
CA Security Response Blog

  • CA ARCserve Backup Discovery Service Denial of Service Vulnerability

    On June 17th, 2008, CA published a security notice to address a vulnerability in CA ARCserve Backup.


    Title: CA ARCserve Backup Discovery Service Denial of Service Vulnerability

    CA Advisory Date: 2008-06-17

    Reported By: Luigi Auriemma

    Impact: A remote attacker can cause a denial of service.

    Summary: CA ARCserve Backup contains a vulnerability in the Discovery service (casdscsvc) that can allow a remote attacker to cause a denial of service condition. CA has issued patches to address the vulnerability. The vulnerability, CVE-2008-1979, occurs due to insufficient verification of client data. An attacker can make a request that can crash the service.

    Mitigating Factors: None

    Severity: CA has given this vulnerability a Medium risk rating.

    Affected Products:
    CA ARCserve Backup r12.0 Windows
    CA ARCserve Backup r11.5 Windows SP3 and prior*
    CA ARCserve Backup r11.1 Windows*
    CA ARCserve Backup r11.1 Netware*
    CA Server Protection Suite r2
    CA Business Protection Suite r2
    CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
    CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

    *Formerly known as BrightStor ARCserve Backup

    Non-affected Products:
    CA ARCserve Backup r11.5 Windows SP4

    Affected Platforms:
    Windows and Netware

    Status and Recommendation:
    CA has issued the following patches to address the vulnerability.
    CA ARCserve Backup r12.0 Windows: QO99574
    CA ARCserve Backup r11.5 Windows: QO99575
    For CA ARCserve Backup r11.5 Windows, the issue can also be addressed by applying 11.5 SP4: QO99129
    CA ARCserve Backup r11.1 Windows: QO99576
    CA ARCserve Backup r11.1 Netware: QO99579
    CA Protection Suites r2: QO99575

    How to determine if you are affected:

    CA ARCserve Backup r12.0 Windows:
    1. Run the ARCserve Patch Management utility. From the Windows Start menu, it can be found under Programs->CA->ARCserve Patch Management->Patch Status.
    2. The main patch status screen will indicate if patch “QO99574” is currently applied. If the patch is not applied, the installation is vulnerable.

    For more information on the ARCserve Patch Management utility, read document TEC446265.

    Alternatively, use the file information below to determine if the product installation is vulnerable.

    CA ARCserve Backup r12.0 Windows,
    CA ARCserve Backup r11.5 Windows,
    CA ARCserve Backup r11.1 Windows,
    CA ARCserve Backup r11.1 Netware,
    CA Protection Suites r2*:

    1. Using Windows Explorer, locate the file “asbrdcst.dll”. By default, the file is located in the “C:\Program Files\CA\SharedComponents\ARCserve Backup\CADS” directory on 32 bit systems and “C:\Program Files (x86)\CA\SharedComponents\ARCserve Backup\CADS” on 64 bit systems.
    2. Right click on the file and select Properties.
    3. Select the General tab.
    4. If the file timestamp is earlier than indicated in the below table, the installation is vulnerable.

    * For Protection Suites r2, use the file timestamp for CA ARCserve Backup r11.5 English

    Product Version  Product Language      File Name     File Size (bytes)  Timestamp
    12.0 Windows     English               asbrdcst.dll  324872             05/01/2008 12:11
    12.0 Windows     Spanish               asbrdcst.dll  324872             05/01/2008 12:11
    12.0 Windows     Portuguese-Brazilian  asbrdcst.dll  320776             05/01/2008 12:11
    12.0 Windows     Japanese              asbrdcst.dll  320776             05/01/2008 12:11
    12.0 Windows     Italian               asbrdcst.dll  324872             05/01/2008 12:11
    12.0 Windows     German                asbrdcst.dll  324872             05/01/2008 12:11
    12.0 Windows     French                asbrdcst.dll  324872             05/01/2008 12:11
    12.0 Windows     Traditional Chinese   asbrdcst.dll  316680             05/01/2008 12:11
    12.0 Windows     Simplified Chinese    asbrdcst.dll  316680             05/01/2008 12:11
    11.5 Windows     English               asbrdcst.dll  212992             04/22/2008 10:15:02
    11.5 Windows     Japanese              asbrdcst.dll  208896             04/22/2008 14:28:52
    11.5 Windows     Simplified Chinese    asbrdcst.dll  204800             04/22/2008 14:30:54
    11.5 Windows     Traditional Chinese   asbrdcst.dll  204800             04/22/2008 14:33:28
    11.5 Windows     Italian               asbrdcst.dll  212992             04/22/2008 14:31:46
    11.5 Windows     Portuguese-Brazilian  asbrdcst.dll  212992             04/22/2008 14:53:54
    11.5 Windows     German                asbrdcst.dll  212992             04/22/2008 14:27:48
    11.5 Windows     French                asbrdcst.dll  212992             04/22/2008 14:26:54
    11.5 Windows     Spanish               asbrdcst.dll  212992             04/22/2008 14:32:38
    11.1 Windows     English               asbrdcst.dll  204800             04/24/2008 11:21:26
    11.1 Windows     Japanese              asbrdcst.dll  200704             04/24/2008 11:25:48
    11.1 Windows     Simplified Chinese    asbrdcst.dll  196608             04/24/2008 11:27:44
    11.1 Windows     Traditional Chinese   asbrdcst.dll  196608             04/24/2008 11:30:32
    11.1 Windows     Italian               asbrdcst.dll  204800             04/24/2008 11:28:38
    11.1 Windows     Portuguese-Brazilian  asbrdcst.dll  204800             04/24/2008 11:38:52
    11.1 Windows     German                asbrdcst.dll  204800             04/24/2008 11:24:38
    11.1 Windows     French                asbrdcst.dll  204800             04/24/2008 11:23:38
    11.1 Windows     Spanish               asbrdcst.dll  204800             04/24/2008 11:29:34
    11.1 Windows     Dutch                 asbrdcst.dll  204800             04/24/2008 11:33:24
    11.1 Windows     Polish                asbrdcst.dll  204800             04/24/2008 11:38:02
    11.1 Windows     Russian               asbrdcst.dll  204800             04/24/2008 11:39:44
    11.1 Windows     Turkish               asbrdcst.dll  204800             04/24/2008 11:41:28
    11.1 Windows     Norwegian             asbrdcst.dll  204800             04/24/2008 11:37:12
    11.1 Windows     Danish                asbrdcst.dll  204800             04/24/2008 11:32:28
    11.1 Windows     Czech                 asbrdcst.dll  204800             04/24/2008 11:31:28
    11.1 Windows     Hungarian             asbrdcst.dll  204800             04/24/2008 11:36:22
    11.1 Windows     Swedish               asbrdcst.dll  204800             04/24/2008 11:40:38
    11.1 Windows     Finnish               asbrdcst.dll  204800             04/24/2008 11:34:40
    11.1 Windows     Greek                 asbrdcst.dll  204800             04/24/2008 11:35:32
    11.1 Netware     English               asbrdcst.dll  204800             04/24/2008 11:21:26
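    The timestamp rule above is easy to apply to one Properties dialog and tedious to apply to a fleet. The following is an added Python example, not CA's code and not part of the advisory: it embeds a subset of the table rows exactly as the advisory prints them, parses the advisory's MM/DD/YYYY HH:MM[:SS] format, and classifies an observed file as vulnerable or patched by the same "earlier than the table" test. The default directories are the two the advisory names; the remaining table rows can be added to FIXED_ASBRDCST in the same form. The same comparison logic applies to the caloggerd.exe and rxRPC.dll timestamp checks in the later advisories on this page.

```python
import os
from datetime import datetime

# Rows copied from the advisory's asbrdcst.dll table, keyed by (product version,
# language): (file size in bytes, timestamp of the first fixed build). Only a
# subset is embedded here; the remaining rows are added in exactly the same form.
FIXED_ASBRDCST = {
    ("12.0 Windows", "English"):  (324872, "05/01/2008 12:11"),
    ("12.0 Windows", "Japanese"): (320776, "05/01/2008 12:11"),
    ("11.5 Windows", "English"):  (212992, "04/22/2008 10:15:02"),
    ("11.1 Windows", "English"):  (204800, "04/24/2008 11:21:26"),
    ("11.1 Netware", "English"):  (204800, "04/24/2008 11:21:26"),
}

# Default install directories named in the advisory (32-bit and 64-bit Windows).
DEFAULT_DIRS = (
    r"C:\Program Files\CA\SharedComponents\ARCserve Backup\CADS",
    r"C:\Program Files (x86)\CA\SharedComponents\ARCserve Backup\CADS",
)


def parse_table_time(value):
    """Parse the advisory's MM/DD/YYYY HH:MM[:SS] timestamps; datetimes pass through."""
    if isinstance(value, datetime):
        return value
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%Y %H:%M"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def classify(version, language, observed_mtime, observed_size=None):
    """Apply the advisory's rule to one observed asbrdcst.dll.

    Returns (verdict, size_ok): verdict is 'vulnerable' when the file is older
    than the fixed build in the table, 'patched' when it is the same age or
    newer, and 'unknown' when the version/language pair is not in the table.
    size_ok is None when no size was given; a False value does not change the
    verdict but usually means the wrong language row is being compared against.
    """
    entry = FIXED_ASBRDCST.get((version, language))
    if entry is None:
        return "unknown", None
    expected_size, fixed_at = entry
    observed = parse_table_time(observed_mtime)
    verdict = "vulnerable" if observed < parse_table_time(fixed_at) else "patched"
    size_ok = None if observed_size is None else observed_size == expected_size
    return verdict, size_ok


def check_installed(version, language, dirs=DEFAULT_DIRS):
    """Stat asbrdcst.dll in each candidate directory and classify what is found.

    Explorer shows the modification time in local time, so fromtimestamp()
    (local) is the right conversion before comparing against the table.
    Directories that do not exist are skipped, so the result is an empty list
    on a host without the product.
    """
    results = []
    for directory in dirs:
        path = os.path.join(directory, "asbrdcst.dll")
        try:
            st = os.stat(path)
        except OSError:
            continue
        verdict, size_ok = classify(version, language,
                                    datetime.fromtimestamp(st.st_mtime), st.st_size)
        results.append((path, verdict, size_ok))
    return results


if __name__ == "__main__":
    for path, verdict, size_ok in check_installed("11.5 Windows", "English"):
        print(path, verdict, "" if size_ok else "(size differs from table)")
```

    Run it on the backup server with the product version and language of that installation; an empty result means asbrdcst.dll was not found in either default directory, which calls for a manual look rather than a "patched" assumption.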



    Workaround: As a temporary workaround, stop and disable the CA ARCserve Discovery service. With the service disabled, deploying agents using Auto-discovery will not work.

    References (URLs may wrap):
    CA Support:
    http://support.ca.com/
    Security Notice for CA ARCserve Discovery Service
    https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=178937
    Solution Document Reference APARs:
    QO99574, QO99575, QO99129, QO99576, QO99579
    CA Security Response Blog posting:
    CA ARCserve Backup Discovery Service Denial of Service Vulnerability
    http://community.ca.com/blogs/casecurityresponseblog/archive/2008/06/18.aspx
    Reported By:
    Luigi Auriemma
    http://aluigi.altervista.org/adv/carcbackazz-adv.txt
    CVE References:
    CVE-2008-1979 - casdscsvc denial of service
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1979
    OSVDB References: Pending
    http://osvdb.org/

    Changelog for this advisory:
    v1.0 - Initial Release

    Customers who require additional information should contact CA Technical Support at http://support.ca.com.

    For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

    If you discover a vulnerability in CA products, please report your findings to our product security response team.
    URL: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

  • CA Secure Content Manager HTTP Gateway Service FTP Request Vulnerabilities

    On June 3rd, 2008, CA published a security notice to address multiple vulnerabilities in CA Secure Content Manager.

    Title: CA Secure Content Manager HTTP Gateway Service FTP Request Vulnerabilities

    CA Advisory Date: 2008-06-03

    Reported By: Sebastian Apelt working with ZDI/TippingPoint; Cody Pierce, TippingPoint DVLabs

    Impact: A remote attacker can cause a denial of service or execute arbitrary code.

    Summary: CA Secure Content Manager contains multiple vulnerabilities in the HTTP Gateway service that can allow a remote attacker to cause a denial of service condition or execute arbitrary code. CA has issued a patch to address the vulnerabilities. The vulnerabilities, CVE-2008-2541, occur due to insufficient bounds checking on certain FTP requests. An attacker can make a request that will cause the service to fail or allow the attacker to take privileged action on the system.

    Mitigating Factors: None

    Severity: CA has given these vulnerabilities a maximum risk rating of High.

    Affected Products:
    CA Secure Content Manager r8

    Affected Platforms:
    Windows

    Status and Recommendation:
    CA has issued the following patch to address the vulnerabilities.
    CA Secure Content Manager r8:  QO99987

    How to determine if you are affected:
    Windows:
    1. Using a registry editor, determine if the following key exists:
    HKEY_LOCAL_MACHINE\Software\ComputerAssociates\Hidden\PatchID\80VULNHOTFIX
    2. If the key does not exist, the installation is vulnerable.

    Workaround: None

    References (URLs may wrap):
    CA Support:
    http://support.ca.com/
    Security Notice for CA Secure Content Manager HTTP Gateway Service
    https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177784
    Solution Document Reference APARs:
    QO99987
    CA Security Response Blog posting:
    CA Secure Content Manager HTTP Gateway Service FTP Request Vulnerabilities
    http://community.ca.com/blogs/casecurityresponseblog/archive/2008/06/04.aspx
    Reported By:
    Sebastian Apelt working with ZDI/TippingPoint
    Cody Pierce, TippingPoint DVLabs
    CA ETrust Secure Content Manager Gateway FTP LIST Stack Overflow Vulnerability
    http://www.zerodayinitiative.com/advisories/ZDI-08-036/
    CA ETrust Secure Content Manager Gateway FTP PASV Stack Overflow Vulnerability
    http://www.zerodayinitiative.com/advisories/ZDI-08-035/
    CVE References:
    CVE-2008-2541 - CA Secure Content Manager multiple FTP buffer overflows
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2541
    OSVDB References: Pending
    http://osvdb.org/

    Changelog for this advisory:
    v1.0 - Initial Release

    Customers who require additional information should contact CA Technical Support at http://support.ca.com.

    For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

    If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
    URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

  • CA ARCserve Backup caloggerd and xdr Functions Vulnerabilities

    On May 19th, 2008 CA published a security notice to address multiple vulnerabilities in CA ARCserve Backup.


    Title: CA ARCserve Backup caloggerd and xdr Functions Vulnerabilities


    CA Advisory Date: 2008-05-19


    Reported By:

    An anonymous researcher working with the iDefense VCP
    Damian Put working with ZDI/TippingPoint


    Impact: A remote attacker can cause a denial of service or execute arbitrary code.


    Summary: CA ARCserve Backup contains multiple vulnerabilities that can allow a remote attacker to cause a denial of service or execute arbitrary code. CA has issued patches to address the vulnerabilities. The first vulnerability, CVE-2008-2241, is due to insufficient path verification by the logging service, caloggerd. An attacker can append data to arbitrary files, which can lead to system compromise. The second vulnerability, CVE-2008-2242, is due to insufficient bounds checking by multiple xdr functions. An attacker can cause an overflow and execute arbitrary code.


    Mitigating Factors: These issues affect only the server installation.


    Severity: CA has given these vulnerabilities a maximum risk rating of High.


    Affected Products:
    CA ARCserve Backup r11.5 (formerly BrightStor ARCserve Backup r11.5)
    CA ARCserve Backup r11.1 (formerly BrightStor ARCserve Backup r11.1)
    CA ARCserve Backup r11.0 (formerly BrightStor ARCserve Backup r11.0)
    CA Server Protection Suite r2
    CA Business Protection Suite r2
    CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
    CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

    Not Vulnerable:
    CA ARCserve Backup r12
    CA ARCserve Backup r11.5 SP4


    Affected Platforms:
    Windows
    Linux x86
    Linux IA-64
    Linux x86_64
    Tru64
    HP-UX
    Solaris
    Linux/s390


    Status and Recommendation:

    CA has issued the following patches and upgrades to address the vulnerabilities.

    CA ARCserve Backup r11.5 Windows:
    QO92996

    CA ARCserve Backup r11.1 Windows:
    QO92849

    CA ARCserve Backup r11.0 Windows:
    Upgrade to 11.1 and apply the latest patches.

    CA Protection Suites r2:
    QO92996

    The issues can also be addressed by applying CA ARCserve Backup 11.5 SP4 for Windows:
    QO99129

    For CA ARCserve Backup r11.5 and r11.1 on UNIX and Linux based platforms, upgrade to 11.5 SP3.

    Note: The upgrade for 11.1 requires new license keys, which are available for free until December 31, 2008. Visit the following link for more information.
    https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=172649

    CA ARCserve Backup r11.5 Linux/x86/IA-64/x86_64:
    QO89980

    CA ARCserve Backup r11.5 Tru64:
    QO89985

    CA ARCserve Backup r11.5 HP-UX:
    QO89984

    CA ARCserve Backup r11.5 Solaris:
    QO89982

    CA ARCserve Backup r11.5 AIX:
    QO89981

    CA ARCserve Backup r11.5 Linux/s390:
    QO89983

    CA ARCserve Backup r11.1 Linux/x86/IA-64/x86_64:
    QO89980

    CA ARCserve Backup r11.1 Tru64:
    QO89985

    CA ARCserve Backup r11.1 HP-UX:
    QO89984

    CA ARCserve Backup r11.1 Solaris:
    QO89982

    CA ARCserve Backup r11.1 AIX:
    QO89981

    CA ARCserve Backup r11.1 Linux/s390:
    QO89983


    How to determine if you are affected:

    For Windows:

       1. Using Windows Explorer, locate the file "caloggerd.exe". By default, the file is located in the "C:\Program Files\CA\BrightStor ARCserve Backup" directory.

       2. Right click on the file and select Properties.

       3. Select the General tab.

       4. If the file timestamp is earlier than indicated in the below table, the installation is vulnerable.


    Product Version File Name Timestamp File Size
    11.5 caloggerd.exe 05/18/2007 10:55:48 299008 bytes
    11.1 caloggerd.exe 05/18/2007 11:30:52 286720 bytes

    * For Protection Suites r2, use the file timestamp for CA ARCserve Backup r11.5.


    For Linux/x86/IA-64/x86_64, Tru64, HP-UX, Solaris, Linux/s390:

    Examine the file RELVERSION to determine the version. This can be done with the following command from a shell:

    cat $BAB_HOME/data/RELVERSION

    If the build number is below 2427, the installation is vulnerable.
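    Two of the "How to determine if you are affected" checks on this page are not file timestamps: the CA Secure Content Manager r8 advisory above keys on the presence of the 80VULNHOTFIX registry key, and the UNIX/Linux check here keys on the build number in RELVERSION. The following is an added Python example covering both; it is not CA's code and not part of either advisory. The registry key path and the build threshold 2427 come from the advisories; the RELVERSION layout is not documented on this page, so the parser's assumption (a "Build NNNN" field, else the last run of four or more digits) is labelled as such, and the registry opener is injectable so the logic can be dry-run off-box.

```python
import os
import re

# Marker key from the CA Secure Content Manager r8 advisory: it exists under
# HKEY_LOCAL_MACHINE once patch QO99987 has been applied.
SCM_HOTFIX_KEY = r"Software\ComputerAssociates\Hidden\PatchID\80VULNHOTFIX"

# First fixed build for ARCserve Backup on UNIX/Linux (caloggerd/xdr advisory).
MIN_FIXED_BUILD = 2427


def winreg_opener():
    """Real opener for Windows. It looks in both the 64-bit and the 32-bit (WOW64)
    registry views, since a 32-bit product on 64-bit Windows writes under
    Wow6432Node and a single-view lookup would report it as unpatched."""
    import winreg  # Windows only

    def open_key(subpath):
        for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
            try:
                return winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subpath, 0,
                                      winreg.KEY_READ | view)
            except FileNotFoundError:
                continue
        raise FileNotFoundError(subpath)
    return open_key


def fake_opener(present_keys):
    """Test double with the same contract as winreg_opener(): raises
    FileNotFoundError for any key not in `present_keys`."""
    def open_key(subpath):
        if subpath in present_keys:
            return object()
        raise FileNotFoundError(subpath)
    return open_key


def scm_patch_present(open_key=None):
    """True when the 80VULNHOTFIX marker key exists, i.e. QO99987 is applied."""
    open_key = open_key or winreg_opener()
    try:
        handle = open_key(SCM_HOTFIX_KEY)
    except FileNotFoundError:
        return False
    close = getattr(handle, "Close", None)  # winreg handles have Close(); the fake does not
    if close:
        close()
    return True


def relversion_build(text):
    """Extract the build number from RELVERSION text.

    Assumption (the advisory does not show the file's layout): prefer a
    'Build NNNN' field; otherwise take the last run of four or more digits,
    which copes with a dotted release string that ends in the build number.
    Returns None when nothing usable is found.
    """
    m = re.search(r"[Bb]uild\D{0,3}(\d+)", text)
    if m:
        return int(m.group(1))
    runs = re.findall(r"\d{4,}", text)
    return int(runs[-1]) if runs else None


def unix_install_vulnerable(relversion_text):
    """Apply the advisory's rule: a build below 2427 is unpatched.
    None means the build could not be read and the file needs a manual look."""
    build = relversion_build(relversion_text)
    return None if build is None else build < MIN_FIXED_BUILD


def read_relversion():
    """Read $BAB_HOME/data/RELVERSION, the file the advisory says to cat.
    BAB_HOME must already be set in the environment, as the advisory's command assumes."""
    with open(os.path.join(os.environ["BAB_HOME"], "data", "RELVERSION")) as f:
        return f.read()


if __name__ == "__main__":
    if "BAB_HOME" in os.environ:
        print("UNIX/Linux install vulnerable:", unix_install_vulnerable(read_relversion()))
    if os.name == "nt":
        print("SCM hotfix key present:", scm_patch_present())
```

    If relversion_build() returns None on a real RELVERSION, treat that as "cannot tell" and read the file by hand rather than extending the regex blindly; the threshold comparison is the only part of this check the advisory actually specifies.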


    Workaround: None


    References (URLs may wrap):
    CA Support:
    http://support.ca.com/
    Security Notice for CA ARCserve Backup caloggerd and xdr functions
    https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798
    Solution Document Reference APARs:
    QO92996, QO92849, QO99129, QO89980, QO89985, QO89984, QO89982, QO89981, QO89983
    CA Security Response Blog posting:
    CA ARCserve Backup caloggerd and xdr Functions Vulnerabilities
    http://community.ca.com/blogs/casecurityresponseblog/archive/2008/05/19.aspx
    Reported By:
    An anonymous researcher working with the iDefense VCP
    Damian Put working with ZDI/TippingPoint
    CVE References:
    CVE-2008-2241 - caloggerd file appending
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2241
    CVE-2008-2242 - xdr function buffer overflow vulnerability
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2242
    OSVDB References: Pending
    http://osvdb.org/


    Changelog for this advisory:
    v1.0 - Initial Release


    Customers who require additional information should contact CA Technical Support at http://support.ca.com.

    For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

    If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
    URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

  • Automatic Patch-Based Exploit Generation

    The Full-Disclosure mailing list is good for interesting, and often humorous, content on a daily basis.  The highlight of the week last week was a link to a paper entitled "Automatic Patch-Based Exploit Generation", by David Brumley, Pongsin Poosankam, Dawn Song, and Jiang Zheng.  From the abstract ... "In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update. [...] Attackers can simply wait for a patch to be released, use these techniques, and with reasonable chance, produce a working exploit within seconds. Coupled with a worm, all vulnerable hosts could be compromised before most are even aware a patch is available, let alone download it."  2008 is going to be an interesting year for security enthusiasts.

    Edited to add:  Halvar.Flake has a blog post with very insightful commentary on the paper. 

  • CA ARCserve Backup r12 and CA Secure Content Manager r8 vulnerabilities

    CA is currently investigating vulnerability reports concerning CA ARCserve Backup r12 and CA Secure Content Manager r8 that were published publicly on 4/17/08 and 4/18/08 respectively. CA will issue an advisory if and when the reports have been verified. 

  • CA DSM gui_cm_ctrls ActiveX Control Vulnerability

    On April 15th, 2008 CA published a security notice to address a vulnerability in CA products that implement the DSM gui_cm_ctrls ActiveX control.

    Title: CA DSM gui_cm_ctrls ActiveX Control Vulnerability

    CA Advisory Date: 2008-04-15

    Reported By: Greg Linares of eEye Digital Security

    Impact: A remote attacker can execute arbitrary code or cause a denial of service condition.

    Summary: CA products that implement the DSM gui_cm_ctrls ActiveX control contain a vulnerability that can allow a remote attacker to cause a denial of service or execute arbitrary code. The vulnerability, CVE-2008-1786, is due to insufficient verification of function arguments by the gui_cm_ctrls control. An attacker can execute arbitrary code under the context of the user running the web browser.

    Mitigating Factors: For BrightStor ARCserve Backup for Laptops & Desktops, only the server installation is affected. Client installations are not affected. For CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control, only the Managers and DSM Explorers are affected. Scalability Servers and Agents are not affected.

    Severity: CA has given these vulnerabilities a maximum risk rating of High.

    Affected Products:
    BrightStor ARCserve Backup for Laptops and Desktops r11.5
    CA Desktop Management Suite r11.2 C2
    CA Desktop Management Suite r11.2 C1
    CA Desktop Management Suite r11.2a
    CA Desktop Management Suite r11.2
    CA Desktop Management Suite r11.1 (GA, a, C1)
    Unicenter Desktop Management Bundle r11.2 C2
    Unicenter Desktop Management Bundle r11.2 C1
    Unicenter Desktop Management Bundle r11.2a
    Unicenter Desktop Management Bundle r11.2
    Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
    Unicenter Asset Management r11.2 C2
    Unicenter Asset Management r11.2 C1
    Unicenter Asset Management r11.2a
    Unicenter Asset Management r11.2
    Unicenter Asset Management r11.1 (GA, a, C1)
    Unicenter Software Delivery r11.2 C2
    Unicenter Software Delivery r11.2 C1
    Unicenter Software Delivery r11.2a
    Unicenter Software Delivery r11.2
    Unicenter Software Delivery r11.1 (GA, a, C1)
    Unicenter Remote Control r11.2 C2
    Unicenter Remote Control r11.2 C1
    Unicenter Remote Control r11.2a
    Unicenter Remote Control r11.2
    Unicenter Remote Control r11.1 (GA, a, C1)
    CA Desktop and Server Management r11.2 C2
    CA Desktop and Server Management r11.2 C1
    CA Desktop and Server Management r11.2a
    CA Desktop and Server Management r11.2
    CA Desktop and Server Management r11.1 (GA, a, C1)


    Affected Platforms:
    Windows


    Status and Recommendation:

    CA has provided the following updates to address the vulnerabilities.

    BrightStor ARCserve Backup for Laptops and Desktops r11.5:
    QI96333

    CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
    Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
    Unicenter Asset Management r11.1 (GA, a, C1),
    Unicenter Software Delivery r11.1 (GA, a, C1),
    Unicenter Remote Control r11.1 (GA, a, C1):
    QO96283

    CA Desktop Management Suite for Windows r11.2a,
    Unicenter Desktop Management Bundle r11.2a,
    Unicenter Asset Management r11.2a,
    Unicenter Software Delivery r11.2a,
    Unicenter Remote Control r11.2a:
    QO96286

    CA Desktop Management Suite for Windows r11.2,
    Unicenter Desktop Management Bundle r11.2,
    Unicenter Asset Management r11.2,
    Unicenter Software Delivery r11.2,
    Unicenter Remote Control r11.2:
    QO96285

    CA Desktop Management Suite for Windows r11.2 C1,
    Unicenter Desktop Management Bundle r11.2 C1,
    Unicenter Asset Management r11.2 C1,
    Unicenter Software Delivery r11.2 C1,
    Unicenter Remote Control r11.2 C1:
    QO96284

    CA Desktop Management Suite for Windows r11.2 C2,
    Unicenter Desktop Management Bundle r11.2 C2,
    Unicenter Asset Management r11.2 C2,
    Unicenter Software Delivery r11.2 C2,
    Unicenter Remote Control r11.2 C2:
    QO99084

    CA Desktop and Server Management r11.2 C2:
    QO99080

    CA Desktop and Server Management r11.2 C1:
    QO96288

    CA Desktop and Server Management r11.2a:
    QO96290

    CA Desktop and Server Management r11.2:
    QO96289

    CA Desktop and Server Management r11.1 (GA, a, C1):
    QO96287


    How to determine if you are affected:

    For products on Windows:
    1. Using Windows Explorer, locate the file “gui_cm_ctrls.ocx”. By default, the file is in the “C:\Program Files\CA\DSM\bin\” directory.
    2. Right click on the file and select Properties.
    3. Select the Version tab.
    4. If the file version is earlier than indicated in the list below, the installation is vulnerable.

    Product, File Name, File Version:

    CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
    Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
    Unicenter Asset Management r11.1 (GA, a, C1),
    Unicenter Software Delivery r11.1 (GA, a, C1),
    Unicenter Remote Control r11.1 (GA, a, C1),
    CA Desktop and Server Management r11.1 (GA, a, C1):
    gui_cm_ctrls.ocx  11.1.8124.2517

    CA Desktop Management Suite for Windows r11.2,
    Unicenter Desktop Management Bundle r11.2,
    Unicenter Asset Management r11.2,
    Unicenter Software Delivery r11.2,
    Unicenter Remote Control r11.2,
    CA Desktop and Server Management r11.2:
    gui_cm_ctrls.ocx  11.2.2.4332

    CA Desktop Management Suite for Windows r11.2a,
    Unicenter Desktop Management Bundle r11.2a,
    Unicenter Asset Management r11.2a,
    Unicenter Software Delivery r11.2a,
    Unicenter Remote Control r11.2a,
    CA Desktop and Server Management r11.2a:
    gui_cm_ctrls.ocx  11.2.3.1896

    CA Desktop Management Suite for Windows r11.2 C1,
    Unicenter Desktop Management Bundle r11.2 C1,
    Unicenter Asset Management r11.2 C1,
    Unicenter Software Delivery r11.2 C1,
    Unicenter Remote Control r11.2 C1,
    BrightStor ARCserve Backup for Laptops and Desktops r11.5,
    CA Desktop and Server Management r11.2 C1:
    gui_cm_ctrls.ocx  11.2.1000.17

    CA Desktop Management Suite for Windows r11.2 C2,
    Unicenter Desktop Management Bundle r11.2 C2,
    Unicenter Asset Management r11.2 C2,
    Unicenter Software Delivery r11.2 C2,
    Unicenter Remote Control r11.2 C2,
    CA Desktop and Server Management r11.2 C2:
    gui_cm_ctrls.ocx  11.2.2000.4


    Workaround: As a temporary workaround solution, disable the gui_cm_ctrls ActiveX control in the registry by setting the kill bit on CLSID {E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}. Disabling the control may prevent the GUI from functioning correctly. Refer to Microsoft KB article 240797 for information on how to disable an ActiveX control.
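    Two practical points about the check and the workaround above are worth making concrete. First, the version test must compare the four components as integers: the C1 fix (11.2.1000.17) sorts before the r11.2 fix (11.2.2.4332) as a plain string, which would mark a patched C1 install as vulnerable. Second, the kill bit is a registry setting with a well-defined location. The following is an added Python example, not CA's or Microsoft's code and not part of the advisory: the fixed versions and the CLSID are copied from the advisory, while the registry path and the 0x400 "Compatibility Flags" value are the mechanism documented in Microsoft KB 240797, which the advisory refers to.

```python
# Fixed gui_cm_ctrls.ocx versions copied from the advisory's table, keyed by release.
FIXED_OCX_VERSION = {
    "r11.1":    "11.1.8124.2517",
    "r11.2":    "11.2.2.4332",
    "r11.2a":   "11.2.3.1896",
    "r11.2 C1": "11.2.1000.17",  # also BrightStor ARCserve Backup for Laptops and Desktops r11.5
    "r11.2 C2": "11.2.2000.4",
}

# CLSID named in the advisory's workaround, and the kill-bit location from KB 240797.
KILL_BIT_CLSID = "{E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}"
ACTIVEX_COMPAT = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating the control


def version_tuple(version):
    """'11.2.1000.17' -> (11, 2, 1000, 17): compare components numerically."""
    return tuple(int(part) for part in version.split("."))


def ocx_is_vulnerable(release, observed_version):
    """Apply the advisory's rule: a file version earlier than the table's is
    vulnerable. Returns None when the release is not in the table."""
    fixed = FIXED_OCX_VERSION.get(release)
    if fixed is None:
        return None
    return version_tuple(observed_version) < version_tuple(fixed)


def string_compare_misorders(a, b):
    """True when plain string ordering disagrees with numeric ordering; shows
    why the comparison above does not use the version strings directly."""
    return (a < b) != (version_tuple(a) < version_tuple(b))


def kill_bit_target(clsid=KILL_BIT_CLSID):
    """(HKLM subkey, value name, flag) that sets the kill bit for `clsid`.
    On 64-bit Windows, 32-bit Internet Explorer reads the Wow6432Node view, so
    a complete deployment writes the same value under both views."""
    return (ACTIVEX_COMPAT + "\\" + clsid, "Compatibility Flags", KILL_BIT)


def merged_flags(existing):
    """OR the kill bit into whatever flags are already set, never overwrite them."""
    return (existing or 0) | KILL_BIT


def set_kill_bit(clsid=KILL_BIT_CLSID):
    """Write the kill bit for `clsid` (Windows only, needs administrative rights)."""
    import winreg
    subkey, name, _ = kill_bit_target(clsid)
    access = winreg.KEY_QUERY_VALUE | winreg.KEY_SET_VALUE
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0, access) as key:
        try:
            existing, _ = winreg.QueryValueEx(key, name)
        except FileNotFoundError:
            existing = 0
        winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, merged_flags(existing))


if __name__ == "__main__":
    # Constructed value as read from the Version tab of gui_cm_ctrls.ocx on an r11.2 host.
    print("r11.2 host at 11.2.2.4331 vulnerable:", ocx_is_vulnerable("r11.2", "11.2.2.4331"))
    print("string compare misorders C1 vs r11.2:",
          string_compare_misorders("11.2.1000.17", "11.2.2.4332"))
```

    The file version itself is read from the Version tab as the advisory describes; set_kill_bit() is the scripted form of the workaround and, as the advisory warns, the GUI that relies on the control may stop working until the patch is applied and the bit is cleared again.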


    References (URLs may wrap):
    CA Support:
    http://support.ca.com/
    Security Notice for CA products using the DSM gui_cm_ctrls ActiveX control
    https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=174256
    Solution Document Reference APARs:
    QI96333, QO96283, QO96286, QO96285, QO96284, QO99084, QO99080, QO96288, QO96290, QO96289, QO96287
    CA Security Response Blog posting:
    CA DSM gui_cm_ctrls ActiveX Control Vulnerability
    http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/16/[...]vulnerability.aspx
    Reported By:
    Greg Linares of eEye Digital Security
    CVE Reference:
    CVE-2008-1786
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1786
    OSVDB References: Pending
    http://osvdb.org/


    Changelog for this advisory:
    v1.0 - Initial Release


    Customers who require additional information should contact CA Technical Support at http://support.ca.com.

    For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

    If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.

    URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

  • CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities

    On April 3rd, 2008, CA published a security notice to address multiple vulnerabilities in CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite.


    Title: CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities

    CA Advisory Date: 2008-04-03

    Reported By: Dyon Balding of Secunia Research

    Impact: A remote attacker can execute arbitrary code or cause a denial of service condition.

    Summary: CA ARCserve Backup for Laptops and Desktops Server contains multiple vulnerabilities that can allow a remote attacker to execute arbitrary code or cause a denial of service condition. CA has issued updates to address the vulnerabilities. The first issue, CVE-2008-1328, occurs due to insufficient bounds checking on command arguments by the LGServer service. The second issue, CVE-2008-1329, occurs due to insufficient verification of file uploads by rxRPC.dll. In most cases, an attacker can potentially gain complete control of an affected installation. Additionally, only a server installation of BrightStor ARCserve Backup for Laptops and Desktops is affected. The client installation is not affected.

    Note: the previously published patches for CVE-2007-3216 and CVE-2007-5005 did not fully address some issues.

    Mitigating Factors: Client installations are not affected.

    Severity: CA has given these vulnerabilities a maximum risk rating of High.

    Affected Products:
    CA ARCserve Backup for Laptops and Desktops r11.5
    CA ARCserve Backup for Laptops and Desktops r11.1 SP2
    CA ARCserve Backup for Laptops and Desktops r11.1 SP1
    CA ARCserve Backup for Laptops and Desktops r11.1
    CA ARCserve Backup for Laptops and Desktops r11.0
    CA Desktop Management Suite 11.2 English
    CA Desktop Management Suite 11.2 localized
    CA Desktop Management Suite 11.1

    Affected Platforms:
    Windows

    Status and Recommendation:
    CA has provided updates to address the vulnerabilities.
    CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.2 SP2:  QO95512
    CA ARCserve Backup for Laptops and Desktops 11.5:  QO95513
    CA Desktop Management Suite 11.2 English:  QO95513
    CA Desktop Management Suite 11.2 localized:  QO95513
    CA Desktop Management Suite 11.1:  Upgrade to 11.1 C1.
    CA ARCserve Backup for Laptops and Desktops 11.0:  Upgrade to ARCserve Backup for Laptops and Desktops version 11.1 and apply the latest patches.  QI85497

    How to determine if you are affected:

    For Windows:
    1. Using Windows Explorer, locate the file "rxRPC.dll". The file can be found in the following default locations:
    Product:  CA ARCserve Backup for Laptops and Desktops 11.5
    Directory Path:  C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Explorer
    Product:  CA ARCserve Backup for Laptops and Desktops 11.1   
    Directory Path:  C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server
    Product:  CA Desktop Management Suite 11.2 English
    Directory Path:  C:\Program Files\CA\DSM\BABLD\MGUI
    Product:  CA Desktop Management Suite 11.2 localized
    Directory Path:  C:\Program Files\CA\DSM\BABLD\MGUI
    2. Right click on the files and select Properties.
    3. Select the General tab.
    4. If the file date is earlier than indicated in the below table, the installation is vulnerable.

    Product                                           File Name  File Date / Size
    CA ARCserve Backup for Laptops and Desktops 11.5  rxRPC.dll  February 18 2008 / 126976
    CA ARCserve Backup for Laptops and Desktops 11.1  rxRPC.dll  February 18 2008 / 114688
    CA Desktop Management Suite 11.2 English          rxRPC.dll  February 18 2008 / 126976
    CA Desktop Management Suite 11.2 localized        rxRPC.dll  February 18 2008 / 126976


    Workaround: None

    References (URLs may wrap):
    CA Support:
    http://support.ca.com/
    Security Notice for CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite
    https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105
    Solution Document Reference APARs:
    QO95512, QO95513, QI85497
    CA Security Response Blog posting:
    CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities
    http://community.ca.com/blogs/[...]-vulnerabilities.aspx
    Reported By:
    Dyon Balding of Secunia Research
    CVE References:
    CVE-2008-1328 and CVE-2008-1329
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1328
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1329
    OSVDB References: Pending
    http://osvdb.org/

    Changelog for this advisory:
    v1.0 - Initial Release

    Customers who require additional information should contact CA Technical Support at http://support.ca.com.

    For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

    If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
    URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx
  • CA Alert Notification Server Multiple Vulnerabilities

    On April 3rd, 2008 CA published a security notice to address a vulnerability in CA Alert Notification Server.


    Title: CA Alert Notification Server Multiple Vulnerabilities

    CA Advisory Date: 2008-04-03

    Reported By: An anonymous researcher working with the iDefense VCP

    Impact: A remote authenticated attacker can execute arbitrary code or cause a denial of service condition.

    Summary: CA Alert Notification Server service contains multiple vulnerabilities that can allow a remote authenticated attacker to execute arbitrary code or cause a denial of service condition. CA has issued updates to address the vulnerabilities. The vulnerabilities, CVE-2007-4620, are due to insufficient bounds checking in multiple procedures. A remote authenticated attacker or local user can exploit a buffer overflow to execute arbitrary code or cause a denial of service.

    Mitigating Factors: Remote attacker must have legitimate authentication credentials.

    Severity: CA has given these vulnerabilities a maximum risk rating of High.

    Affected Products:
    CA Anti-Virus for the Enterprise 7.1
    CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
    CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8.1
    CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
    CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
    BrightStor ARCserve Backup r11.5
    BrightStor ARCserve Backup r11.1
    BrightStor ARCserve Backup r11 for Windows

    Affected Platforms:
    Windows

    Status and Recommendation:
    CA has provided updates to address the vulnerabilities.
    CA Anti-Virus for the Enterprise 7.1, CA Anti-Virus for the Enterprise r8:  QO96079
    CA Threat Manager for the Enterprise r8:  QO96387
    CA Anti-Virus for the Enterprise r8.1, CA Threat Manager for the Enterprise r8.1:  QO96080
    BrightStor ARCserve Backup r11.5, BrightStor ARCserve Backup r11.1:  QO96079
    BrightStor ARCserve Backup r11.0:  Upgrade to 11.1 and apply the latest patches.

    How to determine if you are affected:

    For products on Windows:
       1. Using Windows Explorer, locate the file "alert.exe". By default, the file is located in the "C:\Program Files\CA\SharedComponents\Alert" directory.
       2. Right click on the file and select Properties.
       3. Select the Version tab.
       4. If the file version is earlier than indicated in the below table, the installation is vulnerable.

    Product | File | Version
    CA Anti-Virus for the Enterprise r8.1 | Alert.exe | 8.1.586.0
    CA Threat Manager for the Enterprise 8.1 | Alert.exe | 8.1.586.0
    CA Threat Manager for the Enterprise r8 | Alert.exe | 8.0.450.0
    CA Anti-Virus for the Enterprise 7.1 | Alert.exe | 7.1.758.0
    CA Anti-Virus for the Enterprise r8 | Alert.exe | 7.1.758.0
    BrightStor ARCserve Backup r11.5 | Alert.exe | 7.1.758.0
    BrightStor ARCserve Backup r11.1 | Alert.exe | 7.1.758.0


    Workaround: None

    References (URLs may wrap):
    CA Support:
    http://support.ca.com/
    Security Notice for Alert Notification Server
    https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173103
    Solution Document Reference APARs:
    QO96079, QO96387, QO96080, QO96079
    CA Security Response Blog posting:
    CA Alert Notification Server Multiple Vulnerabilities
    http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/04/ca-alert-notification-server-multiple-vulnerabilities.aspx
    Reported By:
    An anonymous researcher working with the iDefense VCP
    CVE References:
    CVE-2007-4620
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4620
    OSVDB References: Pending
    http://osvdb.org/

    Changelog for this advisory:
    v1.0 - Initial Release

    Customers who require additional information should contact CA Technical Support at http://support.ca.com.

    For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

    If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
    URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx
  • CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability

    On March 28th, 2008, CA published a security notice to address a vulnerability in CA products that implement the DSM ListCtrl ActiveX control.

     

    Title: CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability

    CVE: CVE-2008-1472

    CA Advisory Date: 2008-03-28

    Reported By: Exploit code posted at milw0rm.com

    Impact: A remote attacker can cause a denial of service or execute arbitrary code.

    Summary: CA products that implement the DSM ListCtrl ActiveX control are vulnerable to a buffer overflow condition that can allow a remote attacker to cause a denial of service or execute arbitrary code with the privileges of the user running the web browser. The vulnerability, CVE-2008-1472, is due to insufficient bounds checking on the ListCtrl AddColumn function.

    Mitigating Factors: For BrightStor ARCserve Backup for Laptops & Desktops, only the server installation is affected. Client installations are not affected. For CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control, only the Managers and DSM Explorers are affected. Scalability Servers and agents are not affected.

    Severity: CA has given this vulnerability a maximum risk rating of High.

    Affected Products:
    BrightStor ARCServe Backup for Laptops and Desktops r11.5
    CA Desktop Management Suite r11.2 C1
    CA Desktop Management Suite r11.2a
    CA Desktop Management Suite r11.2
    CA Desktop Management Suite r11.1 (GA, a, C1)
    Unicenter Desktop Management Bundle r11.2 C1
    Unicenter Desktop Management Bundle r11.2a
    Unicenter Desktop Management Bundle r11.2
    Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
    Unicenter Asset Management r11.2 C1
    Unicenter Asset Management r11.2a
    Unicenter Asset Management r11.2
    Unicenter Asset Management r11.1 (GA, a, C1)
    Unicenter Software Delivery r11.2 C1
    Unicenter Software Delivery r11.2a
    Unicenter Software Delivery r11.2
    Unicenter Software Delivery r11.1 (GA, a, C1)
    Unicenter Remote Control r11.2 C1
    Unicenter Remote Control r11.2a
    Unicenter Remote Control r11.2
    Unicenter Remote Control r11.1 (GA, a, C1)

    Affected Platforms:
    Windows

    Status and Recommendation:
    CA has provided the following updates to address the vulnerabilities.

    BrightStor ARCserve Backup for Laptops and Desktops r11.5:
    QO96102

    CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
    Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
    Unicenter Asset Management r11.1 (GA, a, C1),
    Unicenter Software Delivery r11.1 (GA, a, C1),
    Unicenter Remote Control r11.1 (GA, a, C1):
    QO96088

    CA Desktop Management Suite for Windows r11.2a,
    Unicenter Desktop Management Bundle r11.2a,
    Unicenter Asset Management r11.2a,
    Unicenter Software Delivery r11.2a,
    Unicenter Remote Control r11.2a:
    QO96092

    CA Desktop Management Suite for Windows r11.2,
    Unicenter Desktop Management Bundle r11.2,
    Unicenter Asset Management r11.2,
    Unicenter Software Delivery r11.2,
    Unicenter Remote Control r11.2:
    QO96091

    CA Desktop Management Suite for Windows r11.2 C1,
    Unicenter Desktop Management Bundle r11.2 C1,
    Unicenter Asset Management r11.2 C1,
    Unicenter Software Delivery r11.2 C1,
    Unicenter Remote Control r11.2 C1:
    QO96090

    How to determine if you are affected:
    For products on Windows:
       1. Using Windows Explorer, locate the file "ListCtrl.ocx". By default, the file is in the "C:\Program Files\CA\DSM\bin\" directory.
       2. Right click on the file and select Properties.
       3. Select the Version tab.
       4. If the file version is earlier than indicated in the below table, the installation is vulnerable.

    Product:
       CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
       Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
       Unicenter Asset Management r11.1 (GA, a, C1),
       Unicenter Software Delivery r11.1 (GA, a, C1),
       Unicenter Remote Control r11.1 (GA, a, C1)
    File Name: ListCtrl.ocx
    File Version: 11.1.8124.0

    Product:
       CA Desktop Management Suite for Windows r11.2,
       Unicenter Desktop Management Bundle r11.2,
       Unicenter Asset Management r11.2,
       Unicenter Software Delivery r11.2,
       Unicenter Remote Control r11.2    
    File Name: ListCtrl.ocx    
    File Version: 11.2.1000.16

    Product:
       CA Desktop Management Suite for Windows r11.2a,
       Unicenter Desktop Management Bundle r11.2a,
       Unicenter Asset Management r11.2a,
       Unicenter Software Delivery r11.2a,
       Unicenter Remote Control r11.2a
    File Name: ListCtrl.ocx
    File Version: 11.2.1000.16

    Product:
       CA Desktop Management Suite for Windows r11.2 C1,
       Unicenter Desktop Management Bundle r11.2 C1,
       Unicenter Asset Management r11.2 C1,
       Unicenter Software Delivery r11.2 C1,
       Unicenter Remote Control r11.2 C1,
       BrightStor ARCserve Backup for Laptops and Desktops r11.5
    File Name: ListCtrl.ocx    
    File Version: 11.2.1000.16
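
    The two "How to determine if you are affected" procedures above (the Alert.exe check in the Alert Notification Server advisory and the ListCtrl.ocx check in this one) are the same four manual steps: find the file, open its Version tab, compare against the table. The following PowerShell script is an added example that automates both; it is not CA's code. The file paths and fixed versions are the ones printed in the advisories; the function name Test-CAFileVersion, the lookup tables and the $product / $dsmRelease selectors are this example's own, and the installed product they are set to is an assumption you adjust to match the host.

```powershell
# Added example, not CA code: automate the "How to determine if you are affected"
# steps for Alert.exe (Alert Notification Server advisory) and ListCtrl.ocx (this
# advisory). Paths and fixed versions come from the advisories; everything else here
# (function name, table layout, product selectors) is this example's own.

function Test-CAFileVersion {
    param(
        [Parameter(Mandatory = $true)] [string]  $RelativePath,   # path below Program Files
        [Parameter(Mandatory = $true)] [version] $FixedVersion,
        [string] $Label = $RelativePath
    )

    # On 64-bit Windows a 32-bit component may live under "Program Files (x86)",
    # so look in both locations (assumption: the default install directory was kept).
    $bases = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $path  = $null
    foreach ($base in $bases) {
        $candidate = Join-Path $base $RelativePath
        if (Test-Path -LiteralPath $candidate) { $path = $candidate; break }
    }

    if (-not $path) {
        # No file means the component is not installed here: report it, do not flag it.
        return New-Object psobject -Property @{
            Check = $Label; Path = $null; Installed = $false; Version = $null; Vulnerable = $false
        }
    }

    # Build the version from the numeric VERSIONINFO fields instead of parsing the
    # FileVersion string, which vendors sometimes pad with free text.
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    $installed = New-Object System.Version(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    New-Object psobject -Property @{
        Check      = $Label
        Path       = $path
        Installed  = $true
        Version    = $installed
        # The advisories' rule: a file version earlier than the fixed one is vulnerable.
        Vulnerable = ($installed -lt $FixedVersion)
    }
}

# Fixed Alert.exe versions from the Alert Notification Server advisory table.
$alertFixed = @{
    'CA Anti-Virus for the Enterprise r8.1'    = '8.1.586.0'
    'CA Threat Manager for the Enterprise 8.1' = '8.1.586.0'
    'CA Threat Manager for the Enterprise r8'  = '8.0.450.0'
    'CA Anti-Virus for the Enterprise 7.1'     = '7.1.758.0'
    'CA Anti-Virus for the Enterprise r8'      = '7.1.758.0'
    'BrightStor ARCserve Backup r11.5'         = '7.1.758.0'
    'BrightStor ARCserve Backup r11.1'         = '7.1.758.0'
}
# Fixed ListCtrl.ocx versions from this advisory: r11.1 lines get 11.1.8124.0,
# every r11.2 line and BrightStor ARCserve Backup for Laptops and Desktops r11.5
# get 11.2.1000.16.
$listCtrlFixed = @{
    'r11.1' = '11.1.8124.0'
    'r11.2' = '11.2.1000.16'
}

# Assumed installed products; change these to match the host being checked.
$product    = 'CA Anti-Virus for the Enterprise r8.1'
$dsmRelease = 'r11.2'

$results = @(
    Test-CAFileVersion -Label "Alert.exe ($product)" `
        -RelativePath 'CA\SharedComponents\Alert\Alert.exe' `
        -FixedVersion $alertFixed[$product]
    Test-CAFileVersion -Label "ListCtrl.ocx ($dsmRelease)" `
        -RelativePath 'CA\DSM\bin\ListCtrl.ocx' `
        -FixedVersion $listCtrlFixed[$dsmRelease]
)

$results | Format-Table Check, Installed, Version, Vulnerable, Path -AutoSize

# Non-zero exit code when anything is below the fixed version, for use from a scheduler.
if ($results | Where-Object { $_.Vulnerable }) { exit 1 } else { exit 0 }
```

    The script only reproduces the version comparison the advisories define; it does not decide which product is installed, which is why the two selector variables exist. Because Alert.exe is shared across several CA products with different fixed versions, a host with more than one of them should be checked against the highest applicable row.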

    Workaround:
    As a temporary workaround solution, disable the ListCtrl ActiveX control in the registry by setting the kill bit on CLSID {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}. Disabling the control may prevent the GUI from functioning correctly. Refer to Microsoft KB article 240797 <http://support.microsoft.com/kb/240797> for information on how to disable an ActiveX control.
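
    Applying the kill bit described above is a registry change; the following PowerShell script is an added example (not CA's or Microsoft's code) that sets it for the ListCtrl control the way KB 240797 describes: a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility key for the CLSID quoted in the advisory. The function names and the decision to also write the Wow6432Node path (read by 32-bit Internet Explorer on 64-bit Windows) are this example's own assumptions. It must run in an elevated session.

```powershell
# Added example, not CA code: set the ActiveX kill bit for the DSM ListCtrl control
# (CLSID from the advisory) as described in Microsoft KB 240797. Function names and
# the handling of the Wow6432Node path are this example's own. Run elevated.

$ListCtrlClsid = '{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}'
$KillBit       = 0x400   # "Compatibility Flags" bit that marks a control as killed

# Registry roots Internet Explorer consults. The Wow6432Node root is used by 32-bit IE
# on 64-bit Windows; it is simply absent on 32-bit systems and then skipped.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    # Returns the current Compatibility Flags for the CLSID, 0 if the value is
    # missing, or $null if the CLSID key itself does not exist yet.
    param([string] $Root, [string] $Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $flags = $props.'Compatibility Flags'
    if ($null -eq $flags) { return 0 }
    return [int]$flags
}

function Set-KillBit {
    param([string] $Root, [string] $Clsid)
    if (-not (Test-Path -LiteralPath $Root)) { return }   # no such hive on this OS
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }

    # OR the kill bit into whatever flags are already present rather than overwriting
    # them, so other compatibility settings for the control survive.
    $before = Get-CompatFlags -Root $Root -Clsid $Clsid
    $after  = $before -bor $KillBit
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $after -Force | Out-Null

    New-Object psobject -Property @{
        Key    = $key
        Before = ('0x{0:X}' -f $before)
        After  = ('0x{0:X}' -f $after)
    }
}

function Test-KillBit {
    # $true when the kill bit is set for the CLSID under the given root.
    param([string] $Root, [string] $Clsid)
    $flags = Get-CompatFlags -Root $Root -Clsid $Clsid
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

foreach ($root in $CompatRoots) {
    Set-KillBit -Root $root -Clsid $ListCtrlClsid
}

# Verify: every root that exists on this machine should now report the bit set.
foreach ($root in $CompatRoots) {
    if (Test-Path -LiteralPath $root) {
        $state = if (Test-KillBit -Root $root -Clsid $ListCtrlClsid) { 'set' } else { 'NOT set' }
        '{0}: kill bit {1}' -f $root, $state
    }
}
```

    The verification loop at the end is the part to keep in a compliance check: Test-KillBit can be run on its own to confirm the workaround is still in place. Once the patch listed under "Status and Recommendation" is installed, the bit can be cleared again with the reverse operation (AND with the complement of 0x400) if the GUI functionality the advisory mentions is needed.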

    References (URLs may wrap):
    CA SupportConnect:
    http://support.ca.com/
    CA products using the DSM ListCtrl ActiveX Control Security Notice
    https://support.ca.com/irj/portal/anonymous/phpdocs?filePath=0/common/DSM_ListCtr_secnot.html
    Solution Document Reference APARs:
    QO96102, QO96088, QO96092, QO96091, QO96090
    CA Security Response Blog posting:
    CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability
    http://community.ca.com/blogs/casecurityresponseblog/archive/2008/3/28.aspx
    Reported By:
    Exploit code posted at milw0rm.com
    CVE References:
    CVE-2008-1472 - DSM ListCtrl ActiveX control AddColumn buffer overflow
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1472
    OSVDB References: Pending
    http://osvdb.org/

    Changelog for this advisory:
    v1.0 - Initial Release

    Customers who require additional information should contact CA Technical Support at http://support.ca.com.

    For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

    If you discover a vulnerability in CA products, please email your findings to vuln AT ca DOT com.

  • Note about recently publicized CA BrightStor ActiveX exploit code

    CA is reviewing exploit code that was posted on 2008-03-16 to the Milw0rm exploit archive web site.  This exploit code is potentially associated with vulnerabilities that may exist in CA BrightStor ARCserve Backup for Laptops and Desktops and/or related products.  CA will issue an advisory after we have completed our initial investigation.

  • Russian Business Network (RBN) - an example of modern cybercrime

    When warning customers, friends, and family about the dangers of cybercrime, they usually accuse me of exaggerating the severity of internet-related criminal activity. They think I'm sensationalizing an "epidemic" that, in reality, isn't very organized or pervasive. The truth though is that cybercrime is very mature, very businesslike, and more of a threat than ever before. A perfect example of the maturity of internet crime is the Russian Business Network (RBN). The RBN is a subject that is still more or less well known only to security industry practitioners. The Shadowserver Foundation, an internet security watchdog group, published a whitepaper last week entitled "RBN 'Rizing' - Abdallah Internet Hizmetleri". This whitepaper is a follow-up to their first paper on the RBN: "RBN As a Business Network - Clarifying the guesswork of Criminal Activity".

     

    In addition to the great research published by Shadowserver, I also recommend this blog about the RBN and of course the Wikipedia page for the Russian Business Network.
