Security Notice for CA products using the DSM gui_cm_ctrls ActiveX control - CA Technologies

Issued: April 15, 2008

CA's technical support is alerting customers to a security risk in CA products that implement the DSM gui_cm_ctrls ActiveX control. A vulnerability exists that can allow a remote attacker to cause a denial of service or execute arbitrary code. CA has issued updates to address the vulnerability.

The vulnerability, CVE-2008-1786, occurs due to insufficient verification of function arguments by the gui_cm_ctrls control. An attacker can execute arbitrary code under the context of the user running the web browser.

Note:

For BrightStor ARCserve Backup for Laptops & Desktops, only the server installation is affected. Client installations are not affected.

For CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control, only the Managers and DSM Explorers are affected. Scalability Servers and Agents are not affected.

Risk Rating

High

Affected Products

BrightStor ARCserve Backup for Laptops and Desktops r11.5
CA Desktop Management Suite r11.2 C2
CA Desktop Management Suite r11.2 C1
CA Desktop Management Suite r11.2a
CA Desktop Management Suite r11.2
CA Desktop Management Suite r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C2
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Desktop Management Bundle r11.2a
Unicenter Desktop Management Bundle r11.2
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C2
Unicenter Asset Management r11.2 C1
Unicenter Asset Management r11.2a
Unicenter Asset Management r11.2
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C2
Unicenter Software Delivery r11.2 C1
Unicenter Software Delivery r11.2a
Unicenter Software Delivery r11.2
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C2
Unicenter Remote Control r11.2 C1
Unicenter Remote Control r11.2a
Unicenter Remote Control r11.2
Unicenter Remote Control r11.1 (GA, a, C1)
CA Desktop and Server Management r11.2 C2
CA Desktop and Server Management r11.2 C1
CA Desktop and Server Management r11.2a
CA Desktop and Server Management r11.2
CA Desktop and Server Management r11.1 (GA, a, C1)

How to determine if the installation is affected

For products on Windows:

  1. Using Windows Explorer, locate the file "gui_cm_ctrls.ocx". By default, the file is in the "C:\Program Files\CA\DSM\bin" directory.

  2. Right click on the file and select Properties.

  3. Select the Version tab.

  4. If the file version is earlier than the fixed version listed below for the product, the installation is vulnerable.

CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1),
CA Desktop and Server Management r11.1 (GA, a, C1):
File name: gui_cm_ctrls.ocx, file version: 11.1.8124.2517

CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2,
CA Desktop and Server Management r11.2:
File name: gui_cm_ctrls.ocx, file version: 11.2.2.4332

CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a,
CA Desktop and Server Management r11.2a:
File name: gui_cm_ctrls.ocx, file version: 11.2.3.1896

CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1,
BrightStor ARCserve Backup for Laptops and Desktops r11.5,
CA Desktop and Server Management r11.2 C1:
File name: gui_cm_ctrls.ocx, file version: 11.2.1000.17

CA Desktop Management Suite for Windows r11.2 C2,
Unicenter Desktop Management Bundle r11.2 C2,
Unicenter Asset Management r11.2 C2,
Unicenter Software Delivery r11.2 C2,
Unicenter Remote Control r11.2 C2,
CA Desktop and Server Management r11.2 C2:
File name: gui_cm_ctrls.ocx, file version: 11.2.2000.4
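
The manual check above can be scripted for a fleet of Managers and DSM Explorers. The following PowerShell function is an added example written for this notice; it is not CA's own tooling. It assumes the default install path given in step 1, takes the product release line as a parameter because the on-disk file does not say which release it belongs to, and compares the numeric file version against the fixed versions listed above.

```powershell
# Added example (not CA's code): report whether the installed gui_cm_ctrls.ocx
# is older than the fixed version the notice lists for a given release line.
# Assumptions: default install path from the notice; the -Release names match
# the release lines in the notice's version list; the caller can read the file.

function Test-GuiCmCtrlsVulnerable {
    [CmdletBinding()]
    param(
        # Release line of the installed product, as named in the notice.
        [Parameter(Mandatory)]
        [ValidateSet('r11.1', 'r11.2', 'r11.2a', 'r11.2 C1', 'r11.2 C2')]
        [string]$Release,

        # Location of the control; the notice's default install directory.
        [string]$Path = 'C:\Program Files\CA\DSM\bin\gui_cm_ctrls.ocx'
    )

    # Minimum fixed file versions, copied from the notice's version list.
    $fixedVersions = @{
        'r11.1'    = [version]'11.1.8124.2517'
        'r11.2'    = [version]'11.2.2.4332'
        'r11.2a'   = [version]'11.2.3.1896'
        'r11.2 C1' = [version]'11.2.1000.17'
        'r11.2 C2' = [version]'11.2.2000.4'
    }
    $fixed = $fixedVersions[$Release]

    if (-not (Test-Path -LiteralPath $Path)) {
        # No control on disk: not a Manager/DSM Explorer install (or a Scalability
        # Server/Agent, which the notice says is not affected).
        return [pscustomobject]@{
            Path         = $Path
            Installed    = $null
            Fixed        = $fixed
            IsVulnerable = $false
            Note         = 'gui_cm_ctrls.ocx not present'
        }
    }

    # Build the version from the numeric parts instead of parsing the free-text
    # FileVersion string, which some binaries pad with extra words.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $installed = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $isVulnerable = $installed -lt $fixed

    [pscustomobject]@{
        Path         = $Path
        Installed    = $installed
        Fixed        = $fixed
        IsVulnerable = $isVulnerable
        Note         = $(if ($isVulnerable) { 'apply the update listed under Solution' } else { 'at or above the fixed version' })
    }
}

# Usage: check a DSM Manager on the r11.2 C1 release line.
Test-GuiCmCtrlsVulnerable -Release 'r11.2 C1' | Format-List
```

Because the file version alone does not identify the release line (an r11.2 C1 install at 11.2.1000.x and an r11.2 install at 11.2.2.x are both "11.2"), the release is passed in explicitly rather than guessed from the version prefix; pick it from the product inventory for each host.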

 

Solution

CA has provided the following updates to address the vulnerability.

BrightStor ARCserve Backup for Laptops and Desktops r11.5:
QI96333

CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1):
QO96283

CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a:
QO96286

CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2:
QO96285

CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1:
QO96284

CA Desktop Management Suite for Windows r11.2 C2,
Unicenter Desktop Management Bundle r11.2 C2,
Unicenter Asset Management r11.2 C2,
Unicenter Software Delivery r11.2 C2,
Unicenter Remote Control r11.2 C2:
QO99084

CA Desktop and Server Management r11.2 C2:
QO99080

CA Desktop and Server Management r11.2 C1:
QO96288

CA Desktop and Server Management r11.2a:
QO96290

CA Desktop and Server Management r11.2:
QO96289

CA Desktop and Server Management r11.1 (GA, a, C1):
QO96287

Workaround

As a temporary workaround, disable the gui_cm_ctrls ActiveX control in the registry by setting the kill bit on CLSID {E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}. Disabling the control may prevent the GUI from functioning correctly.

Refer to Microsoft KB article 240797 for information on how to disable an ActiveX control.
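
The kill-bit procedure from KB 240797, applied to the CLSID above, as an added PowerShell example (not CA's or Microsoft's code). It assumes an elevated session on the affected Manager or DSM Explorer host; the registry location and the 0x400 flag value are the standard ActiveX Compatibility convention that the KB article describes, and the 32-bit control's key is also written under the Wow6432Node view on 64-bit Windows.

```powershell
# Added example (not CA's code): set, verify and later clear the ActiveX kill bit
# for the DSM gui_cm_ctrls control. Assumes an elevated PowerShell session.
# The CLSID is the one given in the notice; the key path and the 0x400 flag
# follow the kill-bit convention in Microsoft KB 240797.

$GuiCmCtrlsClsid = '{E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}'
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: Internet Explorer refuses to load the control

function Get-ActiveXCompatKeys {
    param([string]$Clsid)
    # The 32-bit control registers under the WOW6432 view on 64-bit Windows,
    # so cover both views; only views present on this host are returned.
    $bases = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($b in $bases) {
        if (Test-Path -LiteralPath (Split-Path $b -Parent)) { Join-Path $b $Clsid }
    }
}

function Set-GuiCmCtrlsKillBit {
    param(
        # -Clear removes the bit again once the update from the Solution section is applied.
        [switch]$Clear
    )
    foreach ($key in Get-ActiveXCompatKeys -Clsid $GuiCmCtrlsClsid) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }

        # Preserve any other compatibility flags already set for this CLSID.
        $current = 0
        $existing = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($existing) { $current = [int]$existing.'Compatibility Flags' }

        $new = if ($Clear) { $current -band (-bnot $KillBit) } else { $current -bor $KillBit }
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
        $key
    }
}

function Test-GuiCmCtrlsKillBit {
    # Verification step: report, per registry view, whether the bit is set.
    foreach ($key in Get-ActiveXCompatKeys -Clsid $GuiCmCtrlsClsid) {
        $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key        = $key
            Flags      = $flags
            KillBitSet = [bool]($flags -band $KillBit)
        }
    }
}

# Usage: apply the workaround and confirm it took effect in every view.
Set-GuiCmCtrlsKillBit | Out-Null
Test-GuiCmCtrlsKillBit | Format-Table -AutoSize
```

The flag is ORed in rather than overwritten so that other compatibility bits on the same CLSID survive, and the same function with -Clear removes only that bit after the QO/QI update for the release line has been installed.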

References

CVE-2008-1786 - DSM gui_cm_ctrls ActiveX control code execution

Acknowledgements

CVE-2008-1786 Greg Linares of eEye Digital Security

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technical Support at https://support.ca.com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form at  http://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/contact-information-for-ca-product-vulnerability-response-team.html.
