvdb.org/

 

Changelog for this advisory:
v1.0 - Initial Release

 

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.

URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


 


CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities

Published: April 04 2008, 08:47 AM | no comments
by Ken Williams

On April 3rd, 2008, CA published a security notice to address multiple vulnerabilities in CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite.

 

Title: CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities

CA Advisory Date: 2008-04-03

Reported By: Dyon Balding of Secunia Research

Impact: A remote attacker can execute arbitrary code or cause a denial of service condition.

Summary: CA ARCserve Backup for Laptops and Desktops Server contains multiple vulnerabilities that can allow a remote attacker to execute arbitrary code or cause a denial of service condition. CA has issued updates to address the vulnerabilities. The first issue, CVE-2008-1328, occurs due to insufficient bounds checking on command arguments by the LGServer service. The second issue, CVE-2008-1329, occurs due to insufficient verification of file uploads by rxRPC.dll. In most cases, an attacker can potentially gain complete control of an affected installation. Additionally, only a server installation of BrightStor ARCserve Backup for Laptops and Desktops is affected. The client installation is not affected.

Note: the previously published patches for CVE-2007-3216 and CVE-2007-5005 did not fully address some issues.

Mitigating Factors: Client installations are not affected.

Severity: CA has given these vulnerabilities a maximum risk rating of High.

Affected Products:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA Desktop Management Suite 11.2 English
CA Desktop Management Suite 11.2 localized
CA Desktop Management Suite 11.1

Affected Platforms:
Windows

Status and Recommendation:
CA has provided updates to address the vulnerabilities.
CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.2 SP2:  QO95512
CA ARCserve Backup for Laptops and Desktops 11.5:  QO95513
CA Desktop Management Suite 11.2 English:  QO95513
CA Desktop Management Suite 11.2 localized:  QO95513
CA Desktop Management Suite 11.1:  Upgrade to 11.1 C1.
CA ARCserve Backup for Laptops and Desktops 11.0:  Upgrade to ARCserve Backup for Laptops and Desktops version 11.1 and apply the latest patches.  QI85497

How to determine if you are affected:

For Windows:
1. Using Windows Explorer, locate the file "rxRPC.dll". The file can be found in the following default locations:
Product:  CA ARCserve Backup for Laptops and Desktops 11.5
Directory Path:  C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Explorer
Product:  CA ARCserve Backup for Laptops and Desktops 11.1   
Directory Path:  C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server
Product:  CA Desktop Management Suite 11.2 English
Directory Path:  C:\Program Files\CA\DSM\BABLD\MGUI
Product:  CA Desktop Management Suite 11.2 localized
Directory Path:  C:\Program Files\CA\DSM\BABLD\MGUI
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file date is earlier than indicated in the below table, the installation is vulnerable.

Product                                              File Name    File Date / Size
CA ARCserve Backup for Laptops and Desktops 11.5     rxRPC.dll    February 18 2008 / 126976
CA ARCserve Backup for Laptops and Desktops 11.1     rxRPC.dll    February 18 2008 / 114688
CA Desktop Management Suite 11.2 English             rxRPC.dll    February 18 2008 / 126976
CA Desktop Management Suite 11.2 localized           rxRPC.dll    February 18 2008 / 126976
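Unlike the other advisories on this page, this one keys the check on the file date rather than a version resource, which is a weaker indicator because copying or restoring a file can rewrite its timestamps. The PowerShell below is an added example, not CA's own tooling: it walks the default locations from the table, applies the advisory's date criterion, and uses the listed size as a corroborating check, so a file that passes on date but not on size is flagged for manual review rather than reported as patched. The directories and sizes are copied from the table; the function name is this example's own.

```powershell
# Added example (not CA's tooling): apply the advisory's rxRPC.dll date/size
# check across the default install locations listed in the table.
$FixedDate = [datetime]'2008-02-18'

# Rows copied from the advisory table: product, default directory, patched file size.
$RxRpcLocations = @(
    @{ Product = 'CA ARCserve Backup for Laptops and Desktops 11.5'
       Dir     = 'C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Explorer'
       FixedSize = 126976 }
    @{ Product = 'CA ARCserve Backup for Laptops and Desktops 11.1'
       Dir     = 'C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server'
       FixedSize = 114688 }
    @{ Product = 'CA Desktop Management Suite 11.2 English'
       Dir     = 'C:\Program Files\CA\DSM\BABLD\MGUI'
       FixedSize = 126976 }
    @{ Product = 'CA Desktop Management Suite 11.2 localized'
       Dir     = 'C:\Program Files\CA\DSM\BABLD\MGUI'
       FixedSize = 126976 }
)

function Test-RxRpcPatchLevel {
    param([Parameter(Mandatory)][hashtable]$Row)
    $path = Join-Path $Row.Dir 'rxRPC.dll'
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Product = $Row.Product; Path = $path; Status = 'not installed' }
    }
    $f = Get-Item -LiteralPath $path
    # The advisory's criterion is the file date; the size is a secondary check
    # because a copy or restore can give an old binary a new timestamp.
    $dateOk = $f.LastWriteTime -ge $FixedDate
    $sizeOk = $f.Length -eq $Row.FixedSize
    $status = if ($dateOk -and $sizeOk) { 'patched' }
              elseif (-not $dateOk)    { 'VULNERABLE (file date before 2008-02-18)' }
              else                     { 'date OK but size differs from advisory; verify manually' }
    [pscustomobject]@{
        Product = $Row.Product; Path = $path
        LastWrite = $f.LastWriteTime; Size = $f.Length; ExpectedSize = $Row.FixedSize
        Status = $status
    }
}

$RxRpcLocations | ForEach-Object { Test-RxRpcPatchLevel -Row $_ } | Format-Table -AutoSize
```

Where an installation was relocated from the default directory, pass the real directory in the table rows; the check itself does not change.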


Workaround: None

References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105
Solution Document Reference APARs:
QO95512, QO95513, QI85497
CA Security Response Blog posting:
CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities
http://community.ca.com/blogs/[...]-vulnerabilities.aspx
Reported By:
Dyon Balding of Secunia Research
CVE References:
CVE-2008-1328 and CVE-2008-1329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1329
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

 


CA Alert Notification Server Multiple Vulnerabilities

Published: April 04 2008, 07:55 AM | no comments
by Ken Williams

On April 3rd, 2008 CA published a security notice to address a vulnerability in CA Alert Notification Server.

 

Title: CA Alert Notification Server Multiple Vulnerabilities

CA Advisory Date: 2008-04-03

Reported By: An anonymous researcher working with the iDefense VCP

Impact: A remote authenticated attacker can execute arbitrary code or cause a denial of service condition.

Summary: CA Alert Notification Server service contains multiple vulnerabilities that can allow a remote authenticated attacker to execute arbitrary code or cause a denial of service condition. CA has issued updates to address the vulnerabilities. The vulnerabilities, CVE-2007-4620, are due to insufficient bounds checking in multiple procedures. A remote authenticated attacker or local user can exploit a buffer overflow to execute arbitrary code or cause a denial of service.

Mitigating Factors: Remote attacker must have legitimate authentication credentials.

Severity: CA has given these vulnerabilities a maximum risk rating of High.

Affected Products:
CA Anti-Virus for the Enterprise 7.1
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8.1
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows

Affected Platforms:
Windows

Status and Recommendation:
CA has provided updates to address the vulnerabilities.
CA Anti-Virus for the Enterprise 7.1, CA Anti-Virus for the Enterprise r8:  QO96079
CA Threat Manager for the Enterprise r8:  QO96387
CA Anti-Virus for the Enterprise r8.1, CA Threat Manager for the Enterprise r8.1:  QO96080
BrightStor ARCserve Backup r11.5, BrightStor ARCserve Backup r11.1:  QO96079
BrightStor ARCserve Backup r11.0:  Upgrade to 11.1 and apply the latest patches.

How to determine if you are affected:

For products on Windows:
   1. Using Windows Explorer, locate the file "alert.exe". By default, the file is located in the "C:\Program Files\CA\SharedComponents\Alert" directory.
   2. Right click on the file and select Properties.
   3. Select the Version tab.
   4. If the file version is earlier than indicated in the below table, the installation is vulnerable.

Product                                      File        Version
CA Anti-Virus for the Enterprise r8.1        Alert.exe   8.1.586.0
CA Threat Manager for the Enterprise 8.1     Alert.exe   8.1.586.0
CA Threat Manager for the Enterprise r8      Alert.exe   8.0.450.0
CA Anti-Virus for the Enterprise 7.1         Alert.exe   7.1.758.0
CA Anti-Virus for the Enterprise r8          Alert.exe   7.1.758.0
BrightStor ARCserve Backup r11.5             Alert.exe   7.1.758.0
BrightStor ARCserve Backup r11.1             Alert.exe   7.1.758.0
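This Alert.exe procedure and the gui_cm_ctrls.ocx procedure in the DSM advisory earlier on this page are the same check: read the file version and compare it with the fixed version for the release that is installed. The PowerShell below is an added example serving both advisories, not CA's own tooling. The thresholds are copied from the two advisory tables and the paths are the defaults the advisories state; the function names and the `-Release` labels are this example's own. The one caveat it encodes is that the threshold depends on the build branch, not just the major and minor version: an r11.2 C1 install of gui_cm_ctrls.ocx is fixed at 11.2.1000.17, and comparing it against the r11.2 threshold 11.2.2.4332 would report an unpatched C1 build as patched.

```powershell
# Added example (not CA's tooling): compare an installed binary's file version
# against the fixed version from the advisory table for the release installed.

# Fixed (patched) file versions, keyed by the release label used in the tables.
$FixedVersions = @{
    'gui_cm_ctrls.ocx' = @{
        'r11.1'    = '11.1.8124.2517'   # DSM / Unicenter r11.1 (GA, a, C1)
        'r11.2'    = '11.2.2.4332'
        'r11.2a'   = '11.2.3.1896'
        'r11.2 C1' = '11.2.1000.17'     # also BrightStor ARCserve Backup for L&D r11.5
        'r11.2 C2' = '11.2.2000.4'
    }
    'Alert.exe' = @{
        'r8.1' = '8.1.586.0'   # CA Anti-Virus / CA Threat Manager r8.1
        'r8'   = '8.0.450.0'   # CA Threat Manager r8
        '7.1'  = '7.1.758.0'   # CA Anti-Virus 7.1 and r8, BrightStor ARCserve Backup r11.5 / r11.1
    }
}

# Default locations stated in the advisories.
$DefaultPaths = @{
    'gui_cm_ctrls.ocx' = 'C:\Program Files\CA\DSM\bin\gui_cm_ctrls.ocx'
    'Alert.exe'        = 'C:\Program Files\CA\SharedComponents\Alert\alert.exe'
}

function Get-FileVersionObject {
    param([Parameter(Mandatory)][string]$Path)
    # Build a System.Version from the numeric parts rather than parsing the
    # FileVersion string, which some binaries pad with commas or trailing text.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return [Version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
}

function Test-CaFileVersion {
    param(
        [Parameter(Mandatory)][ValidateSet('gui_cm_ctrls.ocx', 'Alert.exe')][string]$FileName,
        [Parameter(Mandatory)][string]$Release,
        [string]$Path = $DefaultPaths[$FileName]
    )
    $expected = $FixedVersions[$FileName][$Release]
    if (-not $expected) { throw "No advisory threshold for $FileName release '$Release'" }
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $FileName; Release = $Release; Path = $Path
                                  Installed = $null; Fixed = $expected; Status = 'not installed' }
    }
    $installed = Get-FileVersionObject -Path $Path
    # "Earlier than the listed version" is the advisory's vulnerable condition.
    $status = if ($installed -lt [Version]$expected) { 'VULNERABLE (older than fixed version)' } else { 'patched' }
    [pscustomobject]@{ File = $FileName; Release = $Release; Path = $Path
                       Installed = $installed; Fixed = $expected; Status = $status }
}

# Usage: name the release branch that is installed; it cannot be inferred from the file alone.
Test-CaFileVersion -FileName 'gui_cm_ctrls.ocx' -Release 'r11.2 C1'
Test-CaFileVersion -FileName 'Alert.exe' -Release '7.1'
```

Note from the Alert.exe table that several r8 and ARCserve products ship the 7.1-series Alert.exe, so the product name on the box is not a reliable guide to which row applies; pick the row by the file actually on disk.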


Workaround: None

References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for Alert Notification Server
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173103
Solution Document Reference APARs:
QO96079, QO96387, QO96080, QO96079
CA Security Response Blog posting:
CA Alert Notification Server Multiple Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/04/ca-alert-notification-server-multiple-vulnerabilities.aspx
Reported By:
An anonymous researcher working with the iDefense VCP
CVE References:
CVE-2007-4620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4620
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

 
