CA20090806-01: Security Notice for Data Transport Services

Issued: August 6, 2009

CA's technical support is alerting customers to a security risk with Data Transport Services. A vulnerability exists that can allow a remote attacker to execute arbitrary code. CA has issued patches to address the issue.

The vulnerability, CVE-2009-2026, is due to insufficient bounds checking in the dtscore library. An attacker can cause a buffer overflow which can result in the execution of arbitrary code with privileged access.

Risk Rating

High

Platform

Windows

Affected Products

CA Software Delivery r11.2 C1

CA Software Delivery r11.2 C2

CA Software Delivery r11.2 C3

CA Software Delivery r11.2 SP4

Unicenter Software Delivery 4.0 C3

CA Advantage Data Transport 3.0 C1

CA IT Client Manager r12

How to determine if the installation is affected

For Windows:

  1. Using Windows Explorer, locate the file indicated in the table below. By default, the file can be found in the following locations:

    Product                                  File            Directory Path
    CA Software Delivery r11.2 C1, C2, C3    dtscore11.dll   C:\Program Files\CA\SC\DTS\bin
    CA Software Delivery r11.2 SP4           dtscore11.dll   C:\Program Files\CA\SC\DTS\bin
    Unicenter Software Delivery 4.0 C3       dtscore.dll     C:\Program Files\CA\SharedComponents\DTS\bin
    CA Advantage Data Transport 3.0 C1       dtscore.dll     C:\Program Files\CA\SharedComponents\DTS\bin
    CA IT Client Manager r12                 dtscore11.dll   C:\Program Files\CA\SC\DTS\bin


  2. Right click on the file and select Properties.

  3. Select the General tab.

  4. If the file date is earlier than the date indicated in the table below, the installation is vulnerable.

    Product                                  File Name       File Size (bytes)   File Date
    CA Software Delivery r11.2 C1, C2, C3    dtscore11.dll   218376              THU APR 09 15:02:25 2009
    CA Software Delivery r11.2 SP4           dtscore11.dll   218376              THU APR 09 15:19:47 2009
    Unicenter Software Delivery 4.0 C3       dtscore.dll     167936              FRI FEB 20 08:22:46 2009
    CA Advantage Data Transport 3.0 C1       dtscore.dll     167936              FRI FEB 20 08:22:46 2009
    CA IT Client Manager r12                 dtscore11.dll   218376              MON JUL 27 16:00:36 2009
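
The four steps above can be scripted when many hosts need checking. The following PowerShell is an added example, not part of CA's advisory or tooling: the product keys, the -Path override and the reading of "file date" as the local Modified time are assumptions, while the paths, sizes and dates are taken from the two tables above.

```powershell
# Added example (not CA code). Product keys are hypothetical labels for the table rows.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('SD-11.2-C1-C2-C3', 'SD-11.2-SP4', 'USD-4.0-C3', 'ADT-3.0-C1', 'ITCM-12')]
    [string]$Product,
    [string]$Path   # override when DTS is not installed in the default directory
)

$sc     = 'C:\Program Files\CA\SC\DTS\bin\dtscore11.dll'
$shared = 'C:\Program Files\CA\SharedComponents\DTS\bin\dtscore.dll'

# Default path, fixed-build size and fixed-build file date, copied from the advisory tables.
# The same dtscore11.dll path has a different fixed date per product, so the product
# must be named explicitly rather than inferred from the file.
$table = @{
    'SD-11.2-C1-C2-C3' = @{ File = $sc;     Size = 218376; Date = '2009-04-09 15:02:25' }
    'SD-11.2-SP4'      = @{ File = $sc;     Size = 218376; Date = '2009-04-09 15:19:47' }
    'USD-4.0-C3'       = @{ File = $shared; Size = 167936; Date = '2009-02-20 08:22:46' }
    'ADT-3.0-C1'       = @{ File = $shared; Size = 167936; Date = '2009-02-20 08:22:46' }
    'ITCM-12'          = @{ File = $sc;     Size = 218376; Date = '2009-07-27 16:00:36' }
}

$row = $table[$Product]
if (-not $Path) { $Path = $row.File }

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Write-Warning "File not found: $Path. DTS may be absent or installed elsewhere; retry with -Path."
    exit 2
}

# Assumption: the advisory's "file date" is the Modified time shown on the General tab,
# compared here in the machine's local time (the advisory names no time zone).
$fixed = [datetime]::ParseExact($row.Date, 'yyyy-MM-dd HH:mm:ss',
                                [System.Globalization.CultureInfo]::InvariantCulture)
$file  = Get-Item -LiteralPath $Path

[pscustomobject]@{
    Product       = $Product
    Path          = $file.FullName
    FileDate      = $file.LastWriteTime
    FixedFileDate = $fixed
    FileSize      = $file.Length
    FixedFileSize = $row.Size
    Vulnerable    = ($file.LastWriteTime -lt $fixed)   # step 4: earlier date means unpatched
}
```
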

Solution

CA has issued the following patches to address the vulnerabilities.

CA Software Delivery r11.2 C1, C2:

Upgrade to r11.2 C3 and apply RO08984 or upgrade to r11.2 SP4 and apply RO08956.

CA Software Delivery r11.2 C3:
RO08984

CA Software Delivery r11.2 SP4:
RO08956

Unicenter Software Delivery 4.0 C3,
CA Advantage Data Transport 3.0 C1:
RO08976

CA IT Client Manager r12:
RO10086

References

CVE-2009-2026 - dtscore.dll buffer overflow

Acknowledgement

CVE-2009-2026 - Orlando Padilla and Peter Silberman of Breakpoint Security working with ZDI/TippingPoint

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Support at http://support.ca.com/.

If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.
