DM Deployment Common Component Security Notice Frequently Asked Questions - CA Technologies
{{search ? 'Close':'Search'}}

DM Deployment Common Component
Security Notice
Frequently Asked Questions

Last Updated: January 05, 2006

What is DM Primer?

DM Primer is part of the DM Deployment Common Component, and is used to facilitate the installation of products to remote systems. Using the DM Sweep utility it is possible to push the DM Primer to a remote system (or systems), install it as a Windows Service and start it so that it enters a listening state, ready to receive product deployment requests.


Where is DM Primer installed?

The DM Primer install location is recorded in the Windows Registry at the following location

HKEY_LOCAL_MACHINESOFTWAREComputerAssociatesDesktop Common ServicesDMPrimerInstallPath


How do I determine the version of DM Primer?

Locate 'dmprimer.exe' and then run the 'dmprimer -v' command in a DOS window. This will display a popup window showing the version of DM Primer. E.g.

Figure1

An alternative, if you have a DM Deployment manager machine, is to run the 'dmsweep -a1:<machine|ipaddress>' command to query a machine or IP address, e.g.

      dmsweep -a1:mypcname         -- Sweeping mypcname ; subnet mask: 255.255.255.0 --          ------------------------------------------------------------------------------        Product   :Object(Version)      :Computer      :Address         :Attached Addr        ------------------------------------------------------------------------------        DM        :DMPrimer(1.4.155)    :MYPCNAME      :192.168.0.1     :    
-- DMSweep completed --

This command can be run against an entire subnet or a portion of a subnet, e.g.

      dmsweep -a1:192.168.*.* 

would query every ip address in the range 192.168.0.1 through to 192.168.255.254. To run against a portion of a subnet, use the "-a2:" argument to specify the end ip address, e.g.

      dmsweep -a1:192.168.0.1 -a2:192.168.0.100 

would query every ip address in the range 192.168.0.1 through to 192.168.0.100


How can I determinine if DM Primer is running:

Locally : There are a number of ways of checking if DM Primer is running on a system. These are listed below:-

  1. Use the Windows Task Manager to check for a running process called 'dmprimer.exe'
  2. Use the 'NET START' DOS command to list all the running Services and look for one called 'DM Primer'
  3. Use the 'TASKLIST /SVC' DOS command to list all running Services and look for 'dmprimer.exe'
  4. Use the 'SC QUERY DMPRIMER' DOS command (may require to be installed from the Windows Resource Kit) to list the current status of the DMPrimer service - it should produce output like
     SERVICE_NAME: DMPRIMER               TYPE               : 110  WIN32_OWN_PROCESS (interactive)               STATE              : 4  RUNNING                                       (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)               WIN32_EXIT_CODE    : 0  (0x0)               SERVICE_EXIT_CODE  : 0  (0x0)               CHECKPOINT         : 0x0               WAIT_HINT          : 0x0 

Remotely : There are a number of ways of checking if DM Primer is running on a remote system. These are listed below:-

Use the 'dmsweep -a1:' command from a DOS window on a system which hosts the DM deployment manager as follows:
     dmsweep -a1:mypcname          -- Sweeping mypcname ; subnet mask: 255.255.255.0 --          ------------------------------------------------------------------------------       Product   :Object(Version)      :Computer      :Address         :Attached Addr       ------------------------------------------------------------------------------       DM        :DMPrimer(1.4.155)    :MYPCNAME      :192.168.0.1     :          -- DMSweep completed -- 

Use the 'TASKLIST /S <remote> /SVC' DOS command to list all running Services on a remote system and look for 'dmprimer.exe', e.g.

TASKLIST /S mypcname /SVC 

I have a very large environment with hundreds / thousands of machines. How do I confirm which ones have this vulnerability?

With Unicenter Asset Management, upgrade the Application Definition component to the latest version. Based on version information regarding this vulnerability, you can design reports to provide this information. An alternative is to use the dmsweep utility, as described in the Security Notice, to query the installation/version/running status of DM Primer across your enterprise.


Can this vulnerability be detected using Unicenter Asset Management (UAM/AMO)?

Yes. The latest Unicenter Asset Management definitions can be used to detect this vulnerability.

See UAM Tech Document ID: %7BTEC358383 needs updating%7D for download notice.


Is the version of DM Primer that is installed with Unicenter Desktop Server Management (DSM) vulnerable?

No. DM Primer v11.0, which ships with Unicenter DSM, does not contain these security vulnerabilities.


If DM Primer is simply used for deploying products, why is it still running after the installation of those products have been completed?

DM Primer is installed as a common component. It is left running in order that it can be utilised by future products/upgrades as a means of deploying those products/upgrades without first having to reinstall DM Primer. It is also possible to query the installed/running DM Primer service to determine which products have been distributed/installed through it.


Does shutting down/stopping the DM Primer service address the vulnerability?

Yes, stopping the DM Primer service completely addresses the vulnerability.


What functionality am I losing if I shutdown/stop the DM Primer service?

The DM Primer service provides the ability for installing/upgrading those CA products that support DM Deployment and the ability to report on what has been installed through the DM Deployment mechanism. By shutting down the DM Primer service you will be shutting down this functionality. This functionality will be restored if the services is restarted.


If I've finished using the DM Deployment manager, can I remove the DM Primer service from those remote systems?

Yes. The dmsweep utility allows you to signal a remote DM Primer service to remove itself. This will result in the service and the DM Primer installation being removed from that remote system. One of the following commands should be used depending upon whether you are targeting a single machine or a range of machines:

      dmsweep -a1:192.168.0.100 -dp:force 

will forcibly remove DM Primer from the machine with ip address 192.168.0.100,

      dmsweep -a1:192.168.0.* -dp:force 

will forcibly remove DM Primer from all machines on the 192.168.0.* subnet,

      dmsweep -a1:192.168.0.1 -a2:192.168.0.100 -dp:force 

will forcibly remove DM Primer from all machines in the range 192.168.0.1-192.168.0.100.


How would I know that DM Primer is the subject of a Denial of Service (DoS) attack? In other words, how would I tell that DM Primer was possibly under attack?

If DM Primer was the subject of on of the DoS attacks then you would either see it become unresponsive - it would not respond to dmsweep commands - or you would see high CPU utilisation and rapid growth of its log file (which would be located in the directory specified in the following Registry key:

HKEY_LOCAL_MACHINESOFTWAREComputerAssociatesDesktop Common ServicesDMPrimerInstallPath


Is SD Primer (from Unicenter Software Delivery) the same as, or related to, DM Primer?

No. Although SD Primer utilises the same mechanism for installing the primer on the remote target machine, this is where the similarity ends. SD Primer utilises a different file transfer mechanism and, more importantly, once the SD Agent has been installed, it will shutdown and remove itself. i.e. SD Primer only persists for the duration of the deployment after which time it will remove itself. In addition, SD Primer does not contain these vulnerabilities.

Chat with CA

Just give us some brief information and we'll connect you to the right CA Expert.

Our hours of availability are 8AM - 5PM CST.

All Fields Required

connecting

We're matching your request.

Unfortunately, we can't connect you to an agent. If you are not automatically redirected please click here.

  • {{message.agentProfile.name}} will be helping you today.

    View Profile


  • Transfered to {{message.agentProfile.name}}

    {{message.agentProfile.name}} joined the conversation

    {{message.agentProfile.name}} left the conversation

  • Your chat with {{$storage.chatSession.messages[$index - 1].agentProfile.name}} has ended.
    Thank you for your interest in CA.


    How Did We Do?
    Let us know how we did so that we can maintain a quality experience.

    Take Our Survey >

    Rate Your Chat Experience.

    {{chat.statusMsg}}

agent is typing