-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Title: CA ARCserve Backup Discovery Service Denial of Service 
Vulnerability


CA Advisory Date: 2008-06-17


Reported By: Luigi Auriemma


Impact: A remote attacker can cause a denial of service.


Summary: CA ARCserve Backup contains a vulnerability in the 
Discovery service (casdscsvc) that can allow a remote attacker to 
cause a denial of service condition. CA has issued patches to 
address the vulnerability. The vulnerability, CVE-2008-1979, 
occurs due to insufficient verification of client data. An 
attacker can make a request that can crash the service.


Mitigating Factors: None


Severity: CA has given this vulnerability a Medium risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows SP3 and prior*
CA ARCserve Backup r11.1 Windows*
CA ARCserve Backup r11.1 Netware*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
   Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
   Premium Edition r2

*Formerly known as BrightStor ARCserve Backup


Non-affected Products:
CA ARCserve Backup r11.5 Windows SP4


Affected Platforms:
Windows and Netware


Status and Recommendation:
CA has issued the following patches to address the 
vulnerabilities. 
CA ARCserve Backup r12.0 Windows: QO99574
CA ARCserve Backup r11.5 Windows: QO99575
For CA ARCserve Backup r11.5 Windows, the issue can also be 
addressed by applying 11.5 SP4: QO99129
CA ARCserve Backup r11.1 Windows: QO99576
CA ARCserve Backup r11.1 Netware: QO99579
CA Protection Suites r2: QO99575


How to determine if you are affected:

CA ARCserve Backup r12.0 Windows:

1. Run the ARCserve Patch Management utility. From the Windows 
   Start menu, it can be found under Programs->CA->ARCserve Patch 
   Management->Patch Status.
2. The main patch status screen will indicate if patch “QO99574” 
   is currently applied. If the patch is not applied, the 
   installation is vulnerable.

For more information on the ARCserve Patch Management utility, 
read document TEC446265.

Alternatively, use the file information below to determine if the 
product installation is vulnerable.

CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows,
CA ARCserve Backup r11.1 Windows,
CA ARCserve Backup r11.1 Netware,
CA Protection Suites r2*:

1. Using Windows Explorer, locate the file “asbrdcst.dll”. By 
   default, the file is located in the 
   “C:\Program Files\CA\SharedComponents\ARCserve Backup\CADS” 
   directory on 32 bit systems and “C:\Program Files (x86)\CA\
   SharedComponents\ARCserve Backup\CADS” on 64 bit systems.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the below 
   table, the installation is vulnerable.

* For Protection Suites r2, use the file timestamp for CA ARCserve 
  Backup r11.5 English

Product Ver   Product Lang  File Name     File Sz Timestamp
                                          (bytes)
12.0 Windows  English       asbrdcst.dll  324872  05/01/2008 12:11
12.0 Windows  Spanish       asbrdcst.dll  324872  05/01/2008 12:11
12.0 Windows  Port-Braz     asbrdcst.dll  320776  05/01/2008 12:11
12.0 Windows  Japanese      asbrdcst.dll  320776  05/01/2008 12:11
12.0 Windows  Italian       asbrdcst.dll  324872  05/01/2008 12:11
12.0 Windows  German        asbrdcst.dll  324872  05/01/2008 12:11
12.0 Windows  French        asbrdcst.dll  324872  05/01/2008 12:11
12.0 Windows  Trad Chinese  asbrdcst.dll  316680  05/01/2008 12:11
12.0 Windows  Simp Chinese  asbrdcst.dll  316680  05/01/2008 12:11
11.5 Windows  English       asbrdcst.dll  212992  04/22/2008 10:15:02
11.5 Windows  Japanese      asbrdcst.dll  208896  04/22/2008 14:28:52
11.5 Windows  Simp Chinese  asbrdcst.dll  204800  04/22/2008 14:30:54
11.5 Windows  Trad Chinese  asbrdcst.dll  204800  04/22/2008 14:33:28
11.5 Windows  Italian       asbrdcst.dll  212992  04/22/2008 14:31:46
11.5 Windows  Port-Braz     asbrdcst.dll  212992  04/22/2008 14:53:54
11.5 Windows  German        asbrdcst.dll  212992  04/22/2008 14:27:48
11.5 Windows  French        asbrdcst.dll  212992  04/22/2008 14:26:54
11.5 Windows  Spanish       asbrdcst.dll  212992  04/22/2008 14:32:38
11.1 Windows  English       asbrdcst.dll  204800  04/24/2008 11:21:26
11.1 Windows  Japanese      asbrdcst.dll  200704  04/24/2008 11:25:48
11.1 Windows  Simp Chinese  asbrdcst.dll  196608  04/24/2008 11:27:44
11.1 Windows  Trad Chinese  asbrdcst.dll  196608  04/24/2008 11:30:32
11.1 Windows  Italian       asbrdcst.dll  204800  04/24/2008 11:28:38
11.1 Windows  Port-Braz     asbrdcst.dll  204800  04/24/2008 11:38:52
11.1 Windows  German        asbrdcst.dll  204800  04/24/2008 11:24:38
11.1 Windows  French        asbrdcst.dll  204800  04/24/2008 11:23:38
11.1 Windows  Spanish       asbrdcst.dll  204800  04/24/2008 11:29:34
11.1 Windows  Dutch         asbrdcst.dll  204800  04/24/2008 11:33:24
11.1 Windows  Polish        asbrdcst.dll  204800  04/24/2008 11:38:02
11.1 Windows  Russian       asbrdcst.dll  204800  04/24/2008 11:39:44
11.1 Windows  Turkish       asbrdcst.dll  204800  04/24/2008 11:41:28
11.1 Windows  Norwegian     asbrdcst.dll  204800  04/24/2008 11:37:12
11.1 Windows  Danish        asbrdcst.dll  204800  04/24/2008 11:32:28
11.1 Windows  Czech         asbrdcst.dll  204800  04/24/2008 11:31:28
11.1 Windows  Hungarian     asbrdcst.dll  204800  04/24/2008 11:36:22
11.1 Windows  Swedish       asbrdcst.dll  204800  04/24/2008 11:40:38
11.1 Windows  Finnish       asbrdcst.dll  204800  04/24/2008 11:34:40
11.1 Windows  Greek         asbrdcst.dll  204800  04/24/2008 11:35:32
11.1 Netware  English       asbrdcst.dll  204800  04/24/2008 11:21:26


Workaround: As a temporary workaround, stop and disable the CA 
ARCserve Discovery service. With the service disabled, deploying 
agents using Auto-discovery will not work.


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Discovery Service
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=178937
Solution Document Reference APARs:
QO99574, QO99575, QO99129, QO99576, QO99579
CA Security Response Blog posting:
CA ARCserve Backup Discovery Service Denial of Service Vulnerability
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/06/18.asp
x
Reported By: 
Luigi Auriemma
http://aluigi.altervista.org/adv/carcbackazz-adv.txt
CVE References:
CVE-2008-1979 - casdscsvc denial of service
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1979
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


CA, 1 CA Plaza, Islandia, NY 11749
	
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFIWR6beSWR3+KUGYURAieJAJ9a+VTiwKJ78Y80eD86o8AeTm/d4ACeL2+W
hl/jlkzEtAHwCF9eUt1TjMo=
=RXzI
-----END PGP SIGNATURE-----