-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                      ESB-2008.0632 -- [Win][Netware]
      CA ARCserve Discovery Service - Denial of Service Vulnerability
                               19 June 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              CA ARCserve Backup r12.0 Windows
                      CA ARCserve Backup r11.5 Windows SP3 and prior
                      CA ARCserve Backup r11.1 Windows
                      CA ARCserve Backup r11.1 Netware
                      CA Server Protection Suite r2
                      CA Business Protection Suite r2
                      CA Business Protection Suite for Microsoft Small 
                          Business Server Standard Edition r2
                      CA Business Protection Suite for Microsoft Small 
                          Business Server Premium Edition r2
Publisher:            CA
Operating System:     Windows
                      Netware
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1979

Original Bulletin:  
  https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=178937

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Notice for CA ARCserve Discovery Service

Issued: June 17, 2008

CA's technical support is alerting customers to security risks associated with 
CA ARCserve Backup. A vulnerability exists in the CA ARCserve Discovery 
Service, casdscsvc, that can allow a remote attacker to cause a denial of 
service condition. CA has issued patches to address the vulnerability.

The vulnerability, CVE-2008-1979, occurs due to insufficient verification of 
client data. An attacker can make a request that can crash the service.

Risk Rating

Medium

Platforms

Windows and Netware

Affected Products

CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows SP3 and prior*
CA ARCserve Backup r11.1 Windows*
CA ARCserve Backup r11.1 Netware*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
  Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
  Premium Edition r2

*Formerly known as BrightStor ARCserve Backup.

Non-affected Products

CA ARCserve Backup r11.5 Windows SP4.

How to determine if the installation is affected

CA ARCserve Backup r12.0 Windows:

   1. Run the ARCserve Patch Management utility. From the Windows Start menu, 
      it can be found under 
      Programs->CA-> ARCserve Patch Management->Patch Status.

   2. The main patch status screen will indicate if patch "QO99574" is 
      currently applied. If the patch is not applied, the installation is 
      vulnerable.

For more information on the ARCserve Patch Management utility, read document 
TEC446265.

Alternatively, use the below file information to determine if the product 
installation is vulnerable.

CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows,
CA ARCserve Backup r11.1 Windows,
CA ARCserve Backup r11.1 Netware,
CA Protection Suites r2*:

   1. Using Windows Explorer, locate the file "asbrdcst.dll". By default, the 
file is located in the 
"C:\Program Files\CA\SharedComponents\ARCserve Backup\CADS" directory on 32 bit 
systems and 
"C:\Program Files (x86)\CA\SharedComponents\ARCserve Backup\CADS" on 64 bit 
systems.

   2. Right click on the file and select Properties.

   3. Select the General tab.

   4. If the file timestamp is earlier than indicated in the below table, the 
      installation is vulnerable.

* For Protection Suites r2 , use the file timestamp for CA ARCserve Backup 
r11.5 English.

Product Ver   Product Lang  File Name     File Sz Timestamp
                                          (bytes)
12.0 Windows  English       asbrdcst.dll  324872  05/01/2008 12:11
12.0 Windows  Spanish       asbrdcst.dll  324872  05/01/2008 12:11
12.0 Windows  Port-Braz     asbrdcst.dll  320776  05/01/2008 12:11
12.0 Windows  Japanese      asbrdcst.dll  320776  05/01/2008 12:11
12.0 Windows  Italian       asbrdcst.dll  324872  05/01/2008 12:11
12.0 Windows  German        asbrdcst.dll  324872  05/01/2008 12:11
12.0 Windows  French        asbrdcst.dll  324872  05/01/2008 12:11
12.0 Windows  Trad Chinese  asbrdcst.dll  316680  05/01/2008 12:11
12.0 Windows  Simp Chinese  asbrdcst.dll  316680  05/01/2008 12:11
11.5 Windows  English       asbrdcst.dll  212992  04/22/2008 10:15:02
11.5 Windows  Japanese      asbrdcst.dll  208896  04/22/2008 14:28:52
11.5 Windows  Simp Chinese  asbrdcst.dll  204800  04/22/2008 14:30:54
11.5 Windows  Trad Chinese  asbrdcst.dll  204800  04/22/2008 14:33:28
11.5 Windows  Italian       asbrdcst.dll  212992  04/22/2008 14:31:46
11.5 Windows  Port-Braz     asbrdcst.dll  212992  04/22/2008 14:53:54
11.5 Windows  German        asbrdcst.dll  212992  04/22/2008 14:27:48
11.5 Windows  French        asbrdcst.dll  212992  04/22/2008 14:26:54
11.5 Windows  Spanish       asbrdcst.dll  212992  04/22/2008 14:32:38
11.1 Windows  English       asbrdcst.dll  204800  04/24/2008 11:21:26
11.1 Windows  Japanese      asbrdcst.dll  200704  04/24/2008 11:25:48
11.1 Windows  Simp Chinese  asbrdcst.dll  196608  04/24/2008 11:27:44
11.1 Windows  Trad Chinese  asbrdcst.dll  196608  04/24/2008 11:30:32
11.1 Windows  Italian       asbrdcst.dll  204800  04/24/2008 11:28:38
11.1 Windows  Port-Braz     asbrdcst.dll  204800  04/24/2008 11:38:52
11.1 Windows  German        asbrdcst.dll  204800  04/24/2008 11:24:38
11.1 Windows  French        asbrdcst.dll  204800  04/24/2008 11:23:38
11.1 Windows  Spanish       asbrdcst.dll  204800  04/24/2008 11:29:34
11.1 Windows  Dutch         asbrdcst.dll  204800  04/24/2008 11:33:24
11.1 Windows  Polish        asbrdcst.dll  204800  04/24/2008 11:38:02
11.1 Windows  Russian       asbrdcst.dll  204800  04/24/2008 11:39:44
11.1 Windows  Turkish       asbrdcst.dll  204800  04/24/2008 11:41:28
11.1 Windows  Norwegian     asbrdcst.dll  204800  04/24/2008 11:37:12
11.1 Windows  Danish        asbrdcst.dll  204800  04/24/2008 11:32:28
11.1 Windows  Czech         asbrdcst.dll  204800  04/24/2008 11:31:28
11.1 Windows  Hungarian     asbrdcst.dll  204800  04/24/2008 11:36:22
11.1 Windows  Swedish       asbrdcst.dll  204800  04/24/2008 11:40:38
11.1 Windows  Finnish       asbrdcst.dll  204800  04/24/2008 11:34:40
11.1 Windows  Greek         asbrdcst.dll  204800  04/24/2008 11:35:32
11.1 Netware  English       asbrdcst.dll  204800  04/24/2008 11:21:26


Solution

CA has issued the following patches to address the vulnerabilities.

CA ARCserve Backup r12.0 Windows:
QO99574

CA ARCserve Backup r11.5 Windows:
QO99575

For CA ARCserve Backup r11.5 Windows, the issue can also be addressed by
applying 11.5 SP4:
QO99129

CA ARCserve Backup r11.1 Windows:
QO99576

CA ARCserve Backup r11.1 Netware:
QO99579

CA Protection Suites r2:
QO99575

Workaround

As a temporary workaround, stop and disable the CA ARCserve Discovery service. 
With the service disabled, deploying agents using Auto-discovery will not 
work.

References

CVE-2008-1979 - casdscsvc denial of service

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technical Support at 
http://support.ca.com.

If you discover a vulnerability in CA products, please report your findings 
to our product security response team
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSFmzICh9+71yA2DNAQLeAQP/cH5m/m9m2jerzI2sroFZuTgvBBzzLhZY
iuJUPj0iqUzC7yRexBndKJkb7P7gfPrR68ZXACwRC20JIxtf5XRcmZ/MCNqX0jq0
HL96Y+TGBQ56g6b3I1uA69OTA5RmXvNeor3Yd6Emf5LS+EnxIhx4NnfTMxdvn5A8
K2OwQKinzUg=
=xVxI
-----END PGP SIGNATURE-----