[Full-disclosure] CA20140218-01: Security Notice for CA 2E Web Option

2014-02-19 Thread Williams, James K

CA20140218-01: Security Notice for CA 2E Web Option

Issued: February 18, 2014

CA Technologies Support is alerting customers to a potential risk in 
CA 2E Web Option (C2WEB).  A vulnerability exists that can allow an 
attacker to exploit an authentication weakness and execute a session 
prediction attack.  The vulnerability, CVE-2014-1219, is due to a 
predictable session token.  An unauthenticated attacker can manipulate 
a session token to gain privileged access to a valid session.  CA 
Technologies has issued fixes to address the vulnerability.

Risk Rating

High

Affected Platforms

IBM i

Affected Products

CA 2E Web Option r8.5
CA 2E Web Option r8.5 + PTF 1
CA 2E Web Option r8.6
CA 2E Web Option r8.6 + PTF B

Note that the vulnerable version reported by Portcullis, r8.1.2, 
reached End of Service (EOS) on April 10, 2013 and is no longer 
supported.  Customers can find the CA 2E r8.1, r8.1 SP1 and r8.1 SP2
End of Service Announcement, dated April 10, 2012, on the CA Support 
website.

Non-Affected Products

None (i.e. all supported versions of CA 2E Web Option are affected)

How to determine if the installation is affected

All supported versions of CA 2E Web Option are affected by this 
vulnerability.

To determine if the fix for this vulnerability has been applied, refer 
to the guidance below for each supported version.

CA 2E Web Option r8.5:
The existence of the data area YHFM55861 in PTF library YW8501254 will 
indicate that this solution has been applied.

CA 2E Web Option r8.6:
The existence of the data area YHFM55865 in PTF library YW860B254 will 
indicate that this solution has been applied.

Solution

CA Technologies has issued the following fixes to address the 
vulnerability.

CA 2E Web Option r8.5:
RO67583

CA 2E Web Option r8.6:
RO67569

Workaround

None

References

CVE-2014-1219 - CA 2E Web Option Session Prediction Vulnerability

CA20140218-01: Security Notice for CA 2E Web Option
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Acknowledgement

CVE-2014-1219 - Portcullis

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams
CA Technologies
Director, Product Vulnerability Response Team
ken.willi...@ca.com


Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] CVE-2014-1219 - Unauthenticated Privilege Escalation in CA 2E Web Option

2014-02-14 Thread Williams, James K

 Date: Wed, 12 Feb 2014 15:59:34 -
 From: Portcullis Advisories advisor...@portcullis-security.com
[snip]
 Vulnerability title: Unauthenticated Privilege Escalation in CA 
 2E Web Option

 CVE: CVE-2014-1219
 Vendor: CA
 Product: 2E Web Option
 Affected version: 8.1.2
[snip]   


CA Technologies is currently investigating a vulnerability report 
concerning CA 2E Web Option that was published publicly on 2014-02-11 
(CVE-2014-1219).

This statement can be found at 
http://blogs.ca.com/securityresponse/2014/02/13/

Note that r8.1.2 reached End of Service (EOS) on April 10, 2013 and is 
no longer supported.  Customers can find the End of Service Announcement, 
dated April 10, 2012, on the CA Support website.
https://support.ca.com/

Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
ken.willi...@ca.com


Copyright (C) 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.



[Full-disclosure] CA20121220-01: Security Notice for CA IdentityMinder [updated]

2013-01-18 Thread Williams, James K


CA20121220-01: Security Notice for CA IdentityMinder

Issued: December 20, 2012
Updated: January 18, 2013


CA Technologies Support is alerting customers to two potential risks in CA 
IdentityMinder (formerly known as CA Identity Manager).  Two 
vulnerabilities exist that can allow a remote attacker to execute 
arbitrary commands, manipulate data, or gain elevated access.  CA 
Technologies has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2012-6298, allows a remote attacker to execute
arbitrary commands or manipulate data.

The second vulnerability, CVE-2012-6299, allows a remote attacker to gain 
elevated access.


Risk Rating

High


Affected Platforms

All


Affected Products

CA IdentityMinder r12.0 CR16 and earlier
CA IdentityMinder r12.5 SP1 thru SP14
CA IdentityMinder r12.6 GA


Non-Affected Products

None (i.e. all supported versions of CA IdentityMinder are vulnerable)


How to determine if the installation is affected

All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA 
are vulnerable.

You can confirm that patches have been successfully applied by checking the
dates associated with the following IdentityMinder jar files (the jar files
are created in the patch output sub-folder structure in the root folder 
from which you have run the patch utility):

CA IdentityMinder r12.0 CR16 and earlier – user_console.jar
CA IdentityMinder r12.5 SP1 thru SP6 – user_console.jar
CA IdentityMinder r12.5 SP7 thru SP14 – user_console.jar, imsapi6.jar
CA IdentityMinder r12.6 GA – user_console.jar, imsapi6.jar

The dates on these jar files will be set to the date on which the patch was
applied.


Solution

CA Technologies has issued the following patches to address the 
vulnerabilities.  Download the appropriate patch(es) and follow the 
instructions in the readme.txt file.  These patches can be applied to all 
operating system platforms.

12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip

12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip

12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip

12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip

12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip

12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip

12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip

12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip

12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip

12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip

12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip

12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip

12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip

12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip

12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip

12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip


Workaround

None


References

CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate
data
CVE-2012-6299 - CA IdentityMinder gain elevated access

CA20121220-01: Security Notice for CA IdentityMinder
(URL may wrap)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B61-3A68-4506-9876-F845F6DD8A93}


Acknowledgement

CVE-2012-6298 - Discovered internally by CA Technologies 
CVE-2012-6299 - Discovered internally by CA Technologies


Change History

Version 1.0: Initial Release

Version 1.1: Revised the section entitled How to determine if the 
installation is affected.


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report 
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

CA Technologies Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilj...@ca.com


Copyright (C) 2013 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.


[Full-disclosure] CA20121220-01: Security Notice for CA IdentityMinder

2012-12-20 Thread Williams, James K

CA20121220-01: Security Notice for CA IdentityMinder

Issued: December 20, 2012


CA Technologies Support is alerting customers to two potential risks in CA 
IdentityMinder (formerly known as CA Identity Manager).  Two 
vulnerabilities exist that can allow a remote attacker to execute arbitrary
commands, manipulate data, or gain elevated access.  CA Technologies has 
issued patches to address the vulnerability.

The first vulnerability, CVE-2012-6298, allows a remote attacker to execute
arbitrary commands or manipulate data.

The second vulnerability, CVE-2012-6299, allows a remote attacker to gain 
elevated access.


Risk Rating

High


Affected Platforms

All


Affected Products

CA IdentityMinder r12.0 CR16 and earlier
CA IdentityMinder r12.5 SP1 thru SP14
CA IdentityMinder r12.6 GA


Non-Affected Products

None (i.e. all supported versions of CA IdentityMinder are vulnerable)


How to determine if the installation is affected

All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA 
are vulnerable.

You can confirm that patches have been successfully applied by checking the
dates associated with the following IdentityMinder jar files: imsapi6.jar 
and ims.jar.  The dates on these jars will be set to the dates on which the
patch was applied.


Solution

CA Technologies has issued the following patches to address the 
vulnerabilities.  Download the appropriate patch(es) and follow the 
instructions in the readme.txt file.  These patches can be applied to all 
operating system platforms.

12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip

12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip

12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip

12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip

12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip

12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip

12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip

12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip

12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip

12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip

12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip

12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip

12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip

12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip

12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip

12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip



Workaround

None


References

CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate
data
CVE-2012-6299 - CA IdentityMinder gain elevated access

CA20121220-01: Security Notice for CA IdentityMinder
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B61-3A68-4506-9876-F845F6DD8A93}


Acknowledgement

CVE-2012-6298 - Discovered internally by CA Technologies 
CVE-2012-6299 - Discovered internally by CA Technologies


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report 
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilj...@ca.com


Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.




[Full-disclosure] CA20121001-01: Security Notice for CA License

2012-10-01 Thread Williams, James K

CA20121001-01: Security Notice for CA License

Issued: October 01, 2012


CA Technologies Support is alerting customers to two potential risks in CA 
License (also known as CA Licensing).  Vulnerabilities exist that can 
allow a local attacker to execute arbitrary commands or gain elevated 
access.  CA Technologies has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2012-0691, occurs due to insecure use of 
system commands.  An unprivileged user can exploit this vulnerability to 
execute commands with system or administrator privileges.

The second vulnerability, CVE-2012-0692, occurs due to inadequate user 
validation.  An unprivileged user can exploit this vulnerability to create 
or modify arbitrary files and gain elevated access.


Risk Rating

High


Affected Platforms

AIX 5.x
DEC
HP-UX
Linux
Mac OS X
Solaris
Windows


Affected Products

CA Aion Business Rules Expert r11.0
CA ARCserve Backup r12.5, r15, r16
CA ARCserve Central Protection Manager r16
CA ARCserve Central Reporting r16
CA ARCserve D2D r15, r16, r16 On Demand
CA ARCserve Central Host Based VM Backup  (formerly CA ARCserve Host Based 
   VM Backup) r16
CA ARCserve Central Virtual Standby (formerly CA ARCserve Virtual 
   Conversion Manager) r16
CA Automation Point r11.2, r11.3
CA Client Automation (formerly CA Desktop and Server Management) r12.0, 
   r12.0 SP1, r12.5
CA Common Services (CCS) r11.2 SP2
CA ControlMinder (formerly CA Access Control) 12.5, 12.6
CA ControlMinder for Virtual Environments (formerly CA Access Control for 
   Virtual Environments) 2.0
CA Database Management r11.3, r11.4, r11.5
CA Directory 8.1
CA Easytrieve for Windows and UNIX 11.0, 11.1
CA Easytrieve for Linux PC 11.6
CA Erwin Data Modeler r7.x
CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5
CA Gen r8
CA IdentityMinder (formerly CA Identity Manager) r12 CR16 and earlier
CA Insight Database Performance Manager 11.3, 11.4, 11.5
CA IT Asset Manager (ITAM) r12.6 and earlier
CA IT Client Manager r12.0, r12.0 SP1, r12.5
CA IT Inventory Manager r12.0, r12.0 SP1, r12.5
CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2
CA Output Management Web Viewer 11.5
CA Plex r6, r6.1
CA Repository for Distributed Systems r2.3
CA Service Accounting r12.5, r12.6
CA Service Catalog r12.5, r12.6
CA Service Desk Manager r12.1, r12.5, r12.6
CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier
CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3
CA Software Compliance Manager r12.0, r12.6
CA Storage Resource Manager (SRM) 11.8, 12.6
CA TSreorg for Distributed Databases 11.3, 11.4, 11.5
CA Unicenter Asset Portfolio Management r11.3, r11.3.4, r12.6
CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3
CA Workload Automation DE r11.3
CA XCOM Data Transport Gateway PC Linux r11.5
CA XCOM Data Transport Gateway Windows r11.5
CA XCOM Data Transport for PC Linux r11.5
CA XCOM Data Transport for Windows r11.5
CA XCOM Data Transport Management Center for PC Linux r11.5
CA XCOM Data Transport Management Center for Windows r11.5


Affected Components

CA License 1.90.02 and earlier


Non-Affected Products

CA ControlMinder (formerly CA Access Control) 12.6 SP1
CA Client Automation 12.5 SP1
CA Directory r12.0 SP1 or later
CA Gen r8.5
CA IdentityMinder (formerly CA Identity Manager) r12.5
CA IT Client Manager r12.5.SP1
CA IT Inventory Manager r12.5.SP1
CA Plex r7.0
CA Service Accounting r12.7
CA Service Catalog r12.7
CA Service Desk Manager r12.7
CA Single Sign-On (SSO) r12.1 CR5
CA Storage Resource Manager (SRM) 12.6 SP1
CA Workload Automation DE r11.1 (does not use CA License)


Non-Affected Components

CA License 1.90.03 or later


How to determine if the installation is affected

All versions of CA License before 1.90.03 are vulnerable.

The installed version of CA License can be obtained by using the 
“lic98version” program.  Lic98version retrieves the version of CA License 
installed on a machine along with the version of specific individual files.
The version information is written to the lic98version.log file located in 
the CA License installation location, and is also displayed on the console.


Solution

CA has issued patches to address the vulnerability.


For all CA product installations on Linux, please note these Linux-specific
instructions:

1.  First, make backups of the ca.olf file and the lic98.dat file.
2.  Uninstall the existing/old version of CA License.
3.  Perform the installation of CA License 1.90.04.
4.  Confirm the successful installation of 1.9.04, and then replace the 
existing ca.olf file and lic98.dat file with the files you backed 
up in step 1.

If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/ 


CA Aion Business Rules Expert r11.0:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:

[Full-disclosure] CA20111208-01: Security Notice for CA SiteMinder [updated]

2012-08-27 Thread Williams, James K

CA20111208-01: Security Notice for CA SiteMinder


Issued: December 08, 2011
Updated: August 22, 2012


CA Technologies Support is alerting customers to a potential risk in 
CA SiteMinder, CA Federation Manager, CA SOA Security Manager, CA 
SiteMinder Secure Proxy Server, and CA SiteMinder SharePoint Agent. A 
vulnerability exists that can allow a malicious user to execute a 
reflected cross site scripting (XSS) attack. CA Technologies has 
issued patches to address the vulnerability.

The vulnerability, CVE-2011-4054, occurs due to insufficient 
validation of postpreservationdata parameter input utilized in the 
login.fcc form. A malicious user can submit a specially crafted 
request to effectively hijack a victim's browser.


Risk Rating

Medium


Platform

All


Affected Products

CA SiteMinder R6 SP6 CR7 and earlier
CA SiteMinder R12 SP3 CR8 and earlier
CA Federation Manager 12.1 SP3 and earlier
CA SOA Security Manager 12.1 SP3 and earlier
CA SiteMinder Secure Proxy Server 12.0 SP3 and earlier
CA SiteMinder Secure Proxy Server 6.0 SP3 and earlier
CA SiteMinder SharePoint Agent 12.0 SP3 and earlier


Non-Affected Products

CA SiteMinder R6 SP6 CR8
CA SiteMinder R12 SP3 CR9
CA Federation Manager 12.1 SP3 CR00.1
CA SOA Security Manager 12.1 SP3 CR01.1
CA SiteMinder Secure Proxy Server 12.0 SP3 CR01.1
CA SiteMinder Secure Proxy Server 6.0 SP3 CR07.1
CA SiteMinder SharePoint Agent 12.0 SP3 CR0.1


How to determine if the installation is affected

Check the Web Agent log or Installation log to obtain the installed 
release version. Note that the webagent.log file name is 
configurable by the SiteMinder administrator.


Solution

CA has issued patches to address the vulnerability.

CA SiteMinder R6:
Upgrade to R6 SP6 CR8 or later

CA SiteMinder R12:
Upgrade to R12 SP3 CR9 or later

CA Federation Manager 12.1 SP3:
Apply fix RS47435

CA SOA Security Manager 12.1 SP3:
Apply fix RS47436

CA SiteMinder Secure Proxy Server 12.0 SP3:
Apply fix RS47431

CA SiteMinder Secure Proxy Server 6.0 SP3:
Apply fix RS47432

CA SiteMinder SharePoint Agent 12.0 SP3:
Apply fix RS47433

CR releases can be found on the CA SiteMinder Hotfix/Cumulative 
Release page (URL may wrap):
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5AE61E29-C3DE-405E-9151-9EEA72D965CE}.


Workaround

None


References

CVE-2011-4054 - CA SiteMinder login.fcc XSS

Acknowledgement

CVE-2011-4054 - Jon Passki of Aspect Security, via CERT

Change History

Version 1.0: Initial Release
Version 1.1: Updated R6 fix information
Version 1.2: Added information for Federation Manager, SOA Security 
Manager, SiteMinder Secure Proxy Server, SiteMinder SharePoint Agent


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilj...@ca.com



[Full-disclosure] CA20111208-01: Security Notice for CA SiteMinder

2011-12-09 Thread Williams, James K

CA20111208-01: Security Notice for CA SiteMinder

Issued: December 08, 2011

CA Technologies Support is alerting customers to a potential risk in 
CA SiteMinder. A vulnerability exists that can allow a malicious user 
to execute a reflected cross site scripting (XSS) attack. CA 
Technologies has issued patches to address the vulnerability.

The vulnerability, CVE-2011-4054, occurs due to insufficient 
validation of postpreservationdata parameter input utilized in the 
login.fcc form. A malicious user can submit a specially crafted 
request to effectively hijack a victim’s browser.

Risk Rating

Medium

Platform

All

Affected Products

CA SiteMinder R6 SP6 CR7 and earlier
CA SiteMinder R12 SP3 CR8 and earlier

Non-Affected Products

CA SiteMinder R6 SP6 CR8
CA SiteMinder R12 SP3 CR9

How to determine if the installation is affected

Check the Web Agent log or Installation log to obtain the installed 
release version. Note that the webagent.log file name is 
configurable by the SiteMinder administrator.

Solution

CA is issuing patches to address the vulnerability.

CA SiteMinder R6:
Upgrade to R6 SP6 CR8 or later (Expected Availability: January 2012)

CA SiteMinder R12:
Upgrade to R12 SP3 CR9 or later

CR releases can be found on the CA SiteMinder 
Hotfix/Cumulative Release page:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5AE61E29-C3DE-405E-9151-9EEA72D965CE}.

Workaround

None

References

CVE-2011-4054 - CA SiteMinder login.fcc XSS

Acknowledgement

CVE-2011-4054 - Jon Passki of Aspect Security, via CERT

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA 
Technologies Support at https://support.ca.com.

If you discover a vulnerability in CA Technologies products, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilj...@ca.com 


[Full-disclosure] CA20110809-01: Security Notice for CA ARCserve D2D

2011-08-10 Thread Williams, James K
 
CA20110809-01: Security Notice for CA ARCserve D2D
 

Issued:  August 9, 2011
 

CA Technologies support is alerting customers to a security risk 
associated with CA ARCserve D2D. A vulnerability exists that can 
allow a remote attacker to access credentials and execute arbitrary 
commands.  CA Technologies has issued a patch to address the 
vulnerability.
 
The vulnerability, CVE-2011-3011, is due to improper session handling. 
A remote attacker can access credentials and execute arbitrary 
commands.
 

Risk Rating 
 
High
 

Platform 
 
Windows
 

Affected Products 
 
CA ARCserve D2D r15
 

How to determine if the installation is affected 
 
Search under TOMCAT directory for BaseServiceImpl.class, and if the 
date is earlier than August 03, 2011, then you should apply fix 
RO33517.
 

Solution
 
CA has issued a patch to address the vulnerability.
 
CA ARCserve D2D r15:
RO33517
 

Workaround

None
 

References
 
CVE-2011-3011 - CA ARCserve D2D session handling vulnerability
 

Acknowledgement
 
None
 

Change History
 
Version 1.0: Initial Release

 
If additional information is required, please contact CA Technologies 
Support at support.ca.com
 
If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
 

Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilja22 @ ca.com
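
The date check described in the CA ARCserve D2D notice above can be scripted across a Tomcat tree. This is an added example, not part of the original advisory and not CA tooling; the function names and the sample directory layout are assumptions, while the file name, cutoff date and fix number come from the notice.

```python
import os
from datetime import date, datetime

TARGET_NAME = "BaseServiceImpl.class"  # file named in the notice
CUTOFF = date(2011, 8, 3)              # notice: "earlier than August 03, 2011"
FIX_ID = "RO33517"                     # fix named in the notice


def scan_tomcat_tree(tomcat_root, cutoff=CUTOFF):
    """Return a sorted list of (path, modified_date, needs_fix) for every copy found.

    Every copy is reported, because a stale copy in an old webapp folder can
    sit next to a patched one. A file date is only the indicator the notice
    gives; a restore or copy can change it, so treat the result as a triage aid.
    """
    results = []
    for dirpath, _dirnames, filenames in os.walk(tomcat_root):
        for name in filenames:
            # The product runs on Windows, where file names are case-insensitive.
            if name.lower() != TARGET_NAME.lower():
                continue
            path = os.path.join(dirpath, name)
            modified = datetime.fromtimestamp(os.path.getmtime(path)).date()
            results.append((path, modified, modified < cutoff))
    return sorted(results)


def assess(tomcat_root):
    """Summarise a scan; a missing file is reported, never treated as patched."""
    results = scan_tomcat_tree(tomcat_root)
    if not results:
        return "not-found"
    if any(needs_fix for _path, _modified, needs_fix in results):
        return "apply " + FIX_ID
    return "date-check-passed"


def build_sample_tree(root, stamps):
    """Create constructed sample files: {relative_dir: datetime of last write}."""
    for rel_dir, stamp in stamps.items():
        folder = os.path.join(root, rel_dir)
        os.makedirs(folder, exist_ok=True)
        path = os.path.join(folder, TARGET_NAME)
        with open(path, "wb") as handle:
            handle.write(b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        ts = stamp.timestamp()
        os.utime(path, (ts, ts))


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as root:
        # Constructed layout (hypothetical directory names) with one old copy.
        build_sample_tree(root, {
            os.path.join("webapps", "app", "WEB-INF", "classes"): datetime(2011, 8, 10, 12, 0),
            os.path.join("webapps", "app.bak", "WEB-INF", "classes"): datetime(2011, 7, 1, 12, 0),
        })
        for path, modified, needs_fix in scan_tomcat_tree(root):
            print(modified, "NEEDS FIX" if needs_fix else "ok", path)
        print(assess(root))
```
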

Re: [Full-disclosure] CA20110420-02: Security Notice for CA Output Management Web Viewer

2011-05-19 Thread Williams, James K

CA20110420-01: Security Notice for CA SiteMinder


Issued:  April 20, 2011
Updated:  May 19, 2011


CA Technologies support is alerting customers to a security risk 
associated with CA SiteMinder. A vulnerability exists that can allow a 
malicious user to impersonate another user.  CA Technologies has 
issued patches to address the vulnerability.

The vulnerability, CVE-2011-1718, is due to improper handling of 
multi-line headers. A malicious user can send specially crafted data 
to impersonate another user.


Risk Rating 

Medium


Platform 

Windows


Affected Products 

CA SiteMinder R6 IIS 6.0 Web Agents prior to R6 SP6 CR2
CA SiteMinder R12 IIS 6.0 Web Agents prior to R12 SP3 CR2


How to determine if the installation is affected 

Check the Web Agent log to obtain the installed release version. Note 
that the webagent.log file name is configurable by the SiteMinder 
administrator.


Solution

CA has issued patches to address the vulnerability.

CA SiteMinder R6:
Upgrade to R6 SP6 CR2 or later

CA SiteMinder R12: 
Upgrade to R12 SP3 CR2 or later

CR releases can be found on the CA SiteMinder Hotfix / Cumulative 
Release page:
(URL may wrap)
support.ca.com/irj/portal/anonymous/phpdocs?filePath=0/5262/5262_fixindex.html


References

CVE-2011-1718 - CA SiteMinder Multi-line Header Vulnerability


Acknowledgement

April King (ap...@twoevils.org)


Change History

Version 1.0: Initial Release
Version 1.1: Updated Affected Products section to clarify that only 
 the IIS 6.0 Web Agents are affected.  IIS 7 is not 
 affected by this issue.


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782



[Full-disclosure] CA20110420-02: Security Notice for CA Output Management Web Viewer

2011-04-20 Thread Williams, James K

CA20110420-02: Security Notice for CA Output Management Web Viewer


Issued:  April 20, 2011


CA Technologies support is alerting customers to security risks 
associated with CA Output Management Web Viewer. Two vulnerabilities 
exist that can allow a remote attacker to execute arbitrary code.  CA 
Technologies has issued patches to address the vulnerabilities.

The vulnerabilities, CVE-2011-1719, are due to boundary errors in the 
UOMWV_HelperActiveX.ocx and PPSView.ocx ActiveX controls. A remote 
attacker can create a specially crafted web page to exploit the flaws 
and potentially execute arbitrary code.


Risk Rating 

High


Platform 

Windows


Affected Products 

CA Output Management Web Viewer 11.0 
CA Output Management Web Viewer 11.5


How to determine if the installation is affected 

If the end-user controls are at a version that is less than the 
versions listed below, the installation is vulnerable.


File Name                 Version

UOMWV_HelperActiveX.ocx   11.5.0.1
PPSView.ocx               1.0.0.7


Solution

CA has issued the following patches to address the vulnerability.

CA Output Management Web Viewer 11.0:
Apply the RO29119 APAR, and then have end-users allow updated controls 
to be installed (on next attempt to use impacted feature).

CA Output Management Web Viewer 11.5:
Apply the RO29120 APAR, and then have end-users allow updated controls 
to be installed (on next attempt to use impacted feature).


References

CVE-2011-1719 - CA Output Management Web Viewer ActiveX Control Buffer 
Overflows


Acknowledgement

Dmitriy Pletnev, Secunia Research


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilj...@ca.com


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] CA20110420-01: Security Notice for CA SiteMinder

2011-04-20 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20110420-01: Security Notice for CA SiteMinder


Issued:  April 20, 2011


CA Technologies support is alerting customers to a security risk 
associated with CA SiteMinder. A vulnerability exists that can allow a 
malicious user to impersonate another user.  CA Technologies has 
issued patches to address the vulnerability.

The vulnerability, CVE-2011-1718, is due to improper handling of 
multi-line headers. A malicious user can send specially crafted data 
to impersonate another user.


Risk Rating 

Medium


Platform 

Windows


Affected Products 

CA SiteMinder R6 Web Agents prior to R6 SP6 CR2
CA SiteMinder R12 Web Agents prior to R12 SP3 CR2


How to determine if the installation is affected 

Check the Web Agent log to obtain the installed release version. Note 
that the webagent.log file name is configurable by the SiteMinder 
administrator.


Solution

CA has issued patches to address the vulnerability.

CA SiteMinder R6:
Upgrade to R6 SP6 CR2 or later

CA SiteMinder R12: 
Upgrade to R12 SP3 CR2 or later

CR releases can be found on the CA SiteMinder Hotfix / Cumulative 
Release page:
(URL may wrap)
support.ca.com/irj/portal/anonymous/phpdocs?filePath=0/5262/5262_fixindex.html


References

CVE-2011-1718 - CA SiteMinder Multi-line Header Vulnerability


Acknowledgement

April King (ap...@twoevils.org)


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782



[Full-disclosure] CA20110223-01: Security Notice for CA Host-Based Intrusion Prevention System

2011-02-24 Thread Williams, James K

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20110223-01: Security Notice for CA Host-Based Intrusion Prevention 
System

Issued: February 23, 2011
Updated: February 24, 2011


CA Technologies support is alerting customers to a security risk 
associated with CA Host-Based Intrusion Prevention System (HIPS). A 
vulnerability exists that can allow a remote attacker to execute 
arbitrary code.  CA Technologies has issued patches to address the 
vulnerability.

The vulnerability, CVE-2011-1036, is due to insecure method 
implementation in the XMLSecDB ActiveX control that is utilized in CA 
HIPS components and products. A remote attacker can potentially execute 
arbitrary code if he can trick a user into visiting a malicious web 
page or opening a malicious file.


Risk Rating 
Medium


Platform 
Windows


Affected Products 
CA Host-Based Intrusion Prevention System (HIPS) r8.1
CA Internet Security Suite (ISS) 2010
CA Internet Security Suite (ISS) 2011


How to determine if the installation is affected 
HIPS Management Server is vulnerable if the version number is less than 
8.1.0.88.

HIPS client sources are vulnerable if the build number is less than 
1.6.450.

CA Internet Security Suite (ISS) 2010 is vulnerable if the ISS product 
version is equal to or less than 6.0.0.285 and the HIPS version is 
equal to or less than 1.6.384.

CA Internet Security Suite (ISS) 2011 is vulnerable if the ISS product 
version is equal to or less than 7.0.0.115 and the HIPS version is 
equal to or less than 1.6.418.

Older versions of HIPS and ISS, that are no longer supported, may also 
be vulnerable.


Solution

CA has issued the following patches to address the vulnerability.

CA Host-Based Intrusion Prevention System (HIPS) r8.1:
RO26950
Apply RO26950 and set the DWORD ProtectParser under 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmxCfg to 1. You 
do not need to restart the client.

CA Internet Security Suite (ISS) 2010:
Fix information will be published soon.

CA Internet Security Suite (ISS) 2011:
Fix information will be published soon.


References

CVE-2011-1036 - CA HIPS XMLSecDB ActiveX control insecure methods


Acknowledgement

Andrea Micalizzi aka rgod, via TippingPoint ZDI


Change History

Version 1.0: Initial Release
Version 1.5: Added ISS 2011 to list of affected products. Added 
instructions for determining if ISS is affected.


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilj...@ca.com



[Full-disclosure] CA20101231-01: Security Notice for CA ARCserve D2D (updated)

2011-01-27 Thread Williams, James K

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20101231-01: Security Notice for CA ARCserve D2D

Issued: December 31, 2010
Last Updated: January 26, 2011

CA Technologies support is alerting customers to a security risk with 
CA ARCserve D2D. A vulnerability exists that can allow a remote 
attacker to execute arbitrary code.  CA has issued an Information 
Solution to address the vulnerability.

The vulnerability is due to default vulnerabilities inherent in the 
Tomcat and Axis2 3rd party software components. A remote attacker can 
exploit the implementation to execute arbitrary code.


Risk Rating 

High


Platform 

Windows


Affected Products 

CA ARCserve D2D r15


How to determine if the installation is affected 

Using Windows Explorer, go to the directory 
D2D_HOME\TOMCAT\webapps\WebServiceImpl, and look for the existence 
of a folder called axis2-web.


Solution

CA has issued the following patch to address the vulnerability.

CA ARCserve D2D r15:
RO26040

If you are not able to apply the patch at this time, the following 
workaround can be implemented to address the vulnerability.

1.  Stop CA ARCserve D2D Web Service from service control manager.

2.  Go to the directory D2D_HOME\TOMCAT\webapps\WebServiceImpl, 
and remove the folder axis2-web.

3.  Edit D2D_HOME\TOMCAT\webapps\WebServiceImpl\WEB-INF\web.xml, 
and remove the content of AxisAdminServlet's servlet and servlet 
mapping. 
 
The content to remove will look like the text below:

  <servlet>
    <display-name>Apache-Axis Admin Servlet Web Admin</display-name>
    <servlet-name>AxisAdminServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisAdminServlet</servlet-class>
    <load-on-startup>100</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisAdminServlet</servlet-name>
    <url-pattern>/axis2-admin/*</url-pattern>
  </servlet-mapping>

4.  Change the username and password parameters in the axis2.xml file 
to stronger credentials that conform to your organization's 
password policies. 
D2D_HOME\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml
   
   <parameter name="userName">admin</parameter>
   <parameter name="password">axis2</parameter>

5.  Start CA ARCserve D2D Web Service.


References

CVE-201X- - CVE Reference Pending

CA ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet 
Code Execution Vulnerability Poc Dec 30 2010 11:04AM
http://www.securityfocus.com/archive/1/515494/30/0/threaded
http://marc.info/?l=bugtraq&m=129373168501496&w=2

Computer Associates ARCserve D2D r15 Web Service Apache Axis2 World 
Accessible Servlet Code Execution Vulnerability Poc
http://retrogod.altervista.org/9sg_ca_d2d.html


Acknowledgement

rgod


Change History

Version 1.0: Initial Release
Version 2.0: Added patch information


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilj...@ca.com
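
An audit of workaround steps 2 to 4 above, as an added example that is not part of the advisory or CA's own tooling: it checks a D2D_HOME tree for the axis2-web folder, the AxisAdminServlet entries in web.xml and the default admin/axis2 values in axis2.xml. The paths and element names are the ones the advisory gives; the function names and the sample trees are constructed for illustration.

```python
"""Audit a CA ARCserve D2D r15 tree against the advisory's workaround steps."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Paths and names below D2D_HOME are the ones given in the advisory.
WEBAPP = Path("TOMCAT") / "webapps" / "WebServiceImpl"
DEFAULT_CREDS = {"userName": "admin", "password": "axis2"}


def _local(tag):
    """Drop an XML namespace prefix so files with or without xmlns match."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or an empty string."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit(d2d_home):
    """Return findings; an empty list means steps 2-4 are in place."""
    base = Path(d2d_home) / WEBAPP
    findings = []

    # Step 2: the axis2-web folder must have been removed.
    if (base / "axis2-web").is_dir():
        findings.append("axis2-web folder present")

    # Step 3: web.xml must not declare the AxisAdminServlet or its mapping.
    web_xml = base / "WEB-INF" / "web.xml"
    if web_xml.is_file():
        for elem in ET.parse(web_xml).getroot().iter():
            kind = _local(elem.tag)
            if (kind in ("servlet", "servlet-mapping")
                    and _child_text(elem, "servlet-name") == "AxisAdminServlet"):
                findings.append(f"web.xml declares AxisAdminServlet <{kind}>")
    else:
        findings.append("web.xml not found")

    # Step 4: axis2.xml must not keep the shipped userName/password values.
    axis2_xml = base / "WEB-INF" / "conf" / "axis2.xml"
    if axis2_xml.is_file():
        for param in ET.parse(axis2_xml).getroot().iter():
            name = param.get("name")
            if (_local(param.tag) == "parameter" and name in DEFAULT_CREDS
                    and (param.text or "").strip() == DEFAULT_CREDS[name]):
                findings.append(f"axis2.xml {name} is still the default")
    else:
        findings.append("axis2.xml not found")
    return findings


# Constructed sample files (not copied from a real installation). The xmlns
# on web-app is an assumption added to exercise the namespace handling.
NS = 'xmlns="http://java.sun.com/xml/ns/j2ee"'
WEB_XML_DEFAULT = f"""<web-app {NS}>
  <servlet>
    <display-name>Apache-Axis Admin Servlet Web Admin</display-name>
    <servlet-name>AxisAdminServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisAdminServlet</servlet-class>
    <load-on-startup>100</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisAdminServlet</servlet-name>
    <url-pattern>/axis2-admin/*</url-pattern>
  </servlet-mapping>
</web-app>"""
WEB_XML_HARDENED = f"<web-app {NS}/>"
AXIS2_XML = """<axisconfig>
  <parameter name="userName">{user}</parameter>
  <parameter name="password">{password}</parameter>
</axisconfig>"""


def build_sample(root, hardened):
    """Create a constructed D2D_HOME tree under `root` and return `root`."""
    base = Path(root) / WEBAPP
    (base / "WEB-INF" / "conf").mkdir(parents=True)
    if not hardened:
        (base / "axis2-web").mkdir()
    web = WEB_XML_HARDENED if hardened else WEB_XML_DEFAULT
    (base / "WEB-INF" / "web.xml").write_text(web)
    user, password = (("d2dsvc", "constructed-not-a-real-secret") if hardened
                      else ("admin", "axis2"))
    (base / "WEB-INF" / "conf" / "axis2.xml").write_text(
        AXIS2_XML.format(user=user, password=password))
    return root


def demo():
    """Audit a default-state tree and a tree with the workaround applied."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return audit(build_sample(a, False)), audit(build_sample(b, True))


if __name__ == "__main__":
    before, after = demo()
    print("default tree:", *before, sep="\n  ")
    print("after workaround:", after or "no findings")
```

Against a real installation, call audit() with the actual D2D_HOME path while the web service is stopped, so the files are not in use.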



[Full-disclosure] CA20101231-01: Security Notice for CA ARCserve D2D

2010-12-31 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20101231-01: Security Notice for CA ARCserve D2D
Issued: December 31, 2010

CA Technologies support is alerting customers to a security risk with 
CA ARCserve D2D. A vulnerability exists that can allow a remote 
attacker to execute arbitrary code.  CA has issued an Information 
Solution to address the vulnerability.

The vulnerability is due to default vulnerabilities inherent in the 
Tomcat and Axis2 3rd party software components. A remote attacker can 
exploit the implementation to execute arbitrary code.


Risk Rating 

High


Platform 

Windows


Affected Products 

CA ARCserve D2D r15


How to determine if the installation is affected 

Using Windows Explorer, go to the directory 
D2D_HOME\TOMCAT\webapps\WebServiceImpl, and look for the existence 
of a folder called axis2-web.


Solution

A permanent solution will be posted soon at https://support.ca.com/

In the meantime, the following workaround can be implemented to address 
the vulnerability.

1.  Stop CA ARCserve D2D Web Service from service control manager.

2.  Go to the directory D2D_HOME\TOMCAT\webapps\WebServiceImpl, and 
remove the folder axis2-web.

3.  Edit D2D_HOME\TOMCAT\webapps\WebServiceImpl\WEB-INF\web.xml, and 
remove the content of AxisAdminServlet's servlet and servlet 
mapping. 
 
The content to remove will look like the text below:

  <servlet>
    <display-name>Apache-Axis Admin Servlet Web Admin</display-name>
    <servlet-name>AxisAdminServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisAdminServlet</servlet-class>
    <load-on-startup>100</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisAdminServlet</servlet-name>
    <url-pattern>/axis2-admin/*</url-pattern>
  </servlet-mapping>

4.  Change the username and password parameters in the axis2.xml file to 
stronger credentials that conform to your organization's password 
policies. 
D2D_HOME\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml

   <parameter name="userName">admin</parameter>
   <parameter name="password">axis2</parameter>

5.  Start CA ARCserve D2D Web Service.


References

CVE-201X- - CVE Reference Pending

CA ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet 
Code Execution Vulnerability Poc Dec 30 2010 11:04AM
http://www.securityfocus.com/archive/1/515494/30/0/threaded
http://marc.info/?l=bugtraq&m=129373168501496&w=2

Computer Associates ARCserve D2D r15 Web Service Apache Axis2 World 
Accessible Servlet Code Execution Vulnerability Poc
http://retrogod.altervista.org/9sg_ca_d2d.html


Acknowledgement

rgod


Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies 
Support at https://support.ca.com

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilj...@ca.com


[Full-disclosure] CA20100304-01: Security Notice for CA SiteMinder

2010-03-04 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20100304-01: Security Notice for CA SiteMinder


Issued: March 04, 2010


CA's support is alerting customers to a security risk with CA 
SiteMinder. Multiple cross site scripting (XSS) vulnerabilities 
exist that can allow a remote attacker to potentially gain 
sensitive information. CA has provided guidance to remediate the 
vulnerability.

The vulnerabilities, CVE-2009-3731, are due to insufficient 
validation of input strings. An attacker can potentially steal 
network domain credentials by enticing a user to visit a web page 
that contains malicious content.


Risk Rating

Low


Platforms

Windows
Solaris
HP-UX
Red Hat Linux


Affected Products

CA SiteMinder 6.0 (SP4 and earlier)


How to determine if the installation is affected

The vulnerability is caused by an issue with the publishing tool 
used to create the online help and HTML documentation for older CA 
SiteMinder releases (6.0 SP4 and earlier). This vulnerability 
affects CA SiteMinder in the following ways:

 * HTML versions of the product documentation for SiteMinder can 
be deployed on an individual system or through a web server. If 
product documentation has been deployed on a web server the 
SiteMinder 6.0 installation is vulnerable.

 * Online help systems for SiteMinder are deployed and accessible 
through a web server. This vulnerability applies to help systems.

In both cases, this vulnerability applies if web access to the 
associated web servers has been configured to make use of 
non-public (client-specific) information.


Solution

CA SiteMinder:

 * Upgrade Policy Servers to the latest service pack for SiteMinder 
6.0. Remove older versions of the product documentation from your 
servers.

 or

 * For Integrated Document sets, if you have deployed the HTML 
version of documentation to a web server, move the documentation 
to a file server and delete the documentation from the web server.

 * For Online Help systems, remove the help systems from the 
application folders and place them on a file system for future 
reference. Note that this will cause help links to fail in the 
associated applications.

 The folders that contain help systems are:

   o Administrative UI Help:
 policy server home\admin\help

   o Policy Server Management Console Help:
 policy server home\bin\smconsole-help

   o SiteMinder Test Tool Help:
 policy server home\bin\smtest-help


References

CVE-2009-3731 - WebWorks Help XSS


Acknowledgement

CVE-2009-3731 - Daniel Grzelak and Alex Kouzemtchenko of stratsec 
(www.stratsec.net)


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Support 
at https://support.ca.com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782



Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2010 CA. All rights reserved.




[Full-disclosure] CA20091008-01: Security Notice for CA Anti-Virus Engine

2009-10-09 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20091008-01: Security Notice for CA Anti-Virus Engine


Issued: October 8, 2009


CA's support is alerting customers to multiple security risks 
associated with CA Anti-Virus Engine.  Vulnerabilities exist in 
the arclib component that can allow a remote attacker to cause a 
denial of service, or to cause heap corruption and potentially 
further compromise a system.  CA has issued fixes to address the 
vulnerabilities.

The first vulnerability, CVE-2009-3587, is due to improper 
handling of a specially crafted RAR archive file by the CA 
Anti-Virus engine arclib component.  An attacker can create a 
malformed RAR archive file that results in heap corruption and 
allows the attacker to cause a denial of service or possibly 
further compromise the system.

The second vulnerability, CVE-2009-3588, is due to improper 
handling of a specially crafted RAR archive file by the CA 
Anti-Virus engine arclib component.  An attacker can create a 
malformed RAR archive file that results in stack corruption and 
allows the attacker to cause a denial of service.


Risk Rating

Medium


Platform

Windows
UNIX
Linux
Solaris
Mac OS X
Netware


Affected Products

CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
CA Anti-Virus 2007 (v8)
CA Anti-Virus 2008
CA Anti-Virus 2009
CA Anti-Virus Plus 2009
eTrust EZ Antivirus r7.1
CA Internet Security Suite 2007 (v3)
CA Internet Security Suite 2008
CA Internet Security Suite Plus 2008
CA Internet Security Suite Plus 2009
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) r8
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) 8.1
CA Threat Manager Total Defense
CA Gateway Security r8.1
CA Protection Suites r2
CA Protection Suites r3
CA Protection Suites r3.1
CA Secure Content Manager (formerly eTrust Secure Content 
   Manager) 1.1
CA Secure Content Manager (formerly eTrust Secure Content 
   Manager) 8.0
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r3.0
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r3.1
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r11
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r11.1
CA ARCserve Backup r11.5 on Windows
CA ARCserve Backup r12 on Windows
CA ARCserve Backup r12.0 SP1 on Windows
CA ARCserve Backup r12.0 SP 2 on Windows
CA ARCserve Backup r12.5 on Windows
CA ARCserve Backup r11.1 Linux
CA ARCserve Backup r11.5 Linux
CA ARCserve for Windows Client Agent
CA ARCserve for Windows Server component
CA eTrust Intrusion Detection 2.0 SP1
CA eTrust Intrusion Detection 3.0
CA eTrust Intrusion Detection 3.0 SP1
CA Common Services (CCS) r3.1
CA Common Services (CCS) r11
CA Common Services (CCS) r11.1
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)
CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1


Non-Affected Products

CA Anti-Virus engine with arclib version 8.1.4.0 or later 
installed


How to determine if the installation is affected

For products on Windows:

1. Using Windows Explorer, locate the file arclib.dll.  By 
   default, the file is located in the 
   C:\Program Files\CA\SharedComponents\ScanEngine directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated below, the 
   installation is vulnerable.

  File Name     File Version
  arclib.dll    8.1.4.0

*For eTrust Intrusion Detection 2.0, the file is located in 
Program Files\eTrust\Intrusion Detection\Common, and for eTrust 
Intrusion Detection 3.0 and 3.0 sp1, the file is located in 
Program Files\CA\Intrusion Detection\Common.

For CA Anti-Virus r8.1 on non-Windows platforms:

Use the compver utility provided on the CD to determine the 
version of Arclib.  If the version is less than 8.1.4.0, the 
installation is vulnerable.

Example compver utility output:

  
  COMPONENT NAME VERSION
  
  eTrust Antivirus Arclib Archive Library 8.1.4.0
  ... (followed by other components)
   

For reference, the following are file names for arclib on 
non-Windows operating systems:

  Operating System    File name
  Solaris             libarclib.so
  Linux               libarclib.so
  Mac OS X            arclib.bundle


Solution

CA released arclib 8.1.4.0 on August 12 2009.  If your product is 
configured for automatic updates, you should already be protected, 
and you need to take no action.  If your product is not configured 
for automatic updates, then you simply need to run 

[Full-disclosure] CA20090615-01: CA ARCserve Backup Message Engine Denial of Service Vulnerabilities

2009-06-16 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA20090615-01: CA ARCserve Backup Message Engine Denial of 
Service Vulnerabilities


CA Advisory Reference: CA20090615-01


CA Advisory Date: 2009-06-15


Reported By: iViZ Security Research Team


Impact: A remote attacker can cause a denial of service.


Summary: CA ARCserve Backup contains multiple vulnerabilities in 
the message engine that can allow a remote attacker to cause a 
denial of service. CA has issued an update to address the 
vulnerabilities. The vulnerabilities, CVE-2009-1761, occur due to 
insufficient verification of data sent to the message engine. An 
attacker can make requests that can cause the message engine to 
crash.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r12.0 SP 1 Windows


Non-Affected Products:
CA ARCserve Backup r11.5 SP 4 Windows
CA ARCserve Backup r12.0 SP 2 Windows
CA ARCserve Backup r12.5


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following patches to address the vulnerabilities.

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
Install Service Pack 2 RO08383.


How to determine if the installation is affected:

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
   1. Run the ARCserve Patch Management utility. From the Windows 
      Start menu, the program can be found under 
      Programs->CA->ARCserve Patch Management->Patch Status.
   2. The main patch status screen will indicate if the patch in 
      the below table is applied. If the patch is not applied, 
      then the installation is vulnerable.

Product  Patch

CA ARCserve Backup r12.0, r12.0 SP1 Windows  RO08383


For more information on the ARCserve Patch Management utility, 
read document TEC446265.


Workaround: 
As a workaround solution, disable the Apache HTTP Server with the 
stopgui command. To re-enable the server, run startgui.

Stopping the Apache HTTP Server will prevent the ARCserve user 
from performing GUI operations. Most of the operations provided by 
the GUI can be accomplished via the command line.

Alternatively, restrict remote network access to reduce exposure.


References (URLs may wrap):
CA Support:
https://support.ca.com/
CA20090615-01: Security Notice for CA ARCserve Backup Message 
   Engine
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502
Solution Document Reference APARs:
RO08383, TEC446265
CA Security Response Blog posting:
CA20090615-01: CA ARCserve Backup Message Engine Denial of Service 
   Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15.aspx
Reported By: 
iViZ Security Research Team
http://www.ivizsecurity.com/security-advisory-iviz-sr-09003.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-09004.html
CVE References:
CVE-2009-1761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1761
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at https://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team




[Full-disclosure] CA20090615-01: CA ARCserve Backup Message Engine Denial of Service Vulnerabilities

2009-06-16 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA20090615-01: CA ARCserve Backup Message Engine Denial of 
Service Vulnerabilities


CA Advisory Reference: CA20090615-01


CA Advisory Date: 2009-06-15


Reported By: iViZ Security Research Team


Impact: A remote attacker can cause a denial of service.


Summary: CA ARCserve Backup contains multiple vulnerabilities in 
the message engine that can allow a remote attacker to cause a 
denial of service. CA has issued an update to address the 
vulnerabilities. The vulnerabilities, CVE-2009-1761, occur due to 
insufficient verification of data sent to the message engine. An 
attacker can make requests that can cause the message engine to 
crash.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r12.0 SP 1 Windows


Non-Affected Products:
CA ARCserve Backup r11.5 SP 4 Windows
CA ARCserve Backup r12.0 SP 2 Windows
CA ARCserve Backup r12.5


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following patches to address the vulnerabilities.

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
Install Service Pack 2 RO08383.


How to determine if the installation is affected:

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
   1. Run the ARCserve Patch Management utility. From the Windows 
      Start menu, the program can be found under 
      Programs->CA->ARCserve Patch Management->Patch Status.
   2. The main patch status screen will indicate if the patch in 
      the below table is applied. If the patch is not applied, 
      then the installation is vulnerable.

Product  Patch

CA ARCserve Backup r12.0, r12.0 SP1 Windows  RO08383


For more information on the ARCserve Patch Management utility, 
read document TEC446265.


Workaround: 
None


References (URLs may wrap):
CA Support:
https://support.ca.com/
CA20090615-01: Security Notice for CA ARCserve Backup Message 
   Engine
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502
Solution Document Reference APARs:
RO08383, TEC446265
CA Security Response Blog posting:
CA20090615-01: CA ARCserve Backup Message Engine Denial of Service 
   Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15.aspx
Reported By: 
iViZ Security Research Team
http://www.ivizsecurity.com/security-advisory-iviz-sr-09003.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-09004.html
CVE References:
CVE-2009-1761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1761
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at https://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team




[Full-disclosure] CA20090615-02: CA Service Desk Tomcat Cross Site Scripting Vulnerability

2009-06-16 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA20090615-02: CA Service Desk Tomcat Cross Site Scripting 
Vulnerability


CA Advisory Reference: CA20090615-02


CA Advisory Date: 2009-06-15


Impact: A remote attacker can inject arbitrary web script or HTML.


Summary: The release of Tomcat as included with CA Service Desk 
r11.2 is potentially susceptible to a cross-site scripting 
vulnerability.  CA has issued a technical document that describes 
remediation procedures.


Mitigating Factors: None


Severity: CA has given this vulnerability a Medium risk rating.


Affected Products:
CA Service Desk r11.2


Affected Platforms:
Windows, Unix


Status and Recommendation:
Follow the instructions in technical document TEC489643.
https://support.ca.com/irj/portal/anonymous/\
redirArticles?reqPage=search&searchID=TEC489643

How to determine if the installation is affected:
Customers can use the instructions in technical document TEC489643 
to determine if an installation may be affected.


Workaround: 
None


References (URLs may wrap):
CA Support:
https://support.ca.com/
CA20090615-02: Security Notice for CA Service Desk
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209500
Solution Document Reference APARs:
TEC489643
CA Security Response Blog posting:
CA20090615-02: CA Service Desk Tomcat Cross Site Scripting 
   Vulnerability
community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15.aspx
CVE References:
CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at https://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.10.0 (Build 500)
Charset: utf-8

wj8DBQFKN4queSWR3+KUGYURAnrZAJ9sEgBd5Lw57AW6egPeJu8CDyUv8gCcC8hT
auAyFOQijA812rBtlTXJmtA=
=ssdM
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] CA20090429-01: CA ARCserve Backup Apache HTTP Server Multiple Vulnerabilities

2009-04-30 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA20090429-01: CA ARCserve Backup Apache HTTP Server 
Multiple Vulnerabilities


CA Advisory Reference: CA20090429-01


CA Advisory Date: 2009-04-29


Reported By:
Apache Software Foundation
David Endler of iDefense
Ulf Harnhammar for SITIC, Swedish IT Incident Centre


Impact: A remote attacker can exploit a buffer overflow to gain 
apache privileges, or cause a denial of service.


Summary: CA ARCserve Backup on Solaris, Tru64, HP-UX, and AIX 
contains multiple vulnerabilities in the Apache HTTP Server 
version as shipped with ARCserve Backup. CA has issued updates 
that contain version 2.0.63 of the Apache HTTP Server to address 
the vulnerabilities. Refer to the References section for a list of 
resolved issues by CVE identifier.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Products:
CA ARCserve Backup r11.5 Solaris
CA ARCserve Backup r11.5 Tru64
CA ARCserve Backup r11.5 HP-UX
CA ARCserve Backup r11.5 AIX


Non-Affected Products:
CA ARCserve Backup r11.5 Windows
CA ARCserve Backup r11.5 Linux


Affected Platforms:
Solaris
Tru64
HP-UX
AIX


Status and Recommendation:
CA has issued the following patches to address the 
vulnerabilities.

CA ARCserve Backup r11.5 Solaris:
RO06786

CA ARCserve Backup r11.5 Tru64:
RO06788

CA ARCserve Backup r11.5 HP-UX:
RO06789

CA ARCserve Backup r11.5 AIX:
RO06791


How to determine if you are affected:

1. From the command line, run the following to print the version 
   of the Apache HTTP Server included with ARCserve Backup:

  $BAB_HOME/httpd/httpd -v

  Note: On HP-UX the shared library path needs to be modified 
prior to running the httpd command:

  SHLIB_PATH=$SHLIB_PATH:$BAB_HOME/httpd/lib
  export SHLIB_PATH

2. If the displayed version is less than 2.0.63, then the 
   installation may be vulnerable.


Workaround: 
As a workaround solution, disable the Apache HTTP Server with the 
stopgui command. To re-enable the server, run startgui.

Stopping the Apache HTTP Server will prevent the ARCserve user 
from performing GUI operations. Most of the operations provided by 
the GUI can be accomplished via the command line.

Alternatively, restrict remote network access to reduce exposure.


References (URLs may wrap):
CA Support:
https://support.ca.com/
CA20090429-01: Security Notice for CA ARCserve Backup Apache HTTP 
   Server
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=205147
Solution Document Reference APARs:
RO06786, RO06788, RO06789, RO06791
CA Security Response Blog posting:
CA20090429-01: CA ARCserve Backup Apache HTTP Server Multiple 
   Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/04/29.aspx
Reported By: 
Apache Software Foundation
David Endler of iDefense
Ulf Harnhammar for SITIC, Swedish IT Incident Centre
CVE References:
CVE-2004-0747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0747
CVE-2003-0132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0132
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at https://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.10.0 (Build 500)
Charset: utf-8

wj8DBQFJ+gEdeSWR3+KUGYURAsU9AJwI3A5Odxb0KRvIZbIryYKYHSUYawCeMikU
vfjYo3J5kxwcBhH6wLSOFLQ=
=tCM7
-END PGP SIGNATURE-



[Full-disclosure] CA20090126-01: CA Anti-Virus Engine Detection Evasion Multiple Vulnerabilities

2009-01-27 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA20090126-01: CA Anti-Virus Engine Detection Evasion 
Multiple Vulnerabilities


CA Advisory Reference: CA20090126-01


CA Advisory Date: 2009-01-26


Reported By:
Thierry Zoller and Sergio Alvarez of n.runs AG


Impact: A remote attacker can evade detection.


Summary: The CA Anti-Virus engine contains multiple 
vulnerabilities that can allow a remote attacker to evade 
detection by the Anti-Virus engine by creating a malformed archive 
file in one of several common file archive formats. CA has 
released a new Anti-Virus engine to address the vulnerabilities. 
The vulnerabilities, CVE-2009-0042, are due to improper handling 
of malformed archive files by the Anti-Virus engine. A remote 
attacker can create a malformed archive file that potentially 
contains malware and evade anti-virus detection.

Note: After files have been extracted from an archive, the desktop 
Anti-Virus engine is able to scan all files for malware. 
Consequently, detection evasion can be a concern for gateway 
anti-virus software if archives are not scanned, but the risk is 
effectively mitigated by the desktop anti-virus engine.


Mitigating Factors: See note above.


Severity: CA has given these vulnerabilities a Low risk rating.


Affected Products:
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1, 
   r8, r8.1
CA Anti-Virus 2007 (v8), 2008
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3), 2008
CA Internet Security Suite Plus 2008
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) r8, 8.1
CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
CA Protection Suites r2, r3, r3.1
CA Secure Content Manager (formerly eTrust Secure Content 
   Manager) 8.0, 8.1
CA Anti-Spyware for the Enterprise (Formerly eTrust 
   PestPatrol) r8, 8.1
CA Anti-Spyware 2007, 2008
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r3.0, r3.1, r11, r11.1
CA ARCserve Backup r11.1, r11.5, r12 on Windows
CA ARCserve Backup r11.1, r11.5 Linux
CA ARCserve client agent for Windows
CA eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1, 4.0
CA Common Services (CCS) r11, r11.1
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)


Non-Affected Products:
CA Anti-Virus engine with arclib version 7.3.0.15 installed


Affected Platforms:
Windows
UNIX
Linux
Solaris
Mac OS X
NetWare


Status and Recommendation:
CA released arclib 7.3.0.15 in September 2008.  If your product is 
configured for automatic updates, you should already be protected, 
and you need to take no action.  If your product is not configured 
for automatic updates, then you simply need to run the update 
utility included with your product.


How to determine if you are affected:

For products on Windows:

1. Using Windows Explorer, locate the file arclib.dll. By 
   default, the file is located in the 
   C:\Program Files\CA\SharedComponents\ScanEngine directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated below, the 
   installation is vulnerable.

File Name      File Version
arclib.dll     7.3.0.15

*For eTrust Intrusion Detection 2.0 the file is located in 
Program Files\eTrust\Intrusion Detection\Common, and for eTrust 
Intrusion Detection 3.0 and 3.0 sp1, the file is located in 
Program Files\CA\Intrusion Detection\Common.

For CA Anti-Virus r8.1 on non-Windows platforms:

Use the compver utility provided on the CD to determine the 
version of Arclib. If the version is less than 7.3.0.15, the 
installation is vulnerable. 

Example compver utility output:
 
 COMPONENT NAME   VERSION
 
 eTrust Antivirus Arclib Archive Library  7.3.0.15
 ... (followed by other components)

For reference, the following are file names for arclib on 
non-Windows operating systems:

Operating System    File name
Solaris             libarclib.so
Linux               libarclib.so
Mac OS X            arclib.bundle


Workaround: 
Do not open email attachments or download files from untrusted 
sources.


References (URLs may wrap):
CA Support:
http://support.ca.com/
CA20090126-01: Security Notice for CA Anti-Virus Engine
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197601
Solution Document Reference APARs:
n/a
CA Security Response Blog posting:
CA20090126-01: CA Anti-Virus Engine Detection Evasion Multiple 
Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/26.aspx
Reported By: 
Thierry Zoller and Sergio Alvarez of n.runs AG
http://www.nruns.com/
http://secdev.zoller.lu
CVE References:
CVE-2009-0042 - Anti-Virus detection evasion
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0042
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release
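
The two command-line checks described above, `httpd -v` against 2.0.63 (CA20090429-01) and compver against arclib 7.3.0.15 (CA20090126-01), as an added shell example that is not part of CA's advisories. The sample outputs are constructed, the `Server version: Apache/x.y.z` banner layout is assumed to be the usual `httpd -v` format, and all function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisories): compare reported component
# versions with the fixed versions named on this page.

# version_lt A B: return 0 if dotted version A is older than B, 1 if it is
# equal or newer, 2 if a component is not numeric. Components are compared
# as integers, so 7.3.0.9 sorts before 7.3.0.15 (a string compare would not).
version_lt() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        # Drop the component just read; clear the string when no dot is left.
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _x=${_x:-0}; _y=${_y:-0}          # a missing component counts as 0
        case $_x$_y in *[!0-9]*) return 2 ;; esac
        [ "$_x" -lt "$_y" ] && return 0
        [ "$_x" -gt "$_y" ] && return 1
    done
    return 1
}

# apache_version: read "httpd -v" output on stdin, print the version number.
apache_version() {
    sed -n 's|^Server version:[[:space:]]*Apache/\([0-9][0-9.]*\).*|\1|p' |
        head -n 1
}

# arclib_version: read compver output on stdin; the Arclib row ends with
# the version, as in the example output quoted in the advisory.
arclib_version() {
    awk '/Arclib/ { print $NF; exit }'
}

# assess FOUND FIXED: print a verdict. An empty or unparsable version is
# reported as "unknown" rather than being treated as patched.
assess() {
    [ -n "$1" ] || { echo "unknown"; return 0; }
    _rc=0
    version_lt "$1" "$2" || _rc=$?
    case $_rc in
        0) echo "may be vulnerable" ;;
        1) echo "fixed" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample outputs, used when the product is not installed here.
SAMPLE_HTTPD='Server version: Apache/2.0.59
Server built:   Jan  1 2007 00:00:00'
SAMPLE_COMPVER=' COMPONENT NAME   VERSION
 eTrust Antivirus Arclib Archive Library  7.3.0.9'

if [ -x "${BAB_HOME:-/nonexistent}/httpd/httpd" ]; then
    if [ "$(uname -s)" = "HP-UX" ]; then
        # The advisory's HP-UX step. The ${VAR:+...} form avoids a leading
        # ":" (an empty entry) when SHLIB_PATH was previously unset.
        SHLIB_PATH=${SHLIB_PATH:+$SHLIB_PATH:}$BAB_HOME/httpd/lib
        export SHLIB_PATH
    fi
    banner=$("$BAB_HOME/httpd/httpd" -v 2>&1)
else
    banner=$SAMPLE_HTTPD
fi

apache_found=$(printf '%s\n' "$banner" | apache_version)
arclib_found=$(printf '%s\n' "$SAMPLE_COMPVER" | arclib_version)

echo "Apache HTTP Server ${apache_found:-?}: $(assess "$apache_found" 2.0.63)"
echo "Arclib ${arclib_found:-?}: $(assess "$arclib_found" 7.3.0.15)"
```

To check a real Arclib installation, pipe the output of the compver utility into arclib_version in place of the constructed sample.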



[Full-disclosure] CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)

2009-01-26 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities


CA Advisory Reference: CA20090123-01


CA Advisory Date: 2009-01-23


Reported By: n/a


Impact: Refer to the CVE identifiers for details.


Summary: Multiple security risks exist in Apache Tomcat as 
included with CA Cohesion Application Configuration Manager. CA 
has issued an update to address the vulnerabilities. Refer to the 
References section for the full list of resolved issues by CVE 
identifier.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Products:
CA Cohesion Application Configuration Manager 4.5


Non-Affected Products
CA Cohesion Application Configuration Manager 4.5 SP1


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following update to address the vulnerabilities.

CA Cohesion Application Configuration Manager 4.5:

RO04648
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=searchsearchID=RO04648


How to determine if you are affected:

1. Using Windows Explorer, locate the file RELEASE-NOTES.
2. By default, the file is located in the 
   C:\Program Files\CA\Cohesion\Server\server\ directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is 
   vulnerable.


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
CA20090123-01: Security Notice for Cohesion Tomcat
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
Solution Document Reference APARs:
RO04648
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
Reported By: 
n/a
CVE References:
CVE-2005-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
CVE-2005-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510
CVE-2006-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835
CVE-2006-7195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195
CVE-2006-7196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196
CVE-2007-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
CVE-2007-1355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355
CVE-2007-1358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
CVE-2007-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858
CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
CVE-2007-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
CVE-2007-3385 *
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
CVE-2007-3386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
CVE-2008-0128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128
*Note: the issue was not completely fixed by Tomcat maintainers.
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Updated Impact, Summary, Affected Products


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFJflTMeSWR3+KUGYURAuRZAJ9b/W0ZyaFxIzBzf8bZO3Zra6ewJwCfXemr
gwJHdqRMBFFV9awQRW1jIWo=
=UfZX
-END PGP SIGNATURE-



[Full-disclosure] CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities

2009-01-24 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities


CA Advisory Reference: CA20090123-01


CA Advisory Date: 2009-01-23


Reported By: n/a


Impact: A remote attacker can execute arbitrary commands.


Summary: Multiple security risks exist in Apache Tomcat as 
included with CA Cohesion and products that contain CA Cohesion. 
CA has issued an update to address the vulnerabilities. Refer to 
the References section for the full list of resolved issues by CVE 
identifier.


Mitigating Factors: None


Severity: CA has given this vulnerability a Medium risk rating.


Affected Products:
CA Cohesion Application Configuration Manager 4.5
CA CMDB Application Server 11.1
Unicenter Service Desk 11.2


Non-Affected Products
CA Cohesion Application Configuration Manager 4.5 SP1


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following update to address the vulnerabilities.

CA Cohesion Application Configuration Manager 4.5,
CA CMDB Application Server 11.1,
Unicenter Service Desk 11.2:

RO04648
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=searchsearchID=RO04648


How to determine if you are affected:

1. Using Windows Explorer, locate the file RELEASE-NOTES.
2. By default, the file is located in the 
   C:\Program Files\CA\Cohesion\Server\server\ directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is 
   vulnerable.


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
CA20090123-01: Security Notice for Cohesion Tomcat
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
Solution Document Reference APARs:
RO04648
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
Reported By: 
n/a
CVE References:
CVE-2005-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
CVE-2005-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510
CVE-2006-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835
CVE-2006-7195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195
CVE-2006-7196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196
CVE-2007-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
CVE-2007-1355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355
CVE-2007-1358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
CVE-2007-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858
CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
CVE-2007-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
CVE-2007-3385 *
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
CVE-2007-3386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
CVE-2008-0128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128
*Note: the issue was not completely fixed by Tomcat maintainers.
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFJe1/peSWR3+KUGYURAkN6AJ4qO1i441e0VkxMtFDFNvNKYN65NwCcC2uQ
TggOqKHWezDJXNQ+E3INNVA=
=A2iW
-END PGP SIGNATURE-



[Full-disclosure] CA ARCserve Backup LDBserver Vulnerability

2008-12-10 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA ARCserve Backup LDBserver Vulnerability


CA Advisory Date: 2008-12-10


Reported By:
Dyon Balding of Secunia Research


Impact: A remote attacker can cause a denial of service or execute 
arbitrary code.


Summary: CA ARCserve Backup contains a vulnerability that can 
allow a remote attacker to cause a denial of service or execute 
arbitrary code. CA has issued patches to address the 
vulnerability. The vulnerability, CVE-2008-5415, is due to 
insufficient verification of client data. A remote attacker can 
crash the LDBserver service or execute arbitrary code in the 
context of the service. Note: The client installation is not 
affected.


Mitigating Factors: The client installation is not affected.


Severity: CA has given this vulnerability a High risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows*
CA ARCserve Backup r11.1 Windows*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
   Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
   Premium Edition r2

*Formerly known as BrightStor ARCserve Backup.


Non-Affected Products
CA ARCserve Backup r12.0 Windows SP1


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following patches to address the vulnerability.

CA ARCserve Backup r12.0 Windows:
Apply Service Pack 1 (RO01340)

CA ARCserve Backup r11.5 Windows:
RO04383

CA ARCserve Backup r11.1 Windows:
RO04382

CA Protection Suites r2:
RO04383


How to determine if you are affected:

CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows:

1. Run the ARCserve Patch Management utility. From the Windows 
   Start menu, it can be found under:
   Programs > CA > ARCserve Patch Management > Patch Status

2. The main patch status screen will indicate if the respective 
   patch in the below table is currently applied. If the patch is 
   not applied, the installation is vulnerable.

Product                              Patch
CA ARCserve Backup r12.0 Windows     RO01340
CA ARCserve Backup r11.5 Windows*    RO04383

For more information on the ARCserve Patch Management utility, 
read document TEC446265.

Alternatively, use the file information below to determine if the 
product installation is vulnerable.

CA ARCserve Backup r11.1 Windows:

1. Using Windows Explorer, locate the file DBserver.dll. By 
   default, the file is located in the 
   C:\Program Files\CA\BrightStor ARCserve Backup directory.

2. Right click on the file and select Properties.

3. Select the General tab.

4. If the file timestamp is earlier than indicated in the table 
   below, the installation is vulnerable.

Product version:  CA ARCserve Backup r11.1 Windows
File Name:  DBserver.dll
File Size:  675840 bytes
Timestamp:  11/25/2008 09:32:21

*CA Protection Suites r2 includes CA ARCserve Backup 11.5


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup LDBserver
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=194293
Solution Document Reference APARs:
RO01340, RO04383, RO04382
CA Security Response Blog posting:
CA ARCserve Backup LDBserver Vulnerability
community.ca.com/blogs/casecurityresponseblog/archive/2008/12/10.aspx
Reported By: 
Dyon Balding of Secunia Research
CVE References:
CVE-2008-5415 - LDBserver code execution
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5415
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.9.0 (Build 397)
Charset: utf-8

wj8DBQFJQC8NeSWR3+KUGYURAgM3AJ0Y07s2AHILwcEFx6TnBquybQMfbACgkbwX
ZVMX5nrB//gqq9wcOpUXlgY=
=dBR8
-END PGP SIGNATURE-



[Full-disclosure] CA ARCserve Backup Multiple Vulnerabilities

2008-10-09 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Title: CA ARCserve Backup Multiple Vulnerabilities


CA Advisory Date: 2008-10-09


Reported By:
Haifei Li of Fortinet's FortiGuard Global Security Research Team
Vulnerability Research Team of Assurent Secure Technologies, a 
   TELUS Company
Greg Linares of eEye Digital Security


Impact: A remote attacker can cause a denial of service or 
possibly execute arbitrary code.


Summary: CA ARCserve Backup contains multiple vulnerabilities that 
can allow a remote attacker to cause a denial of service or 
possibly execute arbitrary code. CA has issued patches to address 
the vulnerabilities. The first vulnerability, CVE-2008-4397, 
occurs due to insufficient validation of certain RPC call 
parameters by the message engine service. An attacker can exploit 
a directory traversal vulnerability to execute arbitrary commands. 
The second vulnerability, CVE-2008-4398, occurs due to 
insufficient validation by the tape engine service. An attacker 
can make a request that will crash the service. The third 
vulnerability, CVE-2008-4399, occurs due to insufficient 
validation by the database engine service. An attacker can make a 
request that will crash the service. The fourth vulnerability, 
CVE-2008-4400, occurs due to insufficient validation of 
authentication credentials. An attacker can make a request that 
will crash multiple services. Note that these issues only affect 
the base product.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a High risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows*
CA ARCserve Backup r11.1 Windows*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
   Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
   Premium Edition r2

*Formerly known as BrightStor ARCserve Backup.


Non-Affected Products
CA ARCserve Backup r12.0 Windows SP1


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following updates for systems that have an 
affected base product.

CA ARCserve Backup r12.0 Windows:
Apply Service Pack 1 (RO01340)

CA ARCserve Backup r11.5 Windows:
RO02398

CA ARCserve Backup r11.1 Windows:
RO02396

CA Protection Suites r2:
RO02398


How to determine if you are affected:
CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows:

   1. Run the ARCserve Patch Management utility. From the Windows 
      Start menu, it can be found under Programs->CA->ARCserve 
      Patch Management->Patch Status.
   2. The main patch status screen will indicate if the respective 
      patch in the table below is currently applied. If the patch 
      is not applied, the installation is vulnerable.

Product                             Patch
CA ARCserve Backup r12.0 Windows    RO01340
CA ARCserve Backup r11.5 Windows    RO02398

For more information on the ARCserve Patch Management utility, 
read document TEC446265.

Alternatively, use the file information below to determine if the 
product installation is vulnerable.

CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows,
CA ARCserve Backup r11.1 Windows:

   1. Using Windows Explorer, locate the file asdbapi.dll. By 
      default, the file is located in the 
      C:\Program Files\CA\BrightStor ARCserve Backup directory.
   2. Right click on the file and select Properties.
   3. Select the General tab.
   4. If the file timestamp is earlier than indicated in the table 
      below, the installation is vulnerable.

Product version: CA ARCserve Backup r11.1 Windows
File Name: asdbapi.dll
File Size: 856064 bytes
Timestamp: 09/05/2008 10:35:19

Product version: CA ARCserve Backup r11.5 Windows*
File Name: asdbapi.dll
File Size: 1249354 bytes
Timestamp: 09/05/2008 11:14:04

Product version: CA ARCserve Backup r12.0 Windows
File Name: asdbapi.dll
File Size: 992520 bytes
Timestamp: 08/09/2008 4:51:58

*CA Protection Suites r2 includes CA ARCserve Backup 11.5


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143
Solution Document Reference APARs:
RO01340, RO02398, RO02396
CA Security Response Blog posting:
CA ARCserve Backup Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2008/10/9.aspx
Reported By: 
CVE-2008-4397 - Haifei Li of Fortinet's FortiGuard Global Security 
   Research Team
http://www.fortiguardcenter.com/
CVE-2008-4398 - Vulnerability Research Team of Assurent Secure 
   Technologies, a TELUS Company
CVE-2008-4399 - Vulnerability Research Team of Assurent Secure 
   Technologies, a TELUS Company
http://www.assurent.com/index.php?id=17
CVE-2008-4400 - Greg Linares of eEye Digital Security
http://www.eeye.com/
CVE References:
CVE-2008-4397 - Message engine command injection

[Full-disclosure] CA Service Desk Multiple Cross-Site Scripting Vulnerabilities

2008-09-25 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA Service Desk Multiple Cross-Site Scripting 
Vulnerabilities


CA Advisory Date: 2008-09-24


Reported By:
Open Security Foundation


Impact: A remote attacker can conduct cross-site scripting attacks.


Summary: CA Service Desk contains multiple vulnerabilities that 
can allow a remote attacker to conduct cross-site scripting 
attacks. CA has issued patches to address the vulnerabilities. The 
vulnerabilities, CVE-2008-4119, are due to insecure handling of 
passed variables in multiple web forms. An attacker, who can 
convince a user to click on a specially crafted link, can 
potentially conduct cross-site scripting attacks.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a Low risk rating.


Affected Products:
CA Service Desk r11.2
CA CMDB 11.0
CA CMDB 11.1
CA CMDB 11.2


Affected Platforms:
Microsoft Windows 2003 R2
Microsoft Windows 2003 SP1
Microsoft Windows 2003 SP2
Microsoft Windows 2000 Server Family with SP4 applied (32 bit only)
Red Hat Enterprise Linux 3.0 x86
Red Hat Enterprise Linux 4.0 x86
SUSE Linux Enterprise Server 9 (SLES) x86
SUSE Linux Enterprise Server 10 SP1 (SLES) x86
Sun Solaris 9 SPARC (64 bit only)
Sun Solaris 10 SPARC (64 bit only)
HP/UX 11.11 PA-RISC (64 bit only)
HP/UX 11.23 PA-RISC (64 bit only)
HP/UX 11.31 PA-RISC (64 bit only)
AIX 5.2 (64 bit only)
AIX 5.3 (64 bit only)


Status and Recommendation:
CA CMDB 11.0 and CA CMDB 11.1 users should upgrade to CA CMDB 
11.2, which includes all of the fixes.

CA has issued the following cumulative fixes for CA Service Desk 
r11.2 to address the vulnerabilities.

Note: If you are using a version of CA Service Desk earlier than 
r11.2, you will first need to upgrade to r11.2.  For users of 
earlier versions, CA recommends upgrading to r11.2.

Windows:
CA Service Desk Crystal Report component:
QO99896
CA Service Desk Dashboard component:
QO99895
CA Service Desk Web Screen Painter component:
QO99894
CA Service Desk Web Server component:
QO99893
CA Service Desk Server component:
QO99892

AIX:
CA Service Desk Web Screen Painter component:
QO99905
CA Service Desk Web Server component:
QO99901
CA Service Desk Server component:
QO99897

HPUX:
CA Service Desk Web Screen Painter component:
QO99906
CA Service Desk Web Server component:
QO99902
CA Service Desk Server component:
QO99898

Linux:
CA Service Desk Web Screen Painter component:
QO99907
CA Service Desk Web Server component:
QO99903
CA Service Desk Server component:
QO99899

Solaris:
CA Service Desk Web Screen Painter component:
QO99908
CA Service Desk Web Server component:
QO99904
CA Service Desk Server component:
QO99900


How to determine if you are affected:
Check the Applyptf log to determine if the fix has been applied. 
Additional information, including platform-specific instructions 
and updated routine details, can be found in the appropriate 
solution document.


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA Service Desk
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=186585
Solution Document Reference APARs:
QO99896, QO99895, QO99894, QO99893, QO99892, QO99905, QO99901, 
QO99897, QO99906, QO99902, QO99898, QO99907, QO99903, QO99899,
QO99908, QO99904, QO99900
CA Security Response Blog posting:
CA Service Desk Multiple Cross-Site Scripting Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2008/09/25.aspx
Reported By: 
Open Security Foundation
http://opensecurityfoundation.org/
CVE References:
CVE-2008-4119 – CA Service Desk multiple cross-site scripting 
   issues
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4119
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Added CA CMDB solutions


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFI3ETJeSWR3+KUGYURAhw2AKCJZ//oaNtg2G1iSCb9RxQ7Ln2/egCffJjf
eQ9MojoxSfbn/JogNrCV9FM=
=EocE
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] CA Host-Based Intrusion Prevention System SDK kmxfw.sys Multiple Vulnerabilities

2008-08-12 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA Host-Based Intrusion Prevention System SDK kmxfw.sys 
Multiple Vulnerabilities


CA Advisory Date: 2008-08-11


Reported By:
CVE-2008-2926 - Tobias Klein
CVE-2008-3174 - Elazar Broad


Impact: A remote attacker can cause a denial of service or 
possibly execute arbitrary code. 


Summary: CA Host-Based Intrusion Prevention System SDK contains 
two vulnerabilities that can allow an attacker to cause a denial 
of service or possibly execute arbitrary code.  CA has issued 
updates to address the vulnerabilities. The first vulnerability, 
CVE-2008-2926, occurs due to insufficient verification of IOCTL 
requests by the kmxfw.sys driver. A local attacker can send an 
IOCTL request that can cause a system crash or potentially result 
in arbitrary code execution. The second vulnerability, 
CVE-2008-3174, occurs due to insufficient validation by the 
kmxfw.sys driver. An attacker can make a request that can cause a 
system crash.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Products:
CA Host-Based Intrusion Prevention System r8
CA Internet Security Suite 2007 (v3.2) with CA Personal Firewall 
   2007 (v9.1) Engine version 1.2.260 and below
CA Internet Security Suite 2008 (v4.0) with CA Personal Firewall 
   2008 (v10.0) Engine version 1.2.260 and below
CA Personal Firewall 2007 (v9.1) with Engine version 1.2.260 and 
   below
CA Personal Firewall 2008 (v10.0) with Engine version 1.2.260 and 
   below


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following updates to address the vulnerabilities.

CA Host-Based Intrusion Prevention System r8:
RO00535
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=searchse
archID=RO00535

CA Internet Security Suite r3, r4 and CA Personal Firewall 2007, 
2008:
Ensure the latest engine is installed by using the built-in update 
mechanism. CA Personal Firewall Engine 1.2.276 and later are not 
affected. To ensure that the latest automatic update is installed 
on your computer, customers can view the Help>About screen in 
their CA Personal Firewall product and confirm that the engine 
version number is 1.2.276 or higher. For support information, 
visit http://shop.ca.com/support.


How to determine if you are affected:
1. Using Windows Explorer, locate the file kmxfw.sys. By default, 
   the file is located in the C:\Windows\system32\drivers\ directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file version is less than indicated in the below table, 
   the installation is vulnerable.

File Name   Version    Size (bytes)   Date
kmxfw.sys   6.5.5.18   115,216        March 14, 2008


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for
CA Host-Based Intrusion Prevention System SDK
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=182496
Solution Document Reference APARs:
RO00535
CA Security Response Blog posting:
CA Host-Based Intrusion Prevention System SDK kmxfw.sys Multiple 
   Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2008/08/12.aspx
Reported By: 
Tobias Klein (CVE-2008-2926)
http://www.trapkit.de/
Elazar Broad (CVE-2008-3174)
CVE References:
CVE-2008-2926 - CA HIPS kmxfw.sys IOCTL
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2926
CVE-2008-3174 - CA HIPS kmxfw.sys denial of service
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3174
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFIodxeeSWR3+KUGYURAmXgAJ92lOOBXnvBuNpjxLVkep6bdACCnACfbaKz
QsHLtQgFurPNlxR2kbuzJTc=
=Q8aR
-END PGP SIGNATURE-
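
Added example (not part of CA's advisory): a fleet-triage sketch that applies the advisory's two thresholds, kmxfw.sys file version 6.5.5.18 and Personal Firewall engine 1.2.260 / 1.2.276, to inventory rows. The inventory rows, host names, field names and the rule for combining the two checks are assumptions made for illustration.

```python
"""Triage constructed inventory rows against the kmxfw.sys advisory thresholds."""

# Thresholds quoted from the advisory text.
FIXED_DRIVER = "6.5.5.18"      # kmxfw.sys file version; anything lower is vulnerable
LAST_BAD_ENGINE = "1.2.260"    # engine "1.2.260 and below" is affected
FIRST_GOOD_ENGINE = "1.2.276"  # engine "1.2.276 and later" is not affected


def parse_version(text):
    """Turn '6.5.5.18' (or the '6, 5, 5, 18' style) into a tuple of ints."""
    parts = text.replace(",", ".").replace(" ", "").split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a, b):
    """Return -1, 0 or 1; short versions are padded with zeros (6.5.5 == 6.5.5.0)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def driver_status(file_version):
    """Advisory step 4: a file version below 6.5.5.18 means vulnerable."""
    if not file_version:
        return "unknown"
    try:
        return "vulnerable" if compare(file_version, FIXED_DRIVER) < 0 else "patched"
    except ValueError:
        return "unknown"


def engine_status(engine_version):
    """Engine <= 1.2.260 is affected, >= 1.2.276 is not; the advisory is silent between."""
    if not engine_version:
        return "unknown"
    try:
        if compare(engine_version, LAST_BAD_ENGINE) <= 0:
            return "vulnerable"
        if compare(engine_version, FIRST_GOOD_ENGINE) >= 0:
            return "patched"
    except ValueError:
        pass
    return "unknown"


def host_verdict(row):
    """Assumed combining rule: any 'vulnerable' result wins, then any 'patched'."""
    results = {driver_status(row.get("kmxfw")), engine_status(row.get("engine"))}
    if "vulnerable" in results:
        return "vulnerable"
    if "patched" in results:
        return "patched"
    return "unknown"


def triage(inventory):
    """Map each host name to its verdict."""
    return {row["host"]: host_verdict(row) for row in inventory}


# Constructed sample inventory (not real hosts or real scan output).
INVENTORY = [
    {"host": "ws-01", "kmxfw": "6.5.5.9", "engine": None},        # string compare would miss this
    {"host": "ws-02", "kmxfw": "6.5.5.18", "engine": None},
    {"host": "ws-03", "kmxfw": "6, 5, 4, 30", "engine": "1.2.260"},
    {"host": "ws-04", "kmxfw": None, "engine": "1.2.276"},
    {"host": "ws-05", "kmxfw": None, "engine": "1.2.270"},        # between the two thresholds
    {"host": "ws-06", "kmxfw": "n/a", "engine": None},            # unreadable value
]

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host}: {verdict}")
```

The ws-01 row is the case to watch: compared as text, "6.5.5.9" sorts after "6.5.5.18", so a naive check would report that host as patched.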


[Full-disclosure] CA Products That Embed Ingres Multiple Vulnerabilities

2008-08-06 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA Products That Embed Ingres Multiple Vulnerabilities


CA Advisory Date: 2008-08-01


Reported By: iDefense Labs


Impact: A remote attacker can execute arbitrary code, gain 
privileges, or cause a denial of service condition. 


Summary: CA products that embed Ingres contain multiple 
vulnerabilities that can allow a remote attacker to execute 
arbitrary code, gain privileges, or cause a denial of service 
condition. These vulnerabilities exist in the products and on the 
platforms listed below. These vulnerabilities do not impact any 
Windows-based Ingres installation. The first vulnerability, 
CVE-2008-3356, allows an unauthenticated attacker to potentially 
set the user and/or group ownership of a verifydb log file to be 
Ingres allowing read/write permissions to both. The second 
vulnerability, CVE-2008-3357, allows an unauthenticated attacker 
to exploit a pointer overwrite vulnerability to execute arbitrary 
code within the context of the database server process. The third 
vulnerability, CVE-2008-3389, allows an unauthenticated attacker 
to obtain ingres user privileges. However, when combined with the 
unsecured directory privileges vulnerability (CVE-2008-3357), root 
privileges can be obtained.


Mitigating Factors: These vulnerabilities do not impact any 
Windows-based Ingres installation.


Severity: CA has given these vulnerabilities a High risk rating.


Affected Products:
Admin r8.1 SP2
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
CA ARCserve Backup for Unix r11.1, r11.5 GA/SP1/SP2/SP3
CA ARCserve Backup for Linux r11.1, r11.5 GA/SP1/SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
CleverPath Aion BPM r10.1, r10.2
EEM 8.1, 8.2, 8.2.1
eTrust Audit/SCC 8.0 sp2
Identity Manager r12
NSM 3.0 0305, 3.1 0403, r3.1 SP1 0703, r11
Unicenter Asset Management r11.1, r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r2.2, r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk 6.0, r11, r11.1, r11.2
Unicenter Software Delivery r11.1, r11.2
Unicenter Workload Control Center r11


Affected Platforms:
1. Ingres verifydb file create permission override (CVE-2008-3356)
   This vulnerability impacts all platforms except Windows.
2. Ingres un-secure directory privileges with utility ingvalidpw 
   (CVE-2008-3357)
   This vulnerability impacts only Linux and HP platforms.
3. Ingres verifydb, iimerge, csreport buffer overflow 
   (CVE-2008-3389)
   This vulnerability impacts only Linux and HP platforms.


Status and Recommendation:
The most prudent course of action for affected customers is to 
download and apply the corrective maintenance. However, updates 
are provided only for the following releases: 2.6 and r3

Important: Customers using products that embed an earlier version 
of Ingres r3 should upgrade Ingres to the release that is 
currently supported (3.0.3/103 on Linux and 3.0.3/211 on UNIX 
platforms) before applying the maintenance updates. Please contact 
your product's Technical Support team for more information.

For these products:
Admin r8.1 SP2
CA ARCserve Backup for Linux r11.5 SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
EEM 8.2
EEM 8.2.1
Identity Manager r12
NSM r11
Unicenter Asset Management r11.1
Unicenter Asset Management r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk r11
Unicenter ServicePlus Service Desk r11.1
Unicenter ServicePlus Service Desk r11.2
Unicenter Software Delivery r11.1
Unicenter Software Delivery r11.2
Unicenter Workload Control Center r11

Apply the update below that is listed for your platform (note that 
URLs may wrap):

AIX [3.0.3 (r64.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12833-r64-us5.tar.z

HP-UX Itanium [3.0.3 (i64.hpu/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12831-i64-hpu.tar.z

HP-UX RISC [3.0.3 (hp2.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12830-hp2-us5.tar.z

Linux AMD [3.0.3 (a64.lnx/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12835-a64-lnx.tar.z

Linux Intel 32bit [3.0.3 (int.lnx/103)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.103.12836-int-lnx.tar.z

Linux Itanium [3.0.3 (i64.lnx/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12838-i64-lnx.tar.z

Solaris SPARC [3.0.3 (su9.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12834-su9-us5.tar.z

Solaris x64/x86 [3.0.3 (a64.sol/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12832-a64-sol.tar.z

Ingres r3 Vulnerability Updates Install Steps (August 1, 2008)

Unix/Linux:
1. Log on to your system using the 

[Full-disclosure] CA ARCserve Backup for Laptops and Desktops Server LGServer Service Vulnerability

2008-08-01 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA ARCserve Backup for Laptops and Desktops Server LGServer 
Service Vulnerability


CA Advisory Date: 2008-07-31


Reported By: Vulnerability Research Team of Assurent Secure 
Technologies, a TELUS Company


Impact: A remote attacker can execute arbitrary code or cause a 
denial of service condition. 


Summary: CA ARCserve Backup for Laptops and Desktops server 
contains a vulnerability that can allow a remote attacker to 
execute arbitrary code or cause a denial of service condition. CA 
has issued updates to address the vulnerability. The vulnerability, 
CVE-2008-3175, occurs due to insufficient bounds checking by the 
LGServer service. An attacker can make a request that can result 
in arbitrary code execution or crash the service.


Mitigating Factors: Only the server installation of BrightStor 
ARCserve Backup for Laptops and Desktops is affected. The client 
installation is not affected.


Severity: CA has given this vulnerability a High risk rating.


Affected Products:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA Desktop Management Suite 11.2
CA Desktop Management Suite 11.1
CA Protection Suites r2
CA Protection Suites 3.0
CA Protection Suites 3.1


Affected Platforms:
Windows


Status and Recommendation:
CA has provided the following updates to address the vulnerability.

CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 
SP2:
Upgrade to 11.1 SP2 and apply RO00912.

CA ARCserve Backup for Laptops and Desktops 11.5:
RO00913.

CA Protection Suites 3.0:
RO00912.

CA Protection Suites 3.1:
RO00912.

CA Desktop Management Suite 11.2:
Upgrade to CA Desktop Management Suite 11.2 C1 and apply RO00913.

CA Desktop Management Suite 11.1:
RO01150.

CA ARCserve Backup for Laptops and Desktops 11.0:
Upgrade to ARCserve Backup for Laptops and Desktops version 11.1 
SP2 and apply the latest patches.
QI85497.

Note: CA Protection Suites r2 includes CA ARCserve Backup for 
Laptops and Desktops 11.0.


How to determine if you are affected:

For Windows:

1. Using Windows Explorer, locate the file rxRPC.dll. The file 
can be found in the following default locations:

   CA ARCserve Backup for Laptops and Desktops 11.5:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops and 
  Desktops\Server

   CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 
  11.1 SP2:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & 
  Desktops\server

   CA Protection Suites 3.0:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & 
  Desktops\server

   CA Protection Suites 3.1:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & 
  Desktops\server

   CA Desktop Management Suite 11.2:
   C:\Program Files\CA\Unicenter DSM\BABLD\Server

   CA Desktop Management Suite 11.1:
   C:\Program Files\CA\Unicenter DSM\BABLD\Server

2. Right click on the file and select Properties.

3. Select the General tab.

4. If the file date is earlier than indicated in the below table, 
the installation is vulnerable.

CA ARCserve Backup for Laptops and Desktops
File Name   File Size (bytes)   File Date
rxRPC.dll   131,072             June 11, 2008

CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 
SP2
File Name   File Size (bytes)   File Date
rxRPC.dll   114,688             June 11, 2008

CA Protection Suites 3.0
File Name   File Size (bytes)   File Date
rxRPC.dll   114,688             June 11, 2008

CA Protection Suites 3.1
File Name   File Size (bytes)   File Date
rxRPC.dll   114,688             June 11, 2008

CA Desktop Management Suite 11.2
File Name   File Size (bytes)   File Date
rxRPC.dll   131,072             June 11, 2008

CA Desktop Management Suite 11.1
File Name   File Size (bytes)   File Date
rxRPC.dll   122,880             June 11, 2008


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup for Laptops and Desktops 
   Server LGServer
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181721
Solution Document Reference APARs:
RO00912, RO00913, RO01150, QI85497
CA Security Response Blog posting:
CA ARCserve Backup for Laptops and Desktops Server LGServer 
   Service Vulnerability
community.ca.com/blogs/casecurityresponseblog/archive/2008/08/01.aspx
Reported By: 
Vulnerability Research Team of Assurent Secure Technologies, a 
   TELUS Company.
http://www.assurent.com/
CVE References:
CVE-2008-3175 - LGServer buffer overflow
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3175
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For 

[Full-disclosure] CA ARCserve Backup Discovery Service Denial of Service Vulnerability

2008-06-18 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA ARCserve Backup Discovery Service Denial of Service 
Vulnerability


CA Advisory Date: 2008-06-17


Reported By: Luigi Auriemma


Impact: A remote attacker can cause a denial of service.


Summary: CA ARCserve Backup contains a vulnerability in the 
Discovery service (casdscsvc) that can allow a remote attacker to 
cause a denial of service condition. CA has issued patches to 
address the vulnerability. The vulnerability, CVE-2008-1979, 
occurs due to insufficient verification of client data. An 
attacker can make a request that can crash the service.


Mitigating Factors: None


Severity: CA has given this vulnerability a Medium risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows SP3 and prior*
CA ARCserve Backup r11.1 Windows*
CA ARCserve Backup r11.1 Netware*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
   Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
   Premium Edition r2

*Formerly known as BrightStor ARCserve Backup


Non-affected Products:
CA ARCserve Backup r11.5 Windows SP4


Affected Platforms:
Windows and Netware


Status and Recommendation:
CA has issued the following patches to address the 
vulnerabilities. 
CA ARCserve Backup r12.0 Windows: QO99574
CA ARCserve Backup r11.5 Windows: QO99575
For CA ARCserve Backup r11.5 Windows, the issue can also be 
addressed by applying 11.5 SP4: QO99129
CA ARCserve Backup r11.1 Windows: QO99576
CA ARCserve Backup r11.1 Netware: QO99579
CA Protection Suites r2: QO99575


How to determine if you are affected:

CA ARCserve Backup r12.0 Windows:

1. Run the ARCserve Patch Management utility. From the Windows 
   Start menu, it can be found under Programs-CA-ARCserve Patch 
   Management-Patch Status.
2. The main patch status screen will indicate if patch “QO99574” 
   is currently applied. If the patch is not applied, the 
   installation is vulnerable.

For more information on the ARCserve Patch Management utility, 
read document TEC446265.

Alternatively, use the file information below to determine if the 
product installation is vulnerable.

CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows,
CA ARCserve Backup r11.1 Windows,
CA ARCserve Backup r11.1 Netware,
CA Protection Suites r2*:

1. Using Windows Explorer, locate the file “asbrdcst.dll”. By 
   default, the file is located in the 
   “C:\Program Files\CA\SharedComponents\ARCserve Backup\CADS” 
   directory on 32 bit systems and “C:\Program Files (x86)\CA\
   SharedComponents\ARCserve Backup\CADS” on 64 bit systems.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the below 
   table, the installation is vulnerable.

* For Protection Suites r2, use the file timestamp for CA ARCserve 
  Backup r11.5 English

Product Ver   Product Lang  File Name     File Sz  Timestamp
                                          (bytes)
12.0 Windows  English       asbrdcst.dll  324872   05/01/2008 12:11
12.0 Windows  Spanish       asbrdcst.dll  324872   05/01/2008 12:11
12.0 Windows  Port-Braz     asbrdcst.dll  320776   05/01/2008 12:11
12.0 Windows  Japanese      asbrdcst.dll  320776   05/01/2008 12:11
12.0 Windows  Italian       asbrdcst.dll  324872   05/01/2008 12:11
12.0 Windows  German        asbrdcst.dll  324872   05/01/2008 12:11
12.0 Windows  French        asbrdcst.dll  324872   05/01/2008 12:11
12.0 Windows  Trad Chinese  asbrdcst.dll  316680   05/01/2008 12:11
12.0 Windows  Simp Chinese  asbrdcst.dll  316680   05/01/2008 12:11
11.5 Windows  English       asbrdcst.dll  212992   04/22/2008 10:15:02
11.5 Windows  Japanese      asbrdcst.dll  208896   04/22/2008 14:28:52
11.5 Windows  Simp Chinese  asbrdcst.dll  204800   04/22/2008 14:30:54
11.5 Windows  Trad Chinese  asbrdcst.dll  204800   04/22/2008 14:33:28
11.5 Windows  Italian       asbrdcst.dll  212992   04/22/2008 14:31:46
11.5 Windows  Port-Braz     asbrdcst.dll  212992   04/22/2008 14:53:54
11.5 Windows  German        asbrdcst.dll  212992   04/22/2008 14:27:48
11.5 Windows  French        asbrdcst.dll  212992   04/22/2008 14:26:54
11.5 Windows  Spanish       asbrdcst.dll  212992   04/22/2008 14:32:38
11.1 Windows  English       asbrdcst.dll  204800   04/24/2008 11:21:26
11.1 Windows  Japanese      asbrdcst.dll  200704   04/24/2008 11:25:48
11.1 Windows  Simp Chinese  asbrdcst.dll  196608   04/24/2008 11:27:44
11.1 Windows  Trad Chinese  asbrdcst.dll  196608   04/24/2008 11:30:32
11.1 Windows  Italian       asbrdcst.dll  204800   04/24/2008 11:28:38
11.1 Windows  Port-Braz     asbrdcst.dll  204800   04/24/2008 11:38:52
11.1 Windows  German        asbrdcst.dll  204800   04/24/2008 11:24:38
11.1 Windows  French        asbrdcst.dll  204800   04/24/2008 11:23:38
11.1 Windows  Spanish       asbrdcst.dll  204800   04/24/2008 11:29:34
11.1 Windows  Dutch asbrdcst.dll  

[Full-disclosure] CA Secure Content Manager HTTP Gateway Service FTP Request Vulnerabilities

2008-06-04 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA Secure Content Manager HTTP Gateway Service FTP Request 
Vulnerabilities


CA Advisory Date: 2008-06-03


Reported By: Sebastian Apelt working with ZDI/TippingPoint
 Cody Pierce, TippingPoint DVLabs


Impact: A remote attacker can cause a denial of service or execute 
arbitrary code.


Summary: CA Secure Content Manager contains multiple 
vulnerabilities in the HTTP Gateway service that can allow a 
remote attacker to cause a denial of service condition or execute 
arbitrary code. CA has issued a patch to address the 
vulnerabilities. The vulnerabilities, CVE-2008-2541, occur due to 
insufficient bounds checking on certain FTP requests. An attacker 
can make a request that will cause the service to fail or allow 
the attacker to take privileged action on the system.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a maximum risk rating 
of High.


Affected Products:
CA Secure Content Manager r8


Affected Platforms:
Windows


Status and Recommendation:

CA has issued the following patch to address the vulnerabilities.

CA Secure Content Manager r8:  QO99987


How to determine if you are affected:

Windows:
1. Using a registry editor, determine if the following key exists:
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\Hidden\PatchID\80VULNHOTFIX
2. If the key does not exist, the installation is vulnerable


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA Secure Content Manager HTTP Gateway Service
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177784
Solution Document Reference APARs:
QO99987
CA Security Response Blog posting:
CA Secure Content Manager HTTP Gateway Service FTP Request 
Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/06/04.aspx
Reported By: 
Sebastian Apelt working with ZDI/TippingPoint
Cody Pierce, TippingPoint DVLabs
CA ETrust Secure Content Manager Gateway FTP LIST Stack Overflow 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-036/
CA ETrust Secure Content Manager Gateway FTP PASV Stack Overflow 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-035/
CVE References:
CVE-2008-2541 - CA Secure Content Manager multiple FTP buffer 
overflows
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2541
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a 
Vulnerability form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFIRwHDeSWR3+KUGYURAnaXAJ4pAnPHSzdRNTNnsUkYaAnTE4A3EwCeO+Xu
yWm2EZzO8Qdo3aNVgouIDcs=
=W2lY
-END PGP SIGNATURE-


[Full-disclosure] CA DSM gui_cm_ctrls ActiveX Control Vulnerability

2008-04-16 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Title: CA DSM gui_cm_ctrls ActiveX Control Vulnerability


CA Advisory Date: 2008-04-15


Reported By: Greg Linares of eEye Digital Security


Impact: A remote attacker can execute arbitrary code or cause a 
denial of service condition.


Summary: CA products that implement the DSM gui_cm_ctrls ActiveX 
control contain a vulnerability that can allow a remote attacker 
to cause a denial of service or execute arbitrary code. The 
vulnerability, CVE-2008-1786, is due to insufficient verification 
of function arguments by the gui_cm_ctrls control. An attacker can 
execute arbitrary code under the context of the user running the 
web browser.


Mitigating Factors: For BrightStor ARCserve Backup for Laptops & 
Desktops, only the server installation is affected. Client 
installations are not affected. For CA Desktop Management Suite, 
Unicenter Desktop Management Bundle, Unicenter Asset Management, 
Unicenter Software Delivery and Unicenter Remote Control, only the 
Managers and DSM Explorers are affected. Scalability Servers and 
Agents are not affected.


Severity: CA has given this vulnerability a maximum risk rating 
of High.


Affected Products:
BrightStor ARCServe Backup for Laptops and Desktops r11.5
CA Desktop Management Suite r11.2 C2
CA Desktop Management Suite r11.2 C1
CA Desktop Management Suite r11.2a
CA Desktop Management Suite r11.2
CA Desktop Management Suite r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C2
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Desktop Management Bundle r11.2a
Unicenter Desktop Management Bundle r11.2
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C2
Unicenter Asset Management r11.2 C1
Unicenter Asset Management r11.2a
Unicenter Asset Management r11.2 
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C2
Unicenter Software Delivery r11.2 C1
Unicenter Software Delivery r11.2a
Unicenter Software Delivery r11.2 
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C2
Unicenter Remote Control r11.2 C1
Unicenter Remote Control r11.2a
Unicenter Remote Control r11.2 
Unicenter Remote Control r11.1 (GA, a, C1)
CA Desktop and Server Management r11.2 C2
CA Desktop and Server Management r11.2 C1
CA Desktop and Server Management r11.2a
CA Desktop and Server Management r11.2
CA Desktop and Server Management r11.1 (GA, a, C1)


Affected Platforms:
Windows


Status and Recommendation:

CA has provided the following updates to address the 
vulnerabilities. 

BrightStor ARCserve Backup for Laptops and Desktops r11.5:
QI96333

CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1):
QO96283

CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a:
QO96286

CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2:
QO96285

CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1:
QO96284

CA Desktop Management Suite for Windows r11.2 C2,
Unicenter Desktop Management Bundle r11.2 C2,
Unicenter Asset Management r11.2 C2,
Unicenter Software Delivery r11.2 C2,
Unicenter Remote Control r11.2 C2:
QO99084

CA Desktop and Server Management r11.2 C2:
QO99080

CA Desktop and Server Management r11.2 C1:
QO96288

CA Desktop and Server Management r11.2a:
QO96290

CA Desktop and Server Management r11.2:
QO96289

CA Desktop and Server Management r11.1 (GA, a, C1):
QO96287


How to determine if you are affected:

For products on Windows:
1. Using Windows Explorer, locate the file “gui_cm_ctrls.ocx”. By 
   default, the file is in the “C:\Program Files\CA\DSM\bin\” 
   directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the list 
   below, the installation is vulnerable.

Product:
CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1),
CA Desktop and Server Management r11.1 (GA, a, C1)
File Name:
gui_cm_ctrls.ocx
File Version:
11.1.8124.2517

Product:
CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2,
CA Desktop and Server 

[Full-disclosure] CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities

2008-04-04 Thread Williams, James K

Title: CA ARCserve Backup for Laptops and Desktops Server and CA 
Desktop Management Suite Multiple Vulnerabilities

CA Advisory Date: 2008-04-03

Reported By: Dyon Balding of Secunia Research

Impact: A remote attacker can execute arbitrary code or cause a 
denial of service condition.

Summary: CA ARCserve Backup for Laptops and Desktops Server 
contains multiple vulnerabilities that can allow a remote attacker 
to execute arbitrary code or cause a denial of service condition. 
CA has issued updates to address the vulnerabilities. The first 
issue, CVE-2008-1328, occurs due to insufficient bounds checking 
on command arguments by the LGServer service. The second issue, 
CVE-2008-1329, occurs due to insufficient verification of file 
uploads by the NetBackup service. In most cases, an attacker can 
potentially gain complete control of an affected installation. 
Additionally, only a server installation of BrightStor ARCserve 
Backup for Laptops and Desktops is affected. The client 
installation is not affected.

Note: the previously published patches for CVE-2007-3216 and 
CVE-2007-5005 did not fully address some issues.

Mitigating Factors: Client installations are not affected.

Severity: CA has given these vulnerabilities a maximum risk rating 
of High.

Affected Products:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA Desktop Management Suite 11.2 English
CA Desktop Management Suite 11.2 localized
CA Desktop Management Suite 11.1

Affected Platforms:
Windows

Status and Recommendation:
CA has provided updates to address the vulnerabilities.
CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.2 
   SP2:  QO95512
CA ARCserve Backup for Laptops and Desktops 11.5:  QO95513
CA Desktop Management Suite 11.2 English:  QO95513
CA Desktop Management Suite 11.2 localized:  QO95513
CA Desktop Management Suite 11.1:  Upgrade to 11.1 C1.
CA ARCserve Backup for Laptops and Desktops 11.0:  Upgrade to 
  ARCserve Backup for Laptops and Desktops version 11.1 and apply 
  the latest patches.  QI85497

How to determine if you are affected:

For Windows:
   1. Using Windows Explorer, locate the file rxRPC.dll. The 
      file can be found in the following default locations:
      Product:  CA ARCserve Backup for Laptops and Desktops 11.5
      Directory Path:  C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Explorer
      Product:  CA ARCserve Backup for Laptops and Desktops 11.1
      Directory Path:  C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server
      Product:  CA Desktop Management Suite 11.2 English
      Directory Path:  C:\Program Files\CA\DSM\BABLD\MGUI
      Product:  CA Desktop Management Suite 11.2 localized
      Directory Path:  C:\Program Files\CA\DSM\BABLD\MGUI
   2. Right click on the files and select Properties.
   3. Select the General tab.
   4. If the file date is earlier than indicated in the below 
  table, the installation is vulnerable.

Product                                            File Name   File Date / Size
CA ARCserve Backup for Laptops and Desktops 11.5   rxRPC.dll   February 18 2008 / 126976
CA ARCserve Backup for Laptops and Desktops 11.1   rxRPC.dll   February 18 2008 / 114688
CA Desktop Management Suite 11.2 English           rxRPC.dll   February 18 2008 / 126976
CA Desktop Management Suite 11.2 localized         rxRPC.dll   February 18 2008 / 126976

Workaround: None

References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup for Laptops and Desktops 
Server and CA Desktop Management Suite
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105
Solution Document Reference APARs:
QO95512, QO95513, QI85497
CA Security Response Blog posting:
CA ARCserve Backup for Laptops and Desktops Server and CA Desktop 
Management Suite Multiple Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/04/ca-arcserve-backup-for-laptops-and-desktops-server-and-ca-desktop-management-suite-multiple-vulnerabilities.aspx
Reported By: 
Dyon Balding of Secunia Research
CVE References:
CVE-2008-1328 and CVE-2008-1329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1329
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a 
Vulnerability form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
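
The rxRPC.dll file-date check from the advisory above, scripted in PowerShell as an added example (not CA's code). The function name Test-RxRpcBuild, the size cross-check, and the reading of the two ARCserve directory names as "Laptops & Desktops" are assumptions; the paths, date and sizes are the ones in the advisory's table.

```powershell
# Added example, not vendor code. Paths, date and sizes come from the advisory;
# the "&" in the ARCserve directory names and the size cross-check are assumptions.
$FixedDate = [datetime]'2008-02-18'   # "February 18 2008" in the advisory table

$Targets = @(
    [pscustomobject]@{
        Product   = 'CA ARCserve Backup for Laptops and Desktops 11.5'
        Directory = 'C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Explorer'
        FixedSize = 126976 }
    [pscustomobject]@{
        Product   = 'CA ARCserve Backup for Laptops and Desktops 11.1'
        Directory = 'C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server'
        FixedSize = 114688 }
    [pscustomobject]@{
        Product   = 'CA Desktop Management Suite 11.2 (English or localized)'
        Directory = 'C:\Program Files\CA\DSM\BABLD\MGUI'
        FixedSize = 126976 }
)

function Test-RxRpcBuild {
    # Classifies one file from its timestamp and size. The advisory's rule is
    # "file date earlier than the table => vulnerable"; the size comparison is an
    # extra sanity check because copy/restore operations can change timestamps.
    param(
        [Parameter(Mandatory)] [datetime] $LastWriteTime,
        [Parameter(Mandatory)] [long]     $Length,
        [Parameter(Mandatory)] [long]     $FixedSize,
        [datetime] $Fixed = $FixedDate
    )
    $day = $LastWriteTime.Date
    if ($day -lt $Fixed.Date) {
        return 'VULNERABLE: file date is earlier than the fixed build'
    }
    if ($day -eq $Fixed.Date -and $Length -ne $FixedSize) {
        return 'REVIEW: date matches but size differs from the advisory table'
    }
    if ($day -gt $Fixed.Date) {
        return 'OK: file is newer than the fixed build'
    }
    return 'OK: matches the fixed build'
}

$results = foreach ($t in $Targets) {
    $path = Join-Path -Path $t.Directory -ChildPath 'rxRPC.dll'
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $status = 'not found at the default location'
    } else {
        $file   = Get-Item -LiteralPath $path
        $status = Test-RxRpcBuild -LastWriteTime $file.LastWriteTime `
                                  -Length $file.Length -FixedSize $t.FixedSize
    }
    [pscustomobject]@{ Product = $t.Product; Path = $path; Status = $status }
}
$results | Format-List

# Constructed inputs showing each verdict (not real file data):
Test-RxRpcBuild -LastWriteTime '2007-09-01' -Length 126976 -FixedSize 126976  # VULNERABLE
Test-RxRpcBuild -LastWriteTime '2008-02-18' -Length 120000 -FixedSize 126976  # REVIEW
Test-RxRpcBuild -LastWriteTime '2008-02-18' -Length 126976 -FixedSize 126976  # OK
```

Only server installations are affected, so "not found" on a client machine is the expected result.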

[Full-disclosure] CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability

2008-03-28 Thread Williams, James K

Title: CA Multiple Products DSM ListCtrl ActiveX Control Buffer 
Overflow Vulnerability

CVE: CVE-2008-1472

CA Advisory Date: 2008-03-28

Reported By: Exploit code posted at milw0rm.com

Impact: A remote attacker can cause a denial of service or execute 
arbitrary code.

Summary: CA products that implement the DSM ListCtrl ActiveX 
control are vulnerable to a buffer overflow condition that can 
allow a remote attacker to cause a denial of service or execute 
arbitrary code with the privileges of the user running the web 
browser. The vulnerability, CVE-2008-1472, is due to insufficient 
bounds checking on the ListCtrl AddColumn function.

Mitigating Factors: For BrightStor ARCserve Backup for Laptops & 
Desktops, only the server installation is affected. Client 
installations are not affected. For CA Desktop Management Suite, 
Unicenter Desktop Management Bundle, Unicenter Asset Management, 
Unicenter Software Delivery and Unicenter Remote Control, only the 
Managers and DSM Explorers are affected. Scalability Servers and 
Agents are not affected. 

Severity: CA has given this vulnerability a maximum risk rating 
of High.

Affected Products:
BrightStor ARCServe Backup for Laptops and Desktops r11.5
CA Desktop Management Suite r11.2 C1
CA Desktop Management Suite r11.2a
CA Desktop Management Suite r11.2
CA Desktop Management Suite r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Desktop Management Bundle r11.2a
Unicenter Desktop Management Bundle r11.2
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C1
Unicenter Asset Management r11.2a
Unicenter Asset Management r11.2
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C1
Unicenter Software Delivery r11.2a
Unicenter Software Delivery r11.2
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C1
Unicenter Remote Control r11.2a
Unicenter Remote Control r11.2
Unicenter Remote Control r11.1 (GA, a, C1)

Affected Platforms:
Windows

Status and Recommendation:
CA has provided the following updates to address the 
vulnerabilities.

BrightStor ARCserve Backup for Laptops and Desktops r11.5:
QO96102

CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1):
QO96088

CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a:
QO96092

CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2:
QO96091

CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1:
QO96090

How to determine if you are affected:
For products on Windows:
   1. Using Windows Explorer, locate the file ListCtrl.ocx. By 
  default, the file is in the C:\Program Files\CA\DSM\bin\ 
  directory.
   2. Right click on the file and select Properties.
   3. Select the Version tab.
   4. If the file version is earlier than indicated in the below 
  table, the installation is vulnerable.

Product:
   CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
   Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
   Unicenter Asset Management r11.1 (GA, a, C1),
   Unicenter Software Delivery r11.1 (GA, a, C1),
   Unicenter Remote Control r11.1 (GA, a, C1)
File Name: ListCtrl.ocx
File Version: 11.1.8124.0

Product:
   CA Desktop Management Suite for Windows r11.2,
   Unicenter Desktop Management Bundle r11.2,
   Unicenter Asset Management r11.2,
   Unicenter Software Delivery r11.2,
   Unicenter Remote Control r11.2   
File Name: ListCtrl.ocx 
File Version: 11.2.1000.16

Product:
   CA Desktop Management Suite for Windows r11.2a,
   Unicenter Desktop Management Bundle r11.2a,
   Unicenter Asset Management r11.2a,
   Unicenter Software Delivery r11.2a,
   Unicenter Remote Control r11.2a 
File Name: ListCtrl.ocx 
File Version: 11.2.1000.16

Product:
   CA Desktop Management Suite for Windows r11.2 C1,
   Unicenter Desktop Management Bundle r11.2 C1,
   Unicenter Asset Management r11.2 C1,
   Unicenter Software Delivery r11.2 C1,
   Unicenter Remote Control r11.2 C1,
   BrightStor ARCserve Backup for Laptops and Desktops r11.5 
File Name: ListCtrl.ocx 
File Version: 11.2.1000.16

Workaround:
As a temporary workaround solution, disable the ListCtrl ActiveX 
control in the registry by setting the kill bit on CLSID 
{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}. Disabling the control may 
prevent the GUI from functioning correctly. Refer to Microsoft KB 
article 240797 
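
The ListCtrl.ocx version check and the kill-bit workaround from the advisory above, as an added PowerShell example (not CA's code). The CLSID, default path and fixed versions are the advisory's; the registry location and the 0x400 flag are those described in Microsoft KB 240797; the function names and the mapping from the file's major.minor to a release line are assumptions.

```powershell
# Added example, not vendor code. CLSID, default path and fixed versions are from
# the advisory; registry location and 0x400 flag follow Microsoft KB 240797.
$Clsid   = '{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}'
$OcxPath = 'C:\Program Files\CA\DSM\bin\ListCtrl.ocx'
$KillBit = 0x400
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    # View used by 32-bit Internet Explorer on 64-bit Windows:
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
# Fixed builds from the advisory table. Assumption: the file's own major.minor
# identifies the release line (11.1.x = r11.1; 11.2.x = r11.2, r11.2a, r11.2 C1).
$FixedBuilds = @{ '11.1' = [version]'11.1.8124.0'; '11.2' = [version]'11.2.1000.16' }

function Get-ListCtrlPatchState {
    param([Parameter(Mandatory)] [version] $FileVersion)
    $line = '{0}.{1}' -f $FileVersion.Major, $FileVersion.Minor
    if (-not $FixedBuilds.ContainsKey($line)) {
        return "UNKNOWN: no fixed build listed for release line $line"
    }
    if ($FileVersion -lt $FixedBuilds[$line]) {
        return "VULNERABLE: $FileVersion is earlier than $($FixedBuilds[$line])"
    }
    return "PATCHED: $FileVersion is at or above $($FixedBuilds[$line])"
}

function Get-KillBitState {
    # Reports the Compatibility Flags value for the control in each registry view.
    foreach ($root in $CompatRoots) {
        $key   = "$root\$Clsid"
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $flags = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(not set)' }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    # Applies the advisory's temporary workaround. Needs an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }  # no WOW6432Node on 32-bit Windows
        $key = "$root\$Clsid"
        if (-not $PSCmdlet.ShouldProcess($key, 'set kill bit 0x400')) { continue }
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
        $old = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
        $new = [int]$old -bor $KillBit   # preserve any flags already present
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                         -PropertyType DWord -Value $new -Force | Out-Null
    }
}

# Report: patch level of the installed control, then kill-bit state per registry view.
if (Test-Path -LiteralPath $OcxPath -PathType Leaf) {
    $vi = (Get-Item -LiteralPath $OcxPath).VersionInfo
    $installed = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    Get-ListCtrlPatchState -FileVersion $installed
} else {
    "ListCtrl.ocx not found at $OcxPath"
}
Get-KillBitState | Format-List

# Constructed versions showing each verdict (not read from a real file):
Get-ListCtrlPatchState -FileVersion '11.1.8000.0'    # VULNERABLE
Get-ListCtrlPatchState -FileVersion '11.2.1000.16'   # PATCHED

# Set-KillBit -WhatIf   # preview; run elevated without -WhatIf to apply the workaround
```

As the advisory notes, setting the kill bit may prevent the GUI from functioning correctly, so treat it as a stopgap until the listed update is applied.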

[Full-disclosure] Note about recently publicized CA BrightStor ActiveX exploit code

2008-03-20 Thread Williams, James K

CA is reviewing exploit code that was posted on 2008-03-16 to the 
Milw0rm exploit archive web site.  This exploit code is 
potentially associated with vulnerabilities that may exist in CA 
BrightStor ARCserve Backup for Laptops and Desktops and/or related 
products.  CA will issue an advisory after we have completed our 
initial investigation.

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [CAID 35970]: CA Products That Embed Ingres Authentication Vulnerability

2007-12-21 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: [CAID 35970]: CA Products That Embed Ingres Authentication 
Vulnerability

CA Vuln ID (CAID): 35970

CA Advisory Date: 2007-12-19

Reported By: Ingres Corporation

Impact: Attacker can gain elevated privileges.

Summary: A potential vulnerability exists in the Ingres software 
that is embedded in various CA products. This vulnerability exists 
only on Ingres 2.5 and Ingres 2.6 on Windows, and does not 
manifest itself on any Unix platform. Ingres r3 and Ingres 2006 
are not affected.  The vulnerability, CVE-2007-6334, is associated 
with users who connect after the first user being assigned the 
privileges and identity of the first user. In all reported 
instances, the application (typically an ASP.NET application using 
the Ingres ODBC driver) was running on Microsoft IIS Web server, 
and with the Integrated Windows Authentication (IWA) option 
enabled. While IWA is not enabled by default, it is a commonly 
used option. It should be noted that the Ingres .NET data provider 
is not affected.

Mitigating Factors: The vulnerability exists only on Windows 
systems running Microsoft IIS Web server that have the Integrated 
Windows Authentication (IWA) option enabled.

Severity: CA has given this vulnerability a High risk rating.

Affected Products:
All CA products that embed Ingres 2.5 and Ingres 2.6, and also run 
Microsoft IIS Web server with the Integrated Windows 
Authentication (IWA) option enabled.

Affected Platforms:
Windows

Status and Recommendation (URLs may wrap):
Ingres has issued the following patches to address the 
vulnerabilities.
Ingres 2.6 Single-Byte patch:
ftp://ftp.ca.com/caproducts/ips/MDB/Generic_Ingres/IIS_Vulnerability/patch-2.6.0701.12467-win-x86.zip
Ingres 2.6 Double-Byte patch:
ftp://ftp.ca.com/caproducts/ips/MDB/Generic_Ingres/IIS_Vulnerability/patch-2.6.0701.12473-win-x86-DBL.zip
Ingres 2.5 Single Byte patch:
ftp://ftp.ca.com/caproducts/ips/MDB/Generic_Ingres/IIS_Vulnerability/patch-2.5.0605.12291-win-x86.zip
Potential problems installing the patches:
While testing these patches, CA identified an install issue when 
the user is presented with the option to make a backup of the 
Ingres installation. In cases where a space is in the path, the 
path is not properly read. The backup does get taken and is by 
default stored in the %II_SYSTEM%\ingres\install\backup directory. 
Additionally, if the user happens to press the Set Directory 
button, the path will be displayed. Clicking ok will result in a 
message stating ... spaces are not supported in paths... . This 
also is an error; pressing cancel will return the user to the 
first screen with the default path, and while the displayed path 
is terminated at a space, the actual path does work. To avoid this 
issue, use DOS 8.3 definitions (ex. C:\progra~1\CA\ingres).

How to determine if you are affected:
Check the %II_SYSTEM%\ingres\version.rel file to identify the 
Ingres version. If the installed version of Ingres 2.6 is a 
Double-Byte version (should have DBL referenced), please download 
the 2.6 Double-Byte patch. Otherwise, use the Single-Byte patch.

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
Important Security Notice for Customers Using Products that Embed 
Ingres on Microsoft Windows ONLY
http://supportconnectw.ca.com/public/ingres/infodocs/ingresmswin-secnot.asp
Solution Document Reference APARs:
N/A
CA Security Response Blog posting:
CA Products That Embed Ingres Authentication Vulnerability
http://community.ca.com/blogs/casecurityresponseblog/archive/2007/12/19.aspx
CA Vuln ID (CAID): 35970
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35970
Reported By: 
Ingres Corporation
http://ingres.com/support/security.php
http://ingres.com/support/security-alertDec17.php
CVE References: CVE-2007-6334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6334
OSVDB References: 39358
http://osvdb.org/39358

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a 
Vulnerability form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.


[Full-disclosure] [CAID 35724, 35725, 35726]: CA BrightStor ARCserve Backup Multiple Vulnerabilities

2007-12-06 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: [CAID 35724, 35725, 35726]: CA BrightStor ARCserve Backup 
Multiple Vulnerabilities

CA Vuln ID (CAID): 35724, 35725, 35726

CA Advisory Date: 2007-10-10
CA Advisory Updated: 2007-12-05

Reported By: 
Anonymous researcher working with the iDefense VCP (CVE-2007-5325)
Dyon Balding of Secunia Research (CVE-2007-5326)
Cocoruder of Fortinet Security Research Team (CVE-2007-5327)
Tenable Network Security (CVE-2007-5328)
Pedram Amini of DV Labs (dvlabs.tippingpoint.com) (CVE-2007-5329)
Dyon Balding of Secunia Research (CVE-2007-5330)
eEye Digital Security (CVE-2007-5331)
shirkdog (CVE-2007-5332)

Impact: A remote attacker can cause a denial of service, execute 
arbitrary code, or take privileged action.

Summary: Multiple vulnerabilities exist in BrightStor ARCserve 
Backup that can allow a remote attacker to cause a denial of 
service, execute arbitrary code, or take privileged action. The 
first set of vulnerabilities, CVE-2007-5325, CVE-2007-5326, and 
CVE-2007-5327, occur due to insufficient bounds checking by 
multiple components. The second vulnerability, CVE-2007-5328, 
occurs due to privileged functions being available for use without 
proper authorization. The third set of vulnerabilities, 
CVE-2007-5329, CVE-2007-5330, CVE-2007-5331, and CVE-2007-5332, 
are due to a memory corruption occurring with the processing of 
RPC procedure arguments by multiple services. The vulnerabilities 
allow an attacker to cause a denial of service, or potentially to 
execute arbitrary code.

Note: Updated patches are available. The original patches did not 
fully address some issues. Special thanks to Dyon Balding of 
Secunia and to Fortinet for reporting issues with the original 
patches.

Mitigating Factors:
None

Severity: CA has given these vulnerabilities a maximum risk rating 
of High.

Affected Products:
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
   Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
   Premium Edition r2

Affected Platforms:
Windows

Status and Recommendation:
CA has issued the following patches to address the 
vulnerabilities. 
BrightStor ARCserve Backup r11.5 - QO92996
BrightStor ARCserve Backup r11.1 - QO92849
BrightStor ARCserve Backup r11.0 - Upgrade to 11.1 and apply the 
   latest patches.
BrightStor Enterprise Backup r10.5 - Upgrade to 11.5 and apply the 
   latest patches.
BrightStor ARCserve Backup v9.01 - QO92848
CA Protection Suites r2: QO92996

How to determine if you are affected:
1. Using Windows Explorer, locate the file “asdbapi.dll”. By 
   default, the file is located in the 
   “C:\Program Files\CA\BrightStor ARCserve Backup” directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the table 
   below, the installation is vulnerable.

Version  File Name    Timestamp            File Size
11.5     asdbapi.dll  10/24/2007 08:43:08  1249354 bytes
11.1     asdbapi.dll  10/19/2007 17:56:00  856064 bytes
9.01     asdbapi.dll  10/19/2007 18:02:22  700416 bytes

* For Protection Suites r2, follow instructions for BrightStor 
  ARCserve Backup r11.5.

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
BrightStor ARCserve Backup Security Notice
http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
Solution Document Reference APARs:
QO92996, QO92849, QO92848, QO92996
CA Security Response Blog posting:
New patches available to address CA BrightStor ARCserve Backup 
multiple vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2007/12/05.aspx
CA Vuln ID (CAID): 35724, 35725, 35726
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35724
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35725
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35726
Reported By: 
Anonymous researcher working with the iDefense VCP (CVE-2007-5325)
http://labs.idefense.com/intelligence/vulnerabilities/

Dyon Balding of Secunia Research (CVE-2007-5326)
CA BrightStor ARCserve Backup RPC String Buffer Overflow
http://secunia.com/secunia_research/2007-49/advisory/

Cocoruder of Fortinet Security Research Team (CVE-2007-5327)
Advisory: Vulnerability Affecting CA BrightStor ARCServe BackUp
http://www.fortiguardcenter.com/advisory/FGA-2007-11.html

Tenable Network Security (CVE-2007-5328)
http://www.tenablesecurity.com/solutions/
http://www.zerodayinitiative.com/advisories/ZDI-07-069.html

Pedram Amini of DV Labs (dvlabs.tippingpoint.com) (CVE-2007-5329)
http://www.zerodayinitiative.com/advisories.html

Dyon Balding of Secunia Research (CVE-2007-5330)
CA BrightStor ARCserve 

Re: [Full-disclosure] ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Exposure Vulnerability

2007-12-01 Thread Williams, James K

> Date: Wed, 28 Nov 2007 03:32:51 +
> From: cocoruder. [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] ZDI-07-069: CA BrightStor 
>   ARCserve Backup Message Engine Insecure Method Expos
> To: full-disclosure@lists.grok.org.uk, [EMAIL PROTECTED]
>
> it is so amazing that the vendor's advisory has been released 
> more than one month ago, (see my advisory of a similar vul at 
> http://ruder.cdut.net/blogview.asp?logID=221), and another thing 
> is that I have tested my reported vul again after CA's patch 
> released one month ago, but in fact they have not fixed it!! I 
> report it again to CA but there is no response, I guess CA is 
> making an international joke with us:), or because this product 
> is so bad that they will not support it any more?  
> welcome to my blog:http://ruder.cdut.net

cocoruder,

We have not received any email from [EMAIL PROTECTED], but we did 
receive an email about this issue from [EMAIL PROTECTED] on 
2007-10-15.  We responded to that email on 2007-10-15.

FYI, we are currently wrapping up QA on new patches, and we have 
contacted [EMAIL PROTECTED] with details.

Regards,
Ken
   
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research



[Full-disclosure] [CAID 35754]: CA Host-Based Intrusion Prevention System (CA HIPS) Server Vulnerability

2007-10-19 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: [CAID 35754]: CA Host-Based Intrusion Prevention System 
(CA HIPS) Server Vulnerability

CA Vuln ID (CAID): 35754

CA Advisory Date: 2007-10-18

Reported By: David Maciejak

Impact: A remote attacker can take unauthorized administrative 
action.

Summary: CA Host-Based Intrusion Prevention System (CA HIPS) 
contains a vulnerability in the Server installation that can allow 
a remote attacker to take unauthorized administrative action. The 
vulnerability, CVE-2007-5472, occurs due to raw request data being 
displayed in the log when viewed by a browser. Note: The client 
installation is not vulnerable.

Mitigating Factors: The client installation is not vulnerable.

Severity: CA has given these vulnerabilities a maximum risk rating 
of Medium.

Affected Products:
CA Host-Based Intrusion Prevention System (CA HIPS) r8

Affected Platforms:
Windows

Status and Recommendation:
CA has issued the following patch to address the vulnerabilities.
CA Host-Based Intrusion Prevention System (CA HIPS) r8: QO91494

How to determine if you are affected:
1. Log in to the HIPS Administration Console.
2. Scroll down to the end of the Main page.
3. Press the About link on the right bottom side of the page.
4. Check the version. If the version is less than 8.0.0.93, the 
   installation is vulnerable.

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
Security Notice for CA Host-Based Intrusion Prevention System 
(CA HIPS) Server
http://supportconnectw.ca.com/public/cahips/infodocs/cahips-secnotice.asp
Solution Document Reference APARs:
QO91494
CA Security Advisor posting:
CA Host-Based Intrusion Prevention System (CA HIPS) Server 
Vulnerability
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=158327
CA Vuln ID (CAID): 35754
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35754
Reported By: 
David Maciejak
CVE References:
CVE-2007-5472 - log content injection
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5472
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a 
Vulnerability form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research



[Full-disclosure] [CAID 35724, 35725, 35726]: CA BrightStor ARCserve Backup Multiple Vulnerabilities

2007-10-11 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: [CAID 35724, 35725, 35726]: CA BrightStor ARCserve Backup 
Multiple Vulnerabilities

CA Vuln ID (CAID): 35724, 35725, 35726

CA Advisory Date: 2007-10-10

Reported By: 
Anonymous researcher working with the iDefense VCP (CVE-2007-5325)
Dyon Balding of Secunia Research (CVE-2007-5326)
Cocoruder of Fortinet Security Research Team (CVE-2007-5327)
Tenable Network Security (CVE-2007-5328)
Pedram Amini of DV Labs (dvlabs.tippingpoint.com) (CVE-2007-5329)
Dyon Balding of Secunia Research (CVE-2007-5330)
eEye Digital Security (CVE-2007-5331)
shirkdog (CVE-2007-5332)

Impact: A remote attacker can cause a denial of service, execute 
arbitrary code, or take privileged action.

Summary: Multiple vulnerabilities exist in BrightStor ARCserve 
Backup that can allow a remote attacker to cause a denial of 
service, execute arbitrary code, or take privileged action. The 
first set of vulnerabilities, CVE-2007-5325, CVE-2007-5326, and 
CVE-2007-5327, occur due to insufficient bounds checking by 
multiple components. The second vulnerability, CVE-2007-5328, 
occurs due to privileged functions being available for use without 
proper authorization. The third set of vulnerabilities, 
CVE-2007-5329, CVE-2007-5330, CVE-2007-5331, and CVE-2007-5332, 
are due to a memory corruption occurring with the processing of 
RPC procedure arguments by multiple services. The vulnerabilities 
allow an attacker to cause a denial of service, or potentially to 
execute arbitrary code.

Mitigating Factors:
None

Severity: CA has given these vulnerabilities a maximum risk rating 
of High.

Affected Products:
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
   Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
   Premium Edition r2

Affected Platforms:
Windows

Status and Recommendation:
CA has issued the following patches to address the 
vulnerabilities. 
BrightStor ARCserve Backup r11.5 - QO91094
BrightStor ARCserve Backup r11.1 - QO91097
BrightStor ARCserve Backup r11.0 - Upgrade to 11.1 and apply the 
   latest patches.
BrightStor Enterprise Backup r10.5 - Upgrade to 11.5 and apply the 
   latest patches.
BrightStor ARCserve Backup v9.01 - QO91098
CA Protection Suites r2 - QO91094

How to determine if you are affected:
1. Using Windows Explorer, locate the file “mediasvr.exe”. By 
   default, the file is located in the 
   “C:\Program Files\CA\BrightStor ARCserve Backup” directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the table 
   below, the installation is vulnerable.

Version  File Name     Timestamp            File Size
11.5     mediasvr.exe  06/28/2007 15:16:20  110592 bytes
11.1     mediasvr.exe  07/02/2007 10:39:50  106496 bytes
9.01     mediasvr.exe  07/02/2007 13:57:50  98304 bytes

* For Protection Suites r2, follow instructions for BrightStor 
  ARCserve Backup r11.5.

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
BrightStor ARCserve Backup Security Notice
http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
Solution Document Reference APARs:
QO91094,  QO91097, QO91098, QO91094
CA Security Advisor posting:
CA BrightStor ARCserve Backup Multiple Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=XX
CA Vuln ID (CAID): 35724, 35725, 35726
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35724
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35725
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35726
Reported By: 
Anonymous researcher working with the iDefense VCP (CVE-2007-5325)
http://labs.idefense.com/intelligence/vulnerabilities/

Dyon Balding of Secunia Research (CVE-2007-5326)
CA BrightStor ARCserve Backup RPC String Buffer Overflow
http://secunia.com/secunia_research/2007-49/advisory/

Cocoruder of Fortinet Security Research Team (CVE-2007-5327)
Advisory: Vulnerability Affecting CA BrightStor ARCServe BackUp
http://www.fortiguardcenter.com/advisory/FGA-2007-11.html

Tenable Network Security (CVE-2007-5328)
http://www.tenablesecurity.com/solutions/

Pedram Amini of DV Labs (dvlabs.tippingpoint.com) (CVE-2007-5329)
http://www.zerodayinitiative.com/advisories.html

Dyon Balding of Secunia Research (CVE-2007-5330)
CA BrightStor ARCserve Backup RPC Argument Parsing Vulnerabilities
http://secunia.com/secunia_research/2007-62/advisory/

eEye Digital Security (CVE-2007-5331)
http://research.eeye.com/html/advisories/published/
http://research.eeye.com/html/advisories/upcoming/20070618.html

shirkdog (CVE-2007-5332)
Shirkdog Security Advisory SHK-005 - Computer 

[Full-disclosure] [CAID 35690, 35691, 35692]: CA BrightStor Hierarchical Storage Manager CsAgent Multiple Vulnerabilities

2007-09-26 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: [CAID 35690, 35691, 35692]: CA BrightStor Hierarchical 
Storage Manager CsAgent Multiple Vulnerabilities

CA Vuln ID (CAID): 35690, 35691, 35692

CA Advisory Date: 2007-09-26

Reported By: Sean Larsson, iDefense Labs
 anonymous researcher working with the iDefense VCP
 Aaron Portnoy of DV Labs (dvlabs.tippingpoint.com)

Impact: A remote attacker can execute arbitrary code or cause a 
denial of service condition.

Summary: Multiple vulnerabilities exist in the CsAgent service 
that can allow a remote attacker to execute arbitrary code or 
cause a denial of service condition. The first set of 
vulnerabilities, CVE-2007-5082, occur due to insufficient bounds 
checking in multiple CsAgent service commands. The second set of 
vulnerabilities, CVE-2007-5083, occur due to insufficient 
validation of integer values in multiple CsAgent service commands, 
which can lead to buffer overflow. The third set of 
vulnerabilities, CVE-2007-5084, occur due to insufficient 
validation of strings used in SQL statements in multiple CsAgent 
service commands.

Mitigating Factors:
None

Severity: CA has given these vulnerabilities a maximum risk rating 
of High.

Affected Products:
CA BrightStor Hierarchical Storage Manager r11.5

Affected Platforms:
Windows

Status and Recommendation:
CA has provided an update to address the vulnerabilities. Upgrade 
to BrightStor Hierarchical Storage Manager r11.6.
BrightStor Hierarchical Storage Manager r11.6:
http://supportconnectw.ca.com/premium/bstorhsm/downloads/BHSMr11_6.zip

How to determine if you are affected:
Run the BrightStor HSM Administrator GUI and open Help-About from 
the toolbar to view the version. If the version is less than 11.6, 
the installation is vulnerable.

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA BrightStor Hierarchical Storage Manager CsAgent Security Notice
http://supportconnectw.ca.com/public/bstorhsm/infodocs/bstorhsm-secnot.asp
Solution Document Reference APARs:
n/a
CA Security Advisor posting:
CA BrightStor Hierarchical Storage Manager CsAgent Multiple 
Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=156444
CA Vuln ID (CAID): 35690, 35691, 35692
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35690
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35691
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35692
Reported By: Sean Larsson, iDefense Labs; an anonymous researcher 
working with the iDefense VCP; Aaron Portnoy of DV Labs 
(dvlabs.tippingpoint.com)
iDefense advisory:
http://labs.idefense.com/intelligence/vulnerabilities/
ZDI advisory:
http://www.zerodayinitiative.com/advisories.html
CVE References:
CVE-2007-5082, CVE-2007-5083, CVE-2007-5084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5084
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a 
Vulnerability form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities

2007-07-26 Thread Williams, James K


 -Original Message-
 From: Williams, James K 
 Sent: Tuesday, July 24, 2007 7:56 PM
 To: 'full-disclosure@lists.grok.org.uk'
 Subject: [CAID 35525, 35526]: CA Products Arclib Library 
 Denial of Service Vulnerabilities
 
 Title: [CAID 35525, 35526]: CA Products Arclib Library Denial of 
 Service Vulnerabilities
[...] 
 CVE References:
 CVE-2006-5645, CVE-2007-3875
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5645
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3875
[...]

FYI - one of the CVE links above is incorrect.  The correct URL is: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5645

Regards,
Ken
   
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


[Full-disclosure] [CAID 35527]: CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability

2007-07-24 Thread Williams, James K

Title: [CAID 35527]: CA Message Queuing (CAM / CAFT) Buffer
Overflow Vulnerability

CA Vuln ID (CAID): 35527

CA Advisory Date: 2007-07-24

Reported By: Paul Mehta of ISS X-Force

Impact: A remote attacker can execute arbitrary code.

Summary: Multiple CA products that utilize CA Message Queuing 
(CAM / CAFT) software contain a buffer overflow vulnerability. The 
vulnerability, CVE-2007-0060, is a buffer overflow that can allow 
a remote attacker to execute arbitrary code by sending a specially 
crafted message to TCP port 3104.

Mitigating Factors: None

Severity: CA has given this vulnerability a High risk rating.

Affected Versions of CA Message Queuing (CAM / CAFT):
This vulnerability affects all versions of the CA Message Queuing 
software prior to v1.11 Build 54_4 on the specified platforms.  
i.e. CAM versions 1.04, 1.05, 1.06, 1.07, 1.10 (prior to Build 
54_4) and 1.11 (prior to Build 54_4).

Affected Products:
Advantage Data Transport 3.0
BrightStor SAN Manager 11.1, 11.5
BrightStor Portal 11.1
CleverPath OLAP 5.1
CleverPath ECM 3.5
CleverPath Predictive Analysis Server 2.0, 3.0
CleverPath Aion 10.0
eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1
Unicenter Application Performance Monitor 3.0, 3.5
Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 
   4.0 SP1
Unicenter Data Transport Option 2.0
Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2
Unicenter Jasmine 3.0
Unicenter Management for WebSphere MQ 3.5
Unicenter Management for Microsoft Exchange 4.0, 4.1
Unicenter Management for Lotus Notes/Domino 4.0
Unicenter Management for Web Servers 5, 5.0.1
Unicenter NSM 3.0, 3.1
Unicenter NSM Wireless Network Management Option 3.0
Unicenter Remote Control 6.0, 6.0 SP1
Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5
Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 
   4.0 SP1
Unicenter TNG 2.1, 2.2, 2.4, 2.4.2
Unicenter TNG JPN 2.2

Affected Platforms:
Windows and NetWare

Platforms NOT affected:
AIX, AS/400, DG Intel, DG Motorola, DYNIX, HP-UX, IRIX, 
Linux Intel, Linux s/390, MVS, Open VMS, OS/2, OSF1, 
Solaris Intel, Solaris Sparc and UnixWare.

Status and Recommendation:
CA has made patches available for all affected products.  These 
patches are independent of the CA Software that installed CAM.  
Simply select the patch appropriate to the platform, and the 
installed version of CAM, and follow the patch application 
instructions.  You should also review the product home pages on 
SupportConnect for any additional product specific instructions.

Solutions for CAM:
Platform Solution
Windows  QO89945
NetWare  QO89943

How to determine if you are affected:

Determining CAM versions:
Simply running camstat will return the version information in the 
top line of the output on any platform.  The camstat command is 
located in the bin subfolder of the installation directory. 

The example below indicates that CAM version 1.11 build 27 
increment 2 is running.

   E:\camstat
   CAM – machine.ca.com  Version 1.11 (Build 27_2) up 0 days 1:16

Determining the CAM install directory:

Windows: The install location is specified by the %CAI_MSQ% 
   environment variable.
Unix/Linux/Mac: The /etc/catngcampath text file holds the CAM 
   install location.

Workaround:
The affected listening port can be disabled by creating or 
updating CAM's configuration file, CAM.CFG, with the following 
entry under the *CONFIG section:

   *CONFIG
   cas_port=0

The CA Messaging Server must be recycled in order for this to take 
effect.  We advise that products dependent upon CAM should be shut 
down prior to recycling CAM.  Once dependent products have been shut 
down, CAM can be recycled with the following commands:

   On Windows:
      camclose
      cam start

   On NetWare:
      load camclose
      load cam start

Once CAM has been restarted, any CAM dependent products that were 
shut down can be restarted.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
Security Notice for CA Message Queuing (CAM / CAFT) vulnerability
http://supportconnectw.ca.com/public/dto_transportit/infodocs/camsgquevul-secnot.asp
Solution Document Reference APARs:
QO89945, QO89943
CA Security Advisor posting: 
CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149809
CA Vuln ID (CAID): 35527
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35527
Reported By: Paul Mehta of ISS X-Force
ISS X-Force advisory:
Computer Associates (CA) Message Queuing buffer overflow
http://iss.net/threats/272.html
http://xforce.iss.net/xforce/xfdb/32234
CVE References:
CVE-2007-0060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0060
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical 
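
The version check and the cas_port workaround described in the advisory above can be combined into one triage step. The following is an added example, not part of the advisory or of CA's tooling: it parses the camstat banner, applies the "prior to v1.11 Build 54_4" rule, and looks for cas_port=0 under *CONFIG. The CAM.CFG samples are constructed, and the assumptions that a line starting with "*" opens a section and that the last cas_port entry wins are the example's own.

```python
import re

# Fixed level named in the advisory: v1.11 Build 54_4.
FIXED_VERSION = (1, 11)
FIXED_BUILD = (54, 4)
# The advisory qualifies 1.10 and 1.11 with "prior to Build 54_4".
BUILD_GATED_VERSIONS = {(1, 10), (1, 11)}

BANNER_RE = re.compile(
    r"Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)_(\d+)\)", re.IGNORECASE
)

# Banner line as shown in the advisory.
BANNER_FROM_ADVISORY = (
    "CAM \u2013 machine.ca.com  Version 1.11 (Build 27_2) up 0 days 1:16"
)
# Constructed CAM.CFG contents ("*OTHER" is a made-up section name).
CFG_WORKAROUND = "*CONFIG\ncas_port=0\n"
CFG_WRONG_SECTION = "*OTHER\ncas_port=0\n"


def parse_camstat_banner(line):
    """Return ((major, minor), (build, increment)) from camstat's top line."""
    match = BANNER_RE.search(line)
    if not match:
        raise ValueError("no CAM version found in: %r" % line)
    major, minor, build, increment = (int(g) for g in match.groups())
    return (major, minor), (build, increment)


def is_vulnerable(version, build):
    """Apply the advisory's rule: everything prior to v1.11 Build 54_4."""
    if version in BUILD_GATED_VERSIONS:
        return build < FIXED_BUILD
    # 1.04 through 1.07 are affected whatever their build number.
    return version < FIXED_VERSION


def cas_port_disabled(cfg_text):
    """True when the *CONFIG section contains cas_port=0."""
    section = None
    disabled = False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("*"):          # assumption: "*NAME" opens a section
            section = line.upper()
            continue
        if section != "*CONFIG" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "cas_port":
            disabled = value.strip() == "0"   # assumption: last entry wins
    return disabled


def triage(banner, cfg_text=None):
    """Classify one host from its camstat banner and optional CAM.CFG text."""
    version, build = parse_camstat_banner(banner)
    if not is_vulnerable(version, build):
        return "fixed"
    if cfg_text is not None and cas_port_disabled(cfg_text):
        return "vulnerable, workaround configured"
    return "vulnerable, port enabled"


if __name__ == "__main__":
    print(triage(BANNER_FROM_ADVISORY))
    print(triage(BANNER_FROM_ADVISORY, CFG_WORKAROUND))
```

A "workaround configured" result only reflects the file on disk; per the advisory the setting takes effect once CAM has been recycled.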

[Full-disclosure] [CAID 35524]: CA eTrust Intrusion Detection caller.dll Vulnerability

2007-07-24 Thread Williams, James K

Title: [CAID 35524]: eTrust Intrusion Detection caller.dll 
Vulnerability

CA Vuln ID (CAID): 35524

CA Advisory Date: 2007-07-24

Reported By: Sebastian Apelt working with the iDefense VCP

Impact: A remote attacker can execute arbitrary code.

Summary: CA eTrust Intrusion Detection contains a vulnerability 
associated with the caller.dll ActiveX control. The vulnerability, 
CVE-2007-3302, is due to the caller.dll ActiveX control being 
marked safe for scripting. An attacker, who can lure a user into 
visiting a malicious website, can potentially gain complete 
control of an affected installation. 

Mitigating Factors:
1) Attack can only be executed if victim is using a web browser.
2) Attacker must trick victim into visiting a malicious web page.
3) Malicious code will be executed with privileges of currently 
   logged in user.

Severity: CA has given this vulnerability a High risk rating.

Affected Products:
eTrust Intrusion Detection 3.0
eTrust Intrusion Detection 3.0 SP1

Affected Platforms:
Windows

Status and Recommendation:
CA has provided updates to address the vulnerabilities. 

eTrust Intrusion Detection 3.0 - apply QO89893

eTrust Intrusion Detection 3.0 SP1 - apply QO89881

How to determine if you are affected:
For Windows:
1. Using Windows Explorer, locate the file “caller.dll”. By 
   default, the file is located in the 
   “C:\Program Files\CA\eTrust Intrusion Detection\Common” 
   directory.
2. Right click on the file and select Properties.
3. For eTrust Intrusion Detection 3.0 SP1, select the Version tab, 
   or, for eTrust Intrusion Detection 3.0, select the General tab.
4. If the file version or date is earlier than indicated in the 
   table below, the installation is vulnerable.

File        Release  File Version  File Date, Size
caller.dll  3.0      NA            7/13/2007, 32768 bytes
caller.dll  3.0 SP1  3.0.5.81      NA

Workaround:
As a workaround solution, set the kill bit on the caller.dll 
ActiveX control.

Note: Before proceeding, review the following Microsoft knowledge 
base article on disabling ActiveX controls:
http://support.microsoft.com/kb/240797

1. Using the registry editor, navigate to HKEY_LOCAL_MACHINE\
   SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
   {41266C21-18D8-414B-88C0-8DCA6C25CEA0}. If the key does not 
   exist, create it.
2. Create a DWORD value named Compatibility Flags with a value 
   data of 0x0400.
3. Restart Internet Explorer.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
Security Notice for eTrust Intrusion Detection caller.dll 
Vulnerability
http://supportconnectw.ca.com/public/etrust/etrust_intrusion/infodocs/eid-callervilnsecnot.asp
Solution Document Reference APARs:
QO89893, QO89881
CA Security Advisor posting: 
CA eTrust Intrusion Detection caller.dll vulnerability
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149811
CA Vuln ID (CAID): 35524
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35524
Reported By: Sebastian Apelt working with the iDefense VCP
iDefense advisory: 
Computer Associates eTrust Intrusion Detection CallCode ActiveX 
Control Code Execution Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=568
CVE References:
CVE-2007-3302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3302
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a 
Vulnerability form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
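
Whether the kill-bit workaround from the advisory above is actually in place can be checked from a registry export. The following is an added example, not part of the advisory or of CA's tooling: it parses a .reg export and reports whether bit 0x0400 is set in "Compatibility Flags" for the CLSID the advisory names. The sample exports and the all-zero CLSID are constructed.

```python
import re

CLSID = "{41266C21-18D8-414B-88C0-8DCA6C25CEA0}"   # from the advisory
KEY_PATH = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    "\\ActiveX Compatibility\\" + CLSID
)
VALUE_NAME = "Compatibility Flags"
KILL_BIT = 0x0400

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{1,8})$')


def decode_reg_export(data):
    """regedit 5.00 exports are UTF-16 with a BOM; REGEDIT4 files are ANSI."""
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def read_dwords(reg_text):
    """Map lower-cased key path -> {lower-cased value name: int}."""
    keys = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        match = KEY_RE.match(line)
        if match:
            path = match.group(1)
            if path.startswith("-"):      # "[-KEY]" marks a key for deletion
                current = None
            else:
                current = keys.setdefault(path.lower(), {})
            continue
        match = DWORD_RE.match(line)
        if match and current is not None:
            current[match.group(1).lower()] = int(match.group(2), 16)
    return keys


def kill_bit_status(reg_text):
    """Report the state of the advisory's workaround in one export."""
    values = read_dwords(reg_text).get(KEY_PATH.lower())
    if values is None:
        return "key missing"
    flags = values.get(VALUE_NAME.lower())
    if flags is None:
        return "flags value missing"
    # Other compatibility bits may be set as well; only 0x0400 matters here.
    return "kill bit set" if flags & KILL_BIT else "kill bit not set"


def _sample(key_path, value_line):
    """Build a constructed export with regedit's CRLF line endings."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % key_path]
    if value_line:
        lines.append(value_line)
    return "\r\n".join(lines) + "\r\n"


# Constructed sample exports.
SAMPLE_SET = _sample(KEY_PATH, '"Compatibility Flags"=dword:00000400')
SAMPLE_OTHER_FLAG = _sample(KEY_PATH, '"Compatibility Flags"=dword:00000020')
SAMPLE_NO_VALUE = _sample(KEY_PATH, "")
SAMPLE_NO_KEY = _sample(
    KEY_PATH.replace(CLSID, "{00000000-0000-0000-0000-000000000000}"),
    '"Compatibility Flags"=dword:00000400',
)

if __name__ == "__main__":
    for name in ("SAMPLE_SET", "SAMPLE_OTHER_FLAG", "SAMPLE_NO_VALUE", "SAMPLE_NO_KEY"):
        print(name, "->", kill_bit_status(globals()[name]))
```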


[Full-disclosure] [CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities

2007-07-24 Thread Williams, James K

Title: [CAID 35525, 35526]: CA Products Arclib Library Denial of 
Service Vulnerabilities

CA Vuln ID (CAID): 35525, 35526

CA Advisory Date: 2007-07-24

Reported By:
CVE-2006-5645 - Titon of BastardLabs and Damian Put 
   pucik at overflow dot pl working with the iDefense VCP.
CVE-2007-3875 - An anonymous researcher working with the iDefense 
   VCP.
Sergio Alvarez of n.runs AG also reported these issues.

Impact: A remote attacker can cause a denial of service.

Summary: CA products that utilize the Arclib library contain two 
denial of service vulnerabilities. The first vulnerability, 
CVE-2007-3875, is due to an application hang when processing a 
specially malformed CHM file. The second vulnerability, 
CVE-2006-5645, is due to an application hang when processing a 
specially malformed RAR file.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Medium risk rating.

Affected Products:
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.0, 
   7.1, r8, r8.1
CA Anti-Virus 2007 (v8)
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3)
eTrust Internet Security Suite r1, r2
eTrust EZ Armor r1, r2, r3.x
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) r8
CA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus 
   Gateway) 7.1
CA Protection Suites r2, r3
CA Secure Content Manager (formerly eTrust Secure Content Manager) 
   1.1, 8.0
CA Anti-Spyware for the Enterprise (Formerly eTrust PestPatrol) 
   r8, 8.1
CA Anti-Spyware 2007
Unicenter Network and Systems Management (NSM) r3.0, r3.1, r11, 
   r11.1
BrightStor ARCserve Backup v9.01, r11 for Windows, r11.1, r11.5
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Client agent for Windows
eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1
CA Common Services (CCS) r11, r11.1
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

Status and Recommendation:
CA has provided an update to address the vulnerabilities. The 
updated Arclib library is provided in automatic content updates 
with most products. Ensure that the latest content update is 
installed. In the case where automatic updates are not available, 
use the following product specific instructions.

CA Secure Content Manager 1.1:
Apply QO89469.

CA Secure Content Manager 8.0:
Apply QO87114.

Unicenter Network and Systems Management (NSM) r3.0:
Apply QO89141.

Unicenter Network and Systems Management (NSM) r3.1:
Apply QO89139.

Unicenter Network and Systems Management (NSM) r11:
Apply QO89140.

Unicenter Network and Systems Management (NSM) r11.1:
Apply QO89138.

CA Common Services (CCS) r11:
Apply QO89140.

CA Common Services (CCS) r11.1:
Apply QO89138.

CA Anti-Virus Gateway 7.1:
Apply QO89381. 

eTrust Intrusion Detection 2.0 SP1:
Apply QO89474.

eTrust Intrusion Detection 3.0:
Apply QO86925.

eTrust Intrusion Detection 3.0 SP1:
Apply QO86923.

CA Protection Suites r2:
Apply updates for CA Anti-Virus 7.1.

BrightStor ARCserve Backup and BrightStor ARCserve Client agent 
for Windows:

Manually replace the arclib.dll file with the one provided in the 
CA Anti-Virus 7.1 fix set.

1. Locate and rename the existing arclib.dll file.
2. Download the CA Anti-Virus 7.1 patch that matches the host 
   operating system.
3. Unpack the patch and place the arclib.dll file in the directory 
   where the existing arclib.dll file was found in step 1.
4. Reboot the host.

CA Anti-Virus 7.1 (non Windows):

T229327 – Solaris – QO86831
T229328 – Netware – QO86832
T229329 – MacPPC – QO86833
T229330 – MacIntel – QO86834
T229331 – Linux390 – QO86835
T229332 – Linux – QO86836
T229333 – HP-UX – QO86837

CA Anti-Virus 7.1 (Windows):

T229337 – NT (32 bit) – QO86843
T229338 – NT (AMD64) – QO86846

CA Threat Manager for the Enterprise r8.1 (non Windows):

T229334 – Linux – QO86839 
T229335 – Mac – QO86828
T229336 – Solaris – QO86829

How to determine if you are affected:
For products on Windows:
1. Using Windows Explorer, locate the file “arclib.dll”. By 
   default, the file is located in the 
   “C:\Program Files\CA\SharedComponents\ScanEngine” directory(*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the table 
   below, the installation is vulnerable.

File Name    File Version
arclib.dll   7.3.0.9

*For eTrust Intrusion Detection 2.0 the file is located in 
“Program Files\eTrust\Intrusion Detection\Common”, and for eTrust 
Intrusion Detection 3.0 and 3.0 sp1, the file is located in 
“Program Files\CA\Intrusion Detection\Common”.

For CA Anti-Virus r8.1 on non-Windows:
Use the compver utility provided on the CD to determine the 
version of arclib.dll. The same version information above applies.

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
Security Notice for CA Products Containing Arclib

[Full-disclosure] [CAID 35515]: CA Products Alert Service RPC Procedure Buffer Overflow Vulnerabilities

2007-07-19 Thread Williams, James K

Title: [CAID 35515]: CA Products Alert Service RPC Procedure 
Buffer Overflow Vulnerabilities

CA Vuln ID (CAID): 35515

CA Advisory Date: 2007-07-17

Reported By: Anonymous researcher working with the iDefense VCP

Impact: Remote attacker can cause a denial of service or execute 
arbitrary code.

Summary: Multiple CA products that utilize Alert service 
functionality contain multiple vulnerabilities. The 
vulnerabilities, CVE-2007-3825, are due to insufficient bounds 
checking on received data by certain RPC procedures. An attacker 
can exploit these buffer overflows to execute arbitrary code or 
cause service failure. 

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) r8
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Protection Suites r3
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
BrightStor ARCserve Client agent for Windows

Affected Platforms:
Microsoft Windows

Status and Recommendation:
CA recommends that customers apply the update to address the 
vulnerabilities. The updated Alert service must be manually 
installed. For all affected products, apply QO89817. 
http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp

How to determine if you are affected:
1. Using Windows Explorer, locate the file alert.exe. By 
   default, the file is located in the 
   C:\Program Files\CA\SharedComponents\Alert directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the alert.exe file version is less than 8.0.255.0, the 
   installation is vulnerable.

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
Security Notice for CA products running the Alert service
http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp
Solution Document Reference APARs:
QO89817
CA Security Advisor posting: 
CA Products Alert Service RPC Procedures Buffer Overflow 
Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149081
CA Vuln ID (CAID): 35515
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35515
Reported By: iDefense
iDefense Advisory: 
Computer Associates Alert Notification Server Multiple Buffer 
Overflow Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=561
CVE References:
CVE-2007-3825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3825
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a 
Vulnerability form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research



[Full-disclosure] [CAID 35450, 35451, 35452, 35453]: CA Products That Embed Ingres Multiple Vulnerabilities

2007-06-22 Thread Williams, James K

Title: [CAID 35450, 35451, 35452, 35453]: CA Products That Embed 
Ingres Multiple Vulnerabilities

CA Vuln ID (CAID): 35450, 35451, 35452, 35453

CA Advisory Date: 2007-06-21

Reported By: NGSSoftware, and iDefense

Impact: Attackers can potentially execute arbitrary code, or 
overwrite files.

Summary: Various CA products that embed Ingres products contain 
multiple vulnerabilities that can allow an attacker to potentially 
execute arbitrary code. CA has issued fixes, to address all of 
these vulnerabilities, for all supported CA products that may be 
affected.

1) Ingres controllable pointer overwrite vulnerability (reported 
by NGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450]
Description: An unauthenticated attacker can potentially execute 
arbitrary code within the context of the database server.

2) Ingres remote unauthenticated pointer overwrite #2 (reported by 
NGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450]
Description: An unauthenticated attacker can exploit a pointer 
overwrite vulnerability to execute arbitrary code within the 
context of the database server.

3) Ingres wakeup file overwrite (reported by NGSSoftware) 
[Ingres bug 115913, CVE-2007-3337, CAID 35451]
Description: The wakeup binary creates a file named 
alarmwkp.def in the current directory, truncating the file if it 
already exists. The wakeup binary is setuid ingres and 
world-executable. Consequently, an attacker can truncate a file 
with the privileges of the ingres user.

4) Ingres uuid_from_char stack overflow (reported by NGSSoftware) 
[Ingres bug 115911, CVE-2007-3338, CAID 35452]
Description: An attacker can pass a long string as an argument to 
uuid_from_char() to cause a stack buffer overflow and the saved 
return address can be overwritten.

5) Ingres verifydb local stack overflow (reported by NGSSoftware) 
[Ingres bug 115911, CVE-2007-3338, CAID 35452]
Description: A local attacker can exploit a stack overflow in the 
Ingres verifydb utility duve_get_args function.

6) Communication server heap corruption (reported by iDefense) 
[Ingres bug 117523, CVE-2007-3334, CAID 35453]
Description: An attacker can execute arbitrary code within the 
context of the communications server (iigcc.exe). This only 
affects Ingres on the Windows operating system. Reported by 
iDefense as IDEF2023.

7) Data Access/JDBC server heap corruption (reported by iDefense) 
[Ingres bug 117523, CVE-2007-3334, CAID 35453]
Description: An attacker can execute arbitrary code within the 
context of the Data Access server (iigcd.exe) in r3 or the JDBC 
server in older releases. This only affects Ingres on the Windows 
operating system. Reported by iDefense as IDEF2022.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a cumulative High 
risk rating.

Affected Products:
Advantage Data Transformer r2.2
AllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1
AllFusion Harvest Change Manager r7, r7.1
BrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, 
   Linux and Mainframe Linux)
BrightStor ARCserve Backup for Laptops and Desktops r11.5
BrightStor Enterprise Backup (Unix only) r10.5
BrightStor Storage Command Center r11.5
BrightStor Storage Resource Manager r11.5
CleverPath Aion Business Rules Expert r10.1
CleverPath Aion Business Process Monitoring r10.1
CleverPath Predictive Analysis Server r3
DocServer 1.1
eTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2
eTrust Audit r8 SP2
eTrust Directory r8.1
eTrust IAM Suite r8.0
eTrust IAM Toolkit r8.0, r8.1
eTrust Identity Manager r8.1
eTrust Network Forensics r8.1
eTrust Secure Content Manager r8
eTrust Single Sign-On r7, r8, r8.1
eTrust Web Access Control 1.0
Unicenter Advanced Systems Management r11
Unicenter Asset Intelligence r11
Unicenter Asset Management r11
Unicenter Asset Portfolio Management r11.2.1, r11.3
Unicenter CCS r11
Unicenter Database Command Center r11.1
Unicenter Desktop and Server Management r11
Unicenter Desktop Management Suite r11
Unicenter Enterprise Job Manager r1 SP3, r1 SP4
Unicenter Job Management Option r11
Unicenter Lightweight Portal 2
Unicenter Management Portal r3.1.1
Unicenter Network and Systems Management r3.0, r11
Unicenter Network and Systems Management - Tiered - Multi Platform 
   r3.0 0305, r3.1 0403, r11.0
Unicenter Patch Management r11
Unicenter Remote Control 6, r11
Unicenter Service Accounting r11, r11.1
Unicenter Service Assure r2.2, r11, r11.1
Unicenter Service Catalog r11, r11.1
Unicenter Service Delivery r11.0, r11.1
Unicenter Service Intelligence r11
Unicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1
Unicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, 
   r11.1, r11.2
Unicenter Software Delivery r11
Unicenter TNG 2.4, 2.4.2, 2.4.2J
Unicenter Workload Control Center r1 SP3, r1 SP4
Unicenter Web Services Distributed Management 3.11, 3.50
Wily SOA Manager 7.1

Affected Platforms:
All operating system platforms supported by the various CA 
products 

[Full-disclosure] [CAID 35395, 35396]: CA Anti-Virus Engine CAB File Buffer Overflow Vulnerabilities

2007-06-07 Thread Williams, James K

Title: [CAID 35395, 35396]: CA Anti-Virus Engine CAB File Buffer 
Overflow Vulnerabilities

CA Vuln ID (CAID): 35395, 35396

CA Advisory Date: 2007-06-05

Reported By: ZDI

Impact: Remote attackers can cause a denial of service or 
potentially execute arbitrary code.

Summary: CA Anti-Virus engine contains multiple vulnerabilities 
that can allow a remote attacker to cause a denial of service or 
possibly execute arbitrary code. CA has issued an update to 
address the vulnerabilities. The first vulnerability, 
CVE-2007-2863, is due to insufficient bounds checking on filenames 
contained in a CAB archive. The second vulnerability, 
CVE-2007-2863, is due to insufficient bounds checking on the 
coffFiles field. By using a specially malformed CAB file, an 
attacker can cause a crash or take unauthorized action on an 
affected system.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8, 
   r8.1
CA Anti-Virus 2007 (v8)
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3)
eTrust Internet Security Suite r1, r2
eTrust EZ Armor r1, r2, r3.x
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) r8
CA Protection Suites r2, r3
CA Secure Content Manager (formerly eTrust Secure Content 
   Manager) 8.0
CA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus 
   Gateway) 7.1
Unicenter Network and Systems Management (NSM) r3.0
Unicenter Network and Systems Management (NSM) r3.1
Unicenter Network and Systems Management (NSM) r11
Unicenter Network and Systems Management (NSM) r11.1
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
CA Common Services
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

Affected Platforms:
All

Status and Recommendation:
CA has issued content update 30.6 to address the vulnerabilities. 
The updated engine is provided with content updates. Ensure the 
latest content update is installed if the signature version is 
less than version 30.6.

For BrightStor ARCserve Backup:

1. To update the signatures one time only, open a command window, 
change into the C:\Program Files\CA\SharedComponents\ScanEngine 
directory, and enter the following command:

inodist /cfg inodist.ini

2. To update on a regular schedule:

* Submit a GenericJob using the ARCserve Job Scheduler. Please 
search the BrightStor Administrator's Guide for 'Antivirus 
Maintenance' and follow the directions.

Or

* Use the above command line instruction with the AT Scheduler.


Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Security Notice for CA products implementing the Anti-Virus engine
http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp
CA Security Advisor posting: CA Anti-Virus Engine CAB File Buffer 
Overflow Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=144680
CAID: 35395, 35396
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35395
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35396
Reported By: ZDI
ZDI Advisory: ZDI-07-034, ZDI-07-035
http://www.zerodayinitiative.com/advisories/ZDI-07-034.html
http://www.zerodayinitiative.com/advisories/ZDI-07-035.html
CVE References: CVE-2007-2863, CVE-2007-2864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2864
OSVDB References: OSVDB-35244, OSVDB-35245
http://osvdb.org/35244
http://osvdb.org/35245

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a 
Vulnerability form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research



[Full-disclosure] CA BrightStor ARCserve Backup Mediasvr.exe and caloggerd.exe Vulnerabilities

2007-05-16 Thread Williams, James K

Title: CA BrightStor ARCserve Backup Mediasvr.exe and 
caloggerd.exe Vulnerabilities

Notice Date: 2007-05-16

CA is aware that two functional exploit code samples were 
publicized on May 16, 2007. These two denial of service exploits 
are associated with vulnerabilities in CA BrightStor ARCserve 
Backup Mediasvr.exe and caloggerd.exe.

We have verified that vulnerabilities do exist, and we are now 
working on a patch to address the issues. We have given these 
vulnerabilities a Medium risk rating.

To mitigate the Mediasvr.exe vulnerability, CA recommends that 
BrightStor ARCserve Backup users implement the following temporary 
workaround:

   1. Rename the mediasvr.exe file to a non-functional file 
  name, such as mediasvc.exe.disable.

   2. Then restart the CA BrightStor Tape Engine service.

This will disable the command line functionality in the product 
(i.e. command line utilities such as ca_backup, ca_restore, 
ca_merge, ca_qmgr, ca_scan, etc will not work).

After we have completed our analysis of these issues, we will post 
an update and patches on the CA SupportConnect website. If 
additional information is required, please contact CA Technical 
Support at http://supportconnect.ca.com.

If you discover a vulnerability in CA products, please report your 
findings to vuln AT ca DOT com, or utilize our Submit a 
Vulnerability form at 
http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.


[Full-disclosure] [CAID 35330, 35331]: CA Anti-Virus, CA Threat Manager, and CA Anti-Spyware Console Login and File Mapping Vulnerabilities

2007-05-10 Thread Williams, James K

Title: [CAID 35330, 35331]: CA Anti-Virus, CA Threat Manager, and 
CA Anti-Spyware Console Login and File Mapping Vulnerabilities

CA Vuln ID (CAID): 35330, 35331

CA Advisory Date: 2007-05-09

Reported By: ZDI, iDefense

Impact: Attackers can cause a denial of service or potentially 
execute arbitrary code.

Summary: CA Anti-Virus for the Enterprise, CA Threat Manager, and 
CA Anti-Spyware contain multiple vulnerabilities that can allow an 
attacker to cause a denial of service or possibly execute 
arbitrary code. CA has issued patches to address the 
vulnerabilities.

The first vulnerability, CVE-2007-2522, is due to insufficient 
bounds checking on Console Server login credentials. A remote 
attacker can use carefully constructed authentication credentials 
to cause a stack based buffer overflow, which can potentially 
result in arbitrary code execution.

The second vulnerability, CVE-2007-2523, is due to insufficient 
bounds checking in InoCore.dll. A local attacker can modify the 
contents of a file mapping to cause a stack based buffer overflow, 
which can potentially result in arbitrary code execution. This 
issue only affects CA Anti-Virus for the Enterprise and CA Threat 
Manager.

Mitigating Factors: For CVE-2007-2522, the vulnerability applies 
only to an installation on the x86 platform with the Console 
Server installed.

Severity: CA has given these vulnerabilities a combined High risk 
rating.

Affected Products:
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Threat Manager (formerly eTrust Integrated Threat Management) r8
CA Anti-Spyware for the Enterprise (formerly eTrust PestPatrol) r8
CA Protection Suites r3

Affected Platforms:
Windows

Status and Recommendation:
CA has issued an update to address the vulnerabilities. The 
patched files are available as part of the product's automatic 
content update. The following components must be enabled in order 
to receive these updates: eTrust ITM Console Server must be 
enabled to receive InoWeb.exe updates, and eTrust ITM Common must 
be enabled to receive InoCore.dll updates.

How to determine if the installation is affected:
1. Using Windows Explorer, locate the files InoWeb.exe and 
   InoCore.dll. By default, the files are located in the 
   C:\Program Files\CA\eTrustITM directory.
2. Right click on each of the files and select Properties.
3. Select the Version tab (or the Details tab if you are using 
   Windows Vista).
4. If either file version is earlier than indicated below, the 
   installation is vulnerable.
   File Name     File Version
   InoWeb.exe    8.0.448.0
   InoTask.dll   8.0.448.0

Workaround:
In situations where updating the product is not immediately 
feasible, the following workaround can be used as a temporary 
measure to reduce exposure.

For CVE-2007-2522, filter access to TCP port 12168.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Security Notice for CA Anti-Virus for the Enterprise, CA Threat 
Manager, and CA Anti-Spyware
http://supportconnectw.ca.com/public/antivirus/infodocs/caav-secnotice050807.asp
CA Security Advisor posting:
CA Anti-Virus, CA Threat Manager, and CA Anti-Spyware Console 
Login and File Mapping Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=139626
CAID: 35330, 35331
CAID Advisory links:
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35330
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35331
Reported By: iDefense
iDefense Advisory: 05.09.07 : Computer Associates eTrust 
InoTask.exe Antivirus Buffer Overflow Vulnerability 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=530
Reported By: ZDI
ZDI Advisory: ZDI-07-028
http://www.zerodayinitiative.com/advisories/ZDI-07-028.html
CVE References: CVE-2007-2522, CVE-2007-2523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2523
OSVDB References: OSVDB-34585, OSVDB-34586
http://osvdb.org/34585
http://osvdb.org/34586

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a 
Vulnerability form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.

[Full-disclosure] [CAID 35198, 35276]: CA BrightStor ARCserve Backup Media Server Vulnerabilities

2007-04-25 Thread Williams, James K

Title: [CAID 35198, 35276]: CA BrightStor ARCserve Backup Media 
Server Vulnerabilities

CA Vuln ID (CAID): 35198, 35276

CA Advisory Date: 2007-04-24

Reported By: ZDI

Impact: Remote attackers can cause a denial of service or 
potentially execute arbitrary code.

Summary: CA BrightStor ARCserve Backup Media Server contains 
multiple vulnerabilities that can allow a remote attacker to cause 
a denial of service or possibly execute arbitrary code. CA has 
issued patches to address the vulnerabilities. The first 
vulnerability, CVE-2007-1785, addresses an issue with the 
processing of an object handle. The second vulnerability, 
CVE-2007-2139, is due to insufficient bounds checking. In both 
cases, a remote unauthenticated attacker can execute arbitrary 
code with escalated privileges.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:
BrightStor Products:
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup for Windows r11
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
CA Protection Suites r2:
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
   Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
   Premium Edition r2

Affected Platforms:
Windows

Status and Recommendation:
Customers using vulnerable versions of BrightStor ARCserve Backup 
should upgrade with the latest patches, which are available for 
download from http://supportconnect.ca.com.
BrightStor ARCserve Backup r11.5 SP3 - QO87569
BrightStor ARCserve Backup r11.5 SP2 - QO87570
BrightStor ARCserve Backup r11.1 - QO87573
BrightStor ARCserve Backup r11.0 - QI82917
BrightStor Enterprise Backup r10.5 - QO87575
BrightStor ARCserve Backup v9.01 - QO87574

How to determine if the installation is affected:
1. Using Windows Explorer, locate the file mediasvr.exe.
2. By default, the file is located in the 
   C:\Program Files\CA\BrightStor ARCserve Backup directory.
3. Right click on the file and select Properties.
4. Select the General tab.
5. If the file timestamp is earlier than indicated in the table 
   below, the installation is vulnerable.

Product Version  File Name     Timestamp            File Size
r11.5 SP3        mediasvr.exe  04/03/2007 10:07:58  110592
r11.5 SP2        mediasvr.exe  04/03/2007 10:00:04  106496
r11.1            mediasvr.exe  04/03/2007 09:55:18  106496
r10.5            mediasvr.exe  04/03/2007 09:46:26  106496
v9.01            mediasvr.exe  04/03/2007 09:51:42  9830

Workaround:
CA recommends that BrightStor ARCserve Backup users who cannot 
apply the patches at this time implement the following temporary 
workaround to mitigate the vulnerability:
1. Rename the mediasvr.exe file to a non-functional file name, 
   such as mediasvr.exe.disable.
2. Restart the CA BrightStor Tape Engine service.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
BrightStor ARCserve Backup Media Server Security Notice
http://supportconnectw.ca.com/public/storage/infodocs/babmedser-secnotice.asp
Solution Document Reference APARs:
QO87569, QO87570, QO87573, QI82917, QO87575, QO87574
CA Security Advisor posting:
CA BrightStor ARCserve Backup Media Server Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=136549
CAID: 35198, 35276
CAID Advisory links:
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35198
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35276
Reported By: ZDI
ZDI Advisory: ZDI-07-022
http://www.zerodayinitiative.com/advisories/ZDI-07-022.html
CVE References: CVE-2007-1785, CVE-2007-2139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2139
OSVDB References: OSVDB-34126, OSVDB-34127
http://osvdb.org/34126
http://osvdb.org/34127

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please
send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a Vulnerability
form. 
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.


[Full-disclosure] [CAID 35277]: CA CleverPath Portal SQL Injection Vulnerability

2007-04-25 Thread Williams, James K

Title: [CAID 35277]: CA CleverPath Portal SQL Injection 
Vulnerability

CA Vuln ID (CAID): 35277

CA Advisory Date: 2007-04-24

Reported By: Hacktics Ltd

Impact: Local attacker can access confidential data.

Summary: CA CleverPath Portal contains a vulnerability that can 
allow a local attacker to access confidential data. The 
vulnerability is due to insufficient filtering of SQL search 
queries. CA has issued a patch to address the vulnerability.

Mitigating Factors:
1. Lite Search is required for this scenario. 
2. Data can not be modified using this technique.
3. Attacker must have a valid username and password.

Severity: CA has given this vulnerability a Low risk rating.

Affected Products:
BrightStor Portal 11.1
CleverPath Aion 10, 10.1, 10.2
CleverPath Portal 4.51, 4.7, 4.71
eTrust Security Command Center (eTrust SCC)  1, 8
Unicenter Argis Portfolio Asset Management 11
Unicenter Database Management Portal 11, 11.1
Unicenter Enterprise Job Manager (UEJM) 3, 11
Unicenter Management Portal (UMP) 2, 3.1, 11

Affected Platforms:
All supported platforms

Status and Recommendation:
Customers using vulnerable versions of CleverPath Portal should 
apply the patch, which is available for download from 
http://supportconnect.ca.com.
CleverPath Portal solution - QO87601

How to determine if the installation is affected:
To determine if you are using the Lite Search feature, log in to 
the Portal Administration area. On the Global Properties page, you 
can view the current Search Engine configuration.

Workaround:
None available

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
CleverPath Portal Security Notice
http://supportconnectw.ca.com/public/cp/portal/infodocs/portal-secnot.asp
Solution Document Reference APARs:
QO87601
CA Security Advisor posting:
CA CleverPath Portal SQL Injection Vulnerability
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=136879
CAID: 35277
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35277
Reported By: Hacktics Ltd
Hacktics advisory:
Security Advisory: CA CleverPath SQL Injection
http://www.hacktics.com/AdvCleverPathApr07.html
CVE Reference: CVE-2007-2230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2230
OSVDB Reference: OSVDB-34128
http://osvdb.org/34128

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please
send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a Vulnerability
form. 
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.


[Full-disclosure] CA BrightStor ARCserve Backup Mediasvr.exe vulnerability

2007-03-30 Thread Williams, James K

CA is aware that functional exploit code was publicized on 
March 30, 2007 for a CA BrightStor ARCserve Backup Mediasvr.exe 
vulnerability. 

We have verified that a high risk vulnerability does exist and we 
are now working on a patch to address the issue. 

CA recommends that BrightStor ARCserve Backup users implement the 
following temporary workaround to mitigate the vulnerability: 

1) Rename the mediasvr.exe file to a non-functional file name, 
   such as mediasvc.exe.disable.

2) Then restart the CA BrightStor Tape Engine service.

This will disable the command line functionality in the product 
(i.e. command line utilities such as ca_backup, ca_restore, 
ca_merge, ca_qmgr, ca_scan, etc will not work).

After we have completed our analysis of the issue, we will post 
an update and patches on the CA SupportConnect website. If 
additional information is required, please contact CA Technical 
Support at http://supportconnect.ca.com.

If you discover a vulnerability in CA products, please report 
your findings to vuln at ca dot com, or utilize our Submit a 
Vulnerability form at 
http://www3.ca.com/securityadvisor/vulninfo/submit.aspx.


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza, Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2007 CA. All rights reserved.


[Full-disclosure] [CAID 34817, 35058, 35158, 35159]: CA BrightStor ARCserve Backup Tape Engine and Portmapper Vulnerabilities

2007-03-15 Thread Williams, James K

Title: [CAID 34817, 35058, 35158, 35159]: CA BrightStor ARCserve 
Backup Tape Engine and Portmapper Vulnerabilities

CA Vuln ID (CAID): 34817, 35058, 35158, 35159

CA Advisory Date: 2007-03-15

Reported By: McAfee

Impact: Remote attackers can cause a denial of service or 
potentially execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains four 
vulnerabilities that can allow a remote attacker to cause a denial 
of service or possibly execute arbitrary code. CA has issued 
patches to address the vulnerabilities. The first vulnerability, 
CVE-2006-6076, is due to insufficient bounds checking in the Tape 
Engine, which can result in a buffer overflow and arbitrary code 
execution. The second vulnerability, CVE-2007-0816, is related to 
how invalid parameters are handled by the portmapper (catirpc.dll) 
service. By sending a specially crafted request, a remote attacker 
can crash the service. The third vulnerability, CVE-2007-1447, is 
due to a memory corruption issue that occurs during processing of 
RPC procedure arguments by the Tape Engine. The vulnerability can 
result in a denial of service, and can potentially be exploited to 
execute arbitrary code. The fourth vulnerability, CVE-2007-1448, 
is due to the presence of an RPC function that, when called, will 
disable the Tape Engine interface. A remote attacker can make a 
request that will effectively shut down Tape Engine functionality.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:
BrightStor Products:
   BrightStor ARCserve Backup r11.5
   BrightStor ARCserve Backup r11.1
   BrightStor ARCserve Backup for Windows r11
   BrightStor Enterprise Backup r10.5
   BrightStor ARCserve Backup v9.01
CA Protection Suites r2:
   CA Server Protection Suite r2
   CA Business Protection Suite r2
   CA Business Protection Suite for Microsoft Small Business 
      Server Standard Edition r2
   CA Business Protection Suite for Microsoft Small Business 
      Server Premium Edition r2

Affected Platforms:
Windows

Status and Recommendation:
Customers using vulnerable versions of BrightStor ARCserve Backup 
should upgrade with the latest patches, which are available for 
download from http://supportconnect.ca.com.
BrightStor ARCserve Backup r11.5 - QO86255
BrightStor ARCserve Backup r11.1 - QO86258
BrightStor ARCserve Backup r11.0 - QI82917
BrightStor Enterprise Backup r10.5 - QO86259
BrightStor ARCserve Backup v9.01 - QO86260

How to determine if the installation is affected:
1. Using Windows Explorer, locate the files tapeng.dll and 
   catirpc.dll. By default, the files are located in the 
   C:\Program Files\CA\BrightStor ARCserve Backup directory.
2. Right click on each of the files and select Properties.
3. Select the General tab.
4. If either file timestamp is earlier than what is indicated in 
   the table below, the installation is vulnerable.

File Name    Timestamp            File Size
catirpc.dll  02/12/2007 10:55:14  102400 bytes
tapeeng.dll  02/02/2007 17:05:00  876627 bytes

Workaround:
To reduce exposure, block unauthorized access to ports 6502 (TCP) 
and 111 (UDP).

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Security Notice for BrightStor ARCserve Backup Tape Engine and 
   Portmapper
http://supportconnectw.ca.com/public/storage/infodocs/babtapeng-securitynotice.asp
Solution Document Reference APARs:
QO86255, QO86258, QI82917, QO86259, QO86260
CA Security Advisor posting:
CA BrightStor ARCserve Backup Tape Engine and Portmapper 
   Vulnerabilities
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317
CAID: 34817, 35058, 35158, 35159
CAID Advisory links:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34817
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35058
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35158
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35159
Reported By: McAfee
McAfee advisory:
http://www.mcafee.com/us/threat_center/security_advisories.html
CVE References: CVE-2006-6076, CVE-2007-0816, CVE-2007-1447, 
   CVE-2007-1448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1448
OSVDB Reference: OSVDB-32989, OSVDB-32990, OSVDB-32991, 
   OSVDB-30637
http://osvdb.org/32989
http://osvdb.org/32990
http://osvdb.org/32991
http://osvdb.org/30637

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please
send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our 

[Full-disclosure] [CAID 35145]: CA eTrust Admin Privilege Escalation Vulnerability

2007-03-08 Thread Williams, James K

Title: [CAID 35145]: CA eTrust Admin Privilege Escalation
Vulnerability

CA Vuln ID (CAID): 35145

CA Advisory Date: 2007-03-08

Impact: Attackers can gain escalated privileges.

Summary: The CA eTrust Admin GINA component contains a privilege
escalation vulnerability within the reset password interface.

Mitigating Factors: This vulnerability is exploitable only 
through physical interactive access or through Remote Desktop.

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
eTrust Admin 8.1 SP2 (8.1.2)
eTrust Admin 8.1 SP1 (8.1.1)
eTrust Admin 8.1 (8.1.0)

Affected Platforms:
Windows

Status and Recommendation:
CA has issued an update to correct the vulnerability. Two update
options are available for CA eTrust Admin 8.1 SP2 (8.1.2), 
8.1 SP1 (8.1.1), 8.1 (8.1.0):
1. Uninstall GINA and install 8.1 SP2 CR6 or later.
Or
2. Manually replace the affected cube.exe executable with the 
fixed cube.exe executable from the 8.1 SP2 CR6 Manual Updates zip 
file. The fixed cube.exe file has a date of February 11, 2007 and 
a file size of 53,248 bytes.
Both updates can be found at the eTrust Admin Solutions and 
Patches page:
http://supportconnectw.ca.com/public/etrust/etrustadmin-dmo/downloads/etrustadmin-updates.asp

Workaround:
If patch application is not feasible at this time, ensure that 
Remote Desktop is disabled and restrict physical host access to 
reduce exposure.

How to determine if the installation is affected:
1. Using Windows Explorer, locate the file cube.exe. By default, 
the file is located in the 
C:\Program Files\CA\eTrust Admin GINA Option directory.
2. Right click on the file and select Properties.
3. Select the General tab.
The installation is vulnerable if the creation date of cube.exe is
earlier than February 11, 2007.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect security notice for this vulnerability:
Security Notice for CA eTrust Admin GINA
http://supportconnectw.ca.com/public/etrust/etrustadmin-dmo/infodocs/etrust_secnot_gina.asp
CA Security Advisor posting:
CA eTrust Admin Privilege Escalation Vulnerability
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101038
CAID: 35145
CAID advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35145
CVE Reference: CVE-2007-1345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1345
OSVDB Reference: OSVDB ID: 32722
http://osvdb.org/32722

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report 
your findings to vuln AT ca DOT com, or utilize our Submit a
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2007 CA. All rights reserved.


[Full-disclosure] [CAID 35112]: CA eTrust Intrusion Detection Denial of Service Vulnerability

2007-02-28 Thread Williams, James K

Title: [CAID 35112]: CA eTrust Intrusion Detection Denial of Service
Vulnerability

CA Vuln ID (CAID): 35112

CA Advisory Date: 2007-02-27

Reported By: iDefense

Impact: Remote attackers can cause a denial of service condition.

Summary: CA eTrust Intrusion Detection contains a vulnerability that 
can allow a remote attacker to cause a denial of service condition. 

Mitigating Factors: None

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
eTrust Intrusion Detection 3.0 SP1
eTrust Intrusion Detection 3.0
eTrust Intrusion Detection 2.0 SP1

Affected Platforms:
Windows

Status and Recommendation:
Customers with vulnerable versions of the eTrust Intrusion Detection
product should upgrade with the latest patches, which are available
for download from http://supportconnect.ca.com.

eTrust Intrusion Detection 3.0 SP1 - QO85469
eTrust Intrusion Detection 3.0 - QO85472
eTrust Intrusion Detection 2.0 SP1 - QO85488

How to determine if the installation is affected:
1. Locate the file SW3eng.exe with Windows Explorer. For 3.0 and 3.0
SP1, the file is located in the 
Program Files\CA\eTrust\Intrusion Detection\engine\ directory. For
2.0, the file is located in the 
Program Files\eTrust\Intrusion Detection\engine\ directory.
2. Right click SW3eng.exe and choose Properties 
3. Select the Version tab 

The installation is vulnerable if the version of SW3eng.exe is less 
than the version indicated below:
eTrust Intrusion Detection 3.0 SP1 - SW3eng.exe 3.0.5.80
eTrust Intrusion Detection 3.0  - SW3eng.exe 3.0.2.07
eTrust Intrusion Detection 2.0 SP1 - SW3eng.exe 2.0.0.41

Workaround:
In the case where applying the patch is not feasible, ensure only
authorized hosts are permitted to connect to the Engine service port,
9191 by default, on the host running eTrust Intrusion Detection.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Security Notice for eTrust Intrusion Detection
http://supportconnectw.ca.com/public/ca_common_docs/eid_secnotice.asp
Solution Document Reference APARs:
QO85469, QO85472, QO85488
CA Security Advisor posting:
CA eTrust Intrusion Detection Denial of Service Vulnerability
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=100784
CAID: 35112
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35112
Reported By: iDefense
iDefense advisory 02.27.07:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=484
CVE Reference: CVE-2007-1005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1005
OSVDB Reference: OSVDB ID: 32290
http://osvdb.org/32290

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please
send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our Submit a Vulnerability
form. 
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza, Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2007 CA. All rights reserved.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
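
The SW3eng.exe version check described in the advisory above can be scripted. The PowerShell below is an added example, not part of the advisory or of CA's tooling; the function name, the -Release and -Path parameters, and the extra lookup under "Program Files (x86)" are assumptions, while the fixed versions and install directories are the ones the advisory lists.

```powershell
# Added example (not CA code): scripted form of the manual SW3eng.exe check.
# Fixed versions and install directories are taken from the advisory text.
$Sw3engFixed = @{
    '3.0 SP1' = [version]'3.0.5.80'
    '3.0'     = [version]'3.0.2.07'   # System.Version parses this as 3.0.2.7
    '2.0 SP1' = [version]'2.0.0.41'
}
$Sw3engDir = @{
    '3.0 SP1' = 'CA\eTrust\Intrusion Detection\engine'
    '3.0'     = 'CA\eTrust\Intrusion Detection\engine'
    '2.0 SP1' = 'eTrust\Intrusion Detection\engine'
}

function Test-Sw3engVersion {
    [CmdletBinding()]
    param(
        # Installed product release; selects the threshold and default directory.
        [Parameter(Mandatory = $true)]
        [ValidateSet('3.0 SP1', '3.0', '2.0 SP1')]
        [string]$Release,

        # Optional explicit path to SW3eng.exe for non-default installs.
        [string]$Path
    )

    $fixed = $Sw3engFixed[$Release]

    if (-not $Path) {
        # Assumption: on 64-bit hosts the product may sit under "Program Files (x86)".
        $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
            Where-Object { $_ } | Select-Object -Unique
        $Path = $roots |
            ForEach-Object { Join-Path $_ (Join-Path $Sw3engDir[$Release] 'SW3eng.exe') } |
            Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
            Select-Object -First 1
    }

    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # File not found: report that rather than guessing a state.
        return [pscustomobject]@{
            Release = $Release; Path = $Path; Found = $false
            FileVersion = $null; FixedVersion = $fixed; Vulnerable = $null
        }
    }

    # Build the version from the numeric fields of the version resource; the
    # FileVersion string itself can carry free text that does not parse.
    $full = (Get-Item -LiteralPath $Path).FullName
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($full)
    $actual = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    # Advisory rule: vulnerable if the file version is less than the fixed one.
    # A file with no version resource reads as 0.0.0.0 and is reported vulnerable.
    [pscustomobject]@{
        Release = $Release; Path = $full; Found = $true
        FileVersion = $actual; FixedVersion = $fixed
        Vulnerable = ($actual -lt $fixed)
    }
}

# Example run against the default install location for 3.0 SP1.
Test-Sw3engVersion -Release '3.0 SP1'
```

The comparison uses System.Version, so 3.0.5.9 is correctly treated as older than 3.0.5.80, which a plain string comparison would get wrong.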


[Full-disclosure] [CAID 34993]: CA BrightStor ARCserve Backup for Laptops and Desktops Multiple Overflow Vulnerabilities

2007-01-24 Thread Williams, James K
 

Title: [CAID 34993]: CA BrightStor ARCserve Backup for Laptops and 
Desktops Multiple Overflow Vulnerabilities

CA Vuln ID (CAID): 34993

CA Advisory Date: 2007-01-23

Discovered By: Next Generation Security Software

Impact: Remote attacker can cause a denial of service or execute 
arbitrary code.

Summary: CA BrightStor ARCserve Backup for Laptops and Desktops 
contains multiple overflow conditions that can allow a remote 
attacker to cause a denial of service, or execute arbitrary code 
with local SYSTEM privileges on Windows.

Mitigating Factors: None.

Severity: CA has given these vulnerability issues a High risk 
rating.

Affected Products:
BrightStor Products:
   BrightStor ARCserve Backup for Laptops and Desktops r11.1 SP1
   BrightStor ARCserve Backup for Laptops and Desktops r11.1
   BrightStor ARCserve Backup for Laptops and Desktops r11.0
   BrightStor Mobile Backup r4.0
CA Protection Suites r2:
   CA Desktop Protection Suite r2
   CA Business Protection Suite r2
   CA Business Protection Suite for Microsoft Small Business 
      Server Standard Edition r2
   CA Business Protection Suite for Microsoft Small Business 
      Server Premium Edition r2
CA Desktop Management Suite:
   DMS r11.0
   DMS r11.1

Affected platforms:
Microsoft Windows

Status and Recommendation: 
Customers with vulnerable versions of the BrightStor ARCserve 
Backup Laptops & Desktops product should upgrade to the latest 
versions, which are available for download from 
http://supportconnect.ca.com. 
BABLD r11.1 SP2 – SP2 does not contain the vulnerability, so there 
   is no fix to apply.
BABLD r11.1 SP1 - QO83833
BABLD r11.0 - QI85497
DMS r11.1 - QO85401
DMS r11.0 - QI85423
BMB r4.0 - QO85402

Determining if you are affected:
Refer to the appropriate APAR for details.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for BrightStor ARCserve Backup for 
Laptops & Desktops
http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp
Solution Document Reference APARs: 
QO83833, QI85497, QO85401, QI85423, QO85402
CA Security Advisor posting:
CA BrightStor ARCserve Backup for Laptops and Desktops Multiple 
Overflow Vulnerabilities
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696
CAID: 34993
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34993
Discoverer: Next Generation Security Software
Next Generation Security Software advisories:
http://www.ngssoftware.com/
CVE Reference: CVE-2007-0449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449
OSVDB Reference: OSVDB ID: 31593
http://osvdb.org/31593

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED]

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza, Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2007 CA. All rights reserved.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [CAID 34818]: CA Personal Firewall Multiple Privilege Escalation Vulnerabilities

2007-01-24 Thread Williams, James K
 
Title: [CAID 34818]: CA Personal Firewall Multiple Privilege 
Escalation Vulnerabilities

CA Vuln ID (CAID): 34818

CA Advisory Date: 2007-01-22

Discovered By: Reverse Mode

Impact: Local attacker can gain escalated privileges.

Summary: Multiple vulnerabilities have been discovered in CA 
Personal Firewall drivers. The vulnerabilities are due to errors 
in the HIPS Core (KmxStart.sys) and HIPS Firewall (KmxFw.sys) 
drivers. Local attackers can exploit these vulnerabilities to gain 
escalated privileges.

Mitigating Factors: Local user account required for exploitation.

Severity: CA has given these vulnerability issues a Medium risk 
rating.

Affected Products:
CA Personal Firewall 2007 (v9.0) Engine version 1.0.173 and below
CA Internet Security Suite 2007 (v3.0) with CA Personal Firewall 
   2007 (v9.0) Engine version 1.0.173 and below 

Affected platforms:
Microsoft Windows

Status and Recommendation: 
CA has addressed this issue by providing a new automatic update on 
January 22, 2007. Customers running one of the affected products 
simply need to ensure that they have allowed this automatic update 
to take place.

Determining if you are affected:
To ensure that the update has taken place, customers can view the 
Help > About screen in their CA Personal Firewall product and 
confirm that their engine version number is 1.0.176 or higher.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA Consumer Support Knowledge Document for this vulnerability:
Medium Risk CA Personal Firewall Vulnerability - Multiple 
Privilege Escalation Vulnerabilities
http://crm.my-etrust.com/login.asp?username=guesttarget=DOCUMENTopen
parameter=2680
Solution Document Reference APARs: 
N/A
CA Security Advisor posting:
CA Personal Firewall Multiple Privilege Escalation Vulnerabilities
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97729
CAID: 34818
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34818
Discoverer: Reverse Mode
http://www.reversemode.com/index.php?option=com_contenttask=viewid=2
7Itemid=2
CVE Reference: CVE-2006-6952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6952
OSVDB References: OSVDB ID: 30497, 30498
http://osvdb.org/30497
http://osvdb.org/30498
Other References:
[Reversemode advisory] Computer Associates HIPS Drivers - multiple 
local privilege escalation vulnerabilities.
http://marc.theaimsgroup.com/?l=bugtraqm=116379521731676w=2

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED]

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza, Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2007 CA. All rights reserved.



Re: [Full-disclosure] CA BrightStor ARCserve Backup Tape Engine Exploit Security Notice

2007-01-11 Thread Williams, James K

 [Full-disclosure] CA BrightStor ARCserve Backup Tape Engine 
 Exploit Security Notice
 TheGesus thegesus at gmail.com
 Wed Jan 10 16:38:47 GMT 2007

On 1/9/07, Williams, James K James.Williams at ca.com wrote:

[...]
 CA BrightStor ARCserve Backup Tape Engine Exploit Security 
 Notice

 CA is aware that exploit code for a vulnerability in the Tape
 Engine component of CA BrightStor ARCserve Backup was posted on
 several security web sites and mailing lists on January 5, 
 2007. This vulnerability is fixed in BrightStor ARCserve Backup 
 r11.5 Service Pack 2, and a patch for earlier versions of 
 ARCserve will be available shortly.
[...]
 Reference (URL may wrap):
 http://supportconnectw.ca.com/public/storage/infodocs/basbrtapeeng-secnotice.asp

 Regards,
 Ken

 Ken Williams ; 0xE2941985
 Director, CA Vulnerability Research
[...]


TRANSLATION: don't hold your breath waiting for a patch.


Agreed.  Two days is quite a bit longer than the current 
competitive static apnea world record of 9 min 04 sec.

Patches for all other releases of BrightStor ARCserve Backup are 
now available via SupportConnect.
http://SupportConnect.ca.com

BAB r11.5 – QO84983
BAB r11.1 – QO84984
BAB r11.0 – QI82917
BEB r10.5 – QO84986
BAB v9.01 – QO84985

A formal advisory will be sent out later today.

Regards,
Ken
   
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


[Full-disclosure] [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow Vulnerabilities

2007-01-11 Thread Williams, James K
 
Title: [CAID 34955, 34956, 34957, 34958, 34959, 34817]: BrightStor 
ARCserve Backup Multiple Overflow Vulnerabilities

CA Vuln ID (CAID): 34955, 34956, 34957, 34958, 34959, 34817

CA Advisory Date: 2007-01-11

Discovered By: TippingPoint, IBM ISS, iDefense Labs

Impact: Remote attacker can execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains multiple overflow 
conditions that can allow a remote attacker to execute arbitrary 
code with local SYSTEM privileges on Windows. The BrightStor 
ARCserve Backup Tape Engine service, Mediasvr service, and 
ASCORE.dll file are affected.

Mitigating Factors: None.

Severity: CA has given these vulnerability issues a High risk 
rating.

Affected Products:
BrightStor Products:
   BrightStor ARCserve Backup r11.5
   BrightStor ARCserve Backup r11.1
   BrightStor ARCserve Backup for Windows r11
   BrightStor Enterprise Backup r10.5
   BrightStor ARCserve Backup v9.01
CA Protection Suites r2 Products:
   CA Server Protection Suite r2
   CA Business Protection Suite r2
   CA Business Protection Suite for Microsoft Small Business 
  Server Standard Edition r2
   CA Business Protection Suite for Microsoft Small Business 
  Server Premium Edition r2

Affected platforms:
Microsoft Windows

Status and Recommendation: 
Customers with vulnerable versions of BrightStor ARCserve Backup 
products should apply the appropriate fixes, which are now 
available for download at http://supportconnect.ca.com.
BAB r11.5 - QO84983
BAB r11.1 - QO84984
BAB r11.0 - QI82917
BEB r10.5 - QO84986
BAB v9.01 - QO84985

Determining if you are affected:
Refer to the appropriate APAR for details about updated module 
versions.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for BrightStor ARCserve Backup
http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice
.asp
CA BrightStor ARCserve Backup Tape Engine Exploit Security Notice
http://supportconnectw.ca.com/public/storage/infodocs/basbrtapeeng-sec
notice.asp
Solution Document Reference APARs: 
QO84983, QO84984, QI82917, QO84986, QO84985
CA Security Advisor posting:
BrightStor ARCserve Backup Multiple Overflow Vulnerabilities
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97428
CAID: 34955, 34956, 34957, 34958, 34959, 34817
CAID Advisory links: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34955
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34956
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34957
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34958
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34959
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34817
Discoverer: TippingPoint, IBM ISS, iDefense Labs
TippingPoint advisories:
http://www.zerodayinitiative.com/advisories/ZDI-07-002.html
http://www.zerodayinitiative.com/advisories/ZDI-07-003.html
http://www.zerodayinitiative.com/advisories/ZDI-07-004.html
IBM ISS advisories:
http://www.iss.net/threats/252.html
http://www.iss.net/threats/253.html
iDefense Labs:
http://labs.idefense.com/
CVE Reference: CVE-2006-5171, CVE-2006-5172, CVE-2007-0168, 
CVE-2007-0169, CVE-2006-6076, CVE-2006-6917
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6917
OSVDB Reference: OSVDB ID: 31317, 31318, 31319, 31320, 31327, 
30637
http://osvdb.org/31317
http://osvdb.org/31318
http://osvdb.org/31319
http://osvdb.org/31320
http://osvdb.org/31327
http://osvdb.org/30637
Other references:
http://www.lssec.com/advisories/LS-20061001.pdf
http://www.lssec.com/advisories/LS-20060908.pdf
http://www.lssec.com/advisories.html

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza, Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright © 2007 CA. All rights reserved.


[Full-disclosure] CA BrightStor ARCserve Backup Tape Engine Exploit Security Notice

2007-01-09 Thread Williams, James K
 
CA BrightStor ARCserve Backup Tape Engine Exploit Security Notice

CA is aware that exploit code for a vulnerability in the Tape 
Engine component of CA BrightStor ARCserve Backup was posted on 
several security web sites and mailing lists on January 5, 2007. 
This vulnerability is fixed in BrightStor ARCserve Backup r11.5 
Service Pack 2, and a patch for earlier versions of ARCserve will 
be available shortly.

CA recommends that customers employ best practices in securing 
their networks and in this case use filtering to block 
unauthorized access to port 6502 on hosts running the Tape Engine. 
Tape Engine is part of BrightStor ARCserve Backup server install. 
BrightStor ARCserve Backup client systems are not affected by this 
vulnerability.

CA customers with questions or concerns should contact CA 
Technical Support.

Reference (URL may wrap): 
http://supportconnectw.ca.com/public/storage/infodocs/basbrtapeeng-sec
notice.asp


Regards,
Ken
   
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research



[Full-disclosure] [CAID 34876]: CA CleverPath Portal Session Inheritance Vulnerability

2006-12-20 Thread Williams, James K

Title: CAID 34876: CA CleverPath Portal Session Inheritance
Vulnerability

CA Vulnerability ID (CAID): 34876

CA Advisory Date: 2006-12-19

Discovered By: CA customer and CA Technical Support

Impact: Remote attackers can potentially gain access to a user's 
Portal session.

Summary: CA CleverPath Portal and other CA solutions that embed 
Portal technology contain a session verification vulnerability.  
In certain multiple Portal server configurations, a user who 
connects through one Portal server could conceivably inherit the 
Portal session and associated security authentication of a user 
running on another Portal server.

Mitigating Factors: This problem only occurs when multiple Portal 
servers are sharing a common data store, and two of the Portal 
servers are started at exactly the same time. Typically, customers 
deploy multiple Portal servers in this type of configuration to 
utilize high-availability failover and load balancing. A multi 
CleverPath Portal server environment is not a default deployment, 
but it is an optional post installation configuration. None of the 
CA solutions that embed the Portal technology install into this 
scenario, or offer a multiple Portal server environment as a 
configurable option. However, it is conceivable that a 
knowledgeable administrator could have modified an embedded Portal 
environment to leverage multiple Portal servers.

Severity: CA has given this vulnerability a Low risk rating.

Affected Products:
CleverPath Portal r4.51
CleverPath Portal r4.7
CleverPath Portal r4.71
BrightStor Portal r11.1
CleverPath Aion BPM r10
CleverPath Aion BPM r10.1
CleverPath Aion BPM r10.2
eTrust Security Command Center r1
eTrust Security Command Center r8
Unicenter Asset and Portfolio Management r11
Unicenter Database Management Portal r11
Unicenter Database Command Center r11.1
Unicenter Enterprise Job Manager r1 SP3
Unicenter Workload Control Center r1 SP4
Unicenter Management Portal r2.0
Unicenter Management Portal r3.1
Unicenter Management Portal r11.0

Affected platforms:
All supported operating systems (Windows, Linux, and supported 
UNIX platforms).

Status and Recommendation: 
The most prudent course of action for affected customers is to 
download and apply the corrective maintenance. If the maintenance 
cannot be applied right away, CA Technical Support recommends 
implementing interim operational process controls to ensure, when 
multiple Portal servers are sharing a common data store, that the 
server start times are duly staggered by at least one minute.

Determining if you are affected: 
Affected Portal installations must meet both of the following 
criteria:
1) You are not at Portal maintenance version 4.71.001_179_060830 
   or higher. To determine your portal version:
   a. Login as a Portal Administrator.
   b. Choose My Profile from the upper right-hand portion of the 
  main workplace.
   c. Click on the Portal Administration link.
   d. The Portal version will be displayed in the right-hand pane 
  under Statistics.
2) You are running CA's Portal technology in a multi-server 
   environment. To determine if you are running a multi-server 
   environment:
   a. Login as a Portal Administrator.
   b. Choose My Profile from the upper right-hand portion of the 
  main workplace.
   c. Click on the Portal Administration link.
   d. If the Jump to Portal menu appears in the left Portal 
  Administration pane, you are using a multiple-server 
  environment. If you do not see the Jump to Portal section, 
  then Portal is not running in a multi-server environment and 
  is not affected by this vulnerability.
Note: refer to the SupportConnect Security Notice for additional 
information.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect security notice for this vulnerability:
Important Security Notice for CA CleverPath and Embedded Portal
Customers
http://supportconnectw.ca.com/public/ca_common_docs/cpportal_secnot.asp
Solution Document Reference APARs: 
Refer to the SupportConnect Security Notice.
CA Security Advisor posting:
CA CleverPath Portal Session Inheritance Vulnerability
http://www3.ca.com/securityadvisor/newsinfo/
CAID: 34876
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34876
CVE Reference: CVE-2006-6641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6641
OSVDB Reference: OSVDB-30854
http://osvdb.org/30854

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985

[Full-disclosure] [CAID 34870]: CA Anti-Virus vetfddnt.sys, vetmonnt.sys Local Denial of Service Vulnerabilities

2006-12-14 Thread Williams, James K
 
Title: CAID 34870: CA Anti-Virus vetfddnt.sys, vetmonnt.sys Local 
Denial of Service Vulnerabilities

CA Vulnerability ID (CAID): 34870

CA Advisory Date: 2006-12-13

Discovered By: Rubén Santamarta (reversemode.com)

Impact: Local unprivileged attacker can cause a denial of service.

Summary: Multiple instances of improper handling of NULL buffers 
in CA Anti-Virus allow local attackers to cause a denial of 
service condition.  This issue affects only consumer CA Anti-Virus 
products.

Mitigating Factors: Valid user account is required for successful 
attack.

Severity: CA has given this vulnerability issue a Low risk rating.

Affected Products:
Consumer Products:
CA Anti-Virus 2007 v8.1
CA Anti-Virus for Vista Beta v8.2
CA Internet Security Suite 2007 v3.0

Affected platforms:
Microsoft Windows

Status and Recommendation: 
CA has addressed this issue in the GA (Generally Available) 
software by providing a new automatic update on December 13, 2006. 
Customers running one of the GA products simply need to ensure 
that they have allowed this automatic update to take place.  For 
CA Anti-Virus for Vista Beta, this issue will be patched in the GA 
release of the software.

Determining if you are affected: 
View the Help > About screen and confirm that the product version is 
8.3.0.1 or above.  You can also verify application of the update 
by confirming that the vetfddnt.sys and vetmonnt.sys driver 
versions are 8.3.0.1 or above. These files are located in the 
%windows%\system32\drivers folder.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
N/A
CA Consumer Support Security Notice for this vulnerability:
Low Risk CA Anti-Virus Vulnerability - Multiple Local Denial of 
Service
http://crm.my-etrust.com/login.asp?username=guesttarget=DOCUMENTopen
parameter=2651
Solution Document Reference APARs: 
N/A
CA Security Advisor posting:
CA Anti-Virus vetfddnt.sys, vetmonnt.sys Local Denial of Service 
Vulnerabilities
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=96883
CAID: 34870
CAID Advisory links: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34870
Discoverer: Rubén Santamarta, Reverse Mode
http://www.reversemode.com/
http://www.reversemode.com/index.php?option=com_remositoryItemid=2fu
nc=fileinfoid=41
CVE Reference: CVE-2006-6496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6496
OSVDB Reference: OSVDB ID: 30845
http://osvdb.org/30845

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza, Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright © 2006 CA. All rights reserved.
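
The driver-version check described under "Determining if you are affected" in the CAID 34870 advisory above can be scripted. The PowerShell below is an added example, not part of the CA advisory or any CA tooling; the function names are hypothetical, and it assumes that "%windows%" in the advisory means the Windows directory ($env:SystemRoot).

```powershell
# Added example (not from the CA advisory): reports whether the two drivers
# named in CAID 34870 are at or above the fixed version given there (8.3.0.1).
# Assumption: "%windows%\system32\drivers" is $env:SystemRoot\System32\drivers.

$FixedVersion = [version]'8.3.0.1'                 # from the advisory
$DriverNames  = @('vetfddnt.sys', 'vetmonnt.sys')  # from the advisory

function Get-DriverDirectory {
    # A 32-bit process on 64-bit Windows is redirected away from the real
    # System32 folder; the Sysnative alias reaches the native one.
    $sys = 'System32'
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        $sys = 'Sysnative'
    }
    Join-Path (Join-Path $env:SystemRoot $sys) 'drivers'
}

function Get-CaDriverStatus {
    param(
        [string]   $Directory = (Get-DriverDirectory),
        [string[]] $Names     = $DriverNames,
        [version]  $Minimum   = $FixedVersion
    )
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name

        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # File absent: the product (or this driver) is not installed here.
            [pscustomobject]@{ Driver = $name; Version = $null; Status = 'NotPresent' }
            continue
        }

        $vi = (Get-Item -LiteralPath $path).VersionInfo
        if (-not $vi.FileVersion) {
            # No version resource: do not report 0.0.0.0 as a real version.
            [pscustomobject]@{ Driver = $name; Version = $null; Status = 'NoVersionInfo' }
            continue
        }

        # Build the version from the numeric fields; the FileVersion string
        # can carry extra text and is not reliable to parse.
        $ver = New-Object System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

        $status = if ($ver -ge $Minimum) { 'UpdateApplied' } else { 'UpdateMissing' }
        [pscustomobject]@{ Driver = $name; Version = $ver; Status = $status }
    }
}

$results = @(Get-CaDriverStatus)
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Status -eq 'UpdateMissing' }) {
    Write-Warning "At least one driver is below $FixedVersion; allow the automatic update to run."
}
```

A status of NotPresent for both drivers means neither file is in the drivers folder, so the check does not apply to that host.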


Re: [Full-disclosure] LS-20061001 - Computer Associates BrightStor ARCserve Backup v11.5 Remote Buffer Overflow Vulnerability

2006-12-12 Thread Williams, James K

 [Full-disclosure] LS-20061001 - Computer Associates BrightStor 
 ARCserve Backup v11.5 Remote Buffer Overflow Vulnerability
 advisories at lssec.com advisories at lssec.com
 Fri Dec 8 21:40:47 GMT 2006

 LS-20061001

[...]

 Technical details:

 http://www.lssec.com/advisories.html

 LSsecurity - LSsec.com

CA is aware of this report.  We urge customers running BrightStor 
ARCserve Backup r11.5 to install SP2.

Regards,
Ken
   
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research



Re: [Full-disclosure] LS-20060908 - Computer Associates BrightStor ARCserve Backup v11.5 Remote Buffer Overflow Vulnerability

2006-12-12 Thread Williams, James K

 [Full-disclosure] LS-20060908 - Computer Associates BrightStor 
 ARCserve Backup v11.5 Remote Buffer Overflow Vulnerability
 advisories at lssec.com advisories at lssec.com
 Fri Dec 8 21:39:31 GMT 2006

 LS-20060908

[...]

 Technical details:

 http://www.lssec.com/advisories.html

 LSsecurity - LSsec.com

CA is aware of this report.  We urge customers running BrightStor 
ARCserve Backup r11.5 to install SP2.

Regards,
Ken
   
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research



[Full-disclosure] [CAID 34846]: CA BrightStor ARCserve Backup Discovery Service Buffer Overflow Vulnerability

2006-12-08 Thread Williams, James K

Title: CAID 34846: CA BrightStor ARCserve Backup Discovery Service 
Buffer Overflow Vulnerability

CA Vulnerability ID (CAID): 34846

CA Advisory Date: 2006-12-07

Discovered By: Assurent Secure Technologies (assurent.com)

Impact: Remote attacker can execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains a buffer overflow 
that allows remote attackers to execute arbitrary code with local 
SYSTEM privileges on Windows. This issue affects the BrightStor 
Backup Discovery Service in multiple BrightStor ARCserve Backup 
application agents and the Base product.

Mitigating Factors: None.

Severity: CA has given this vulnerability a High risk rating.

Affected Products:
BrightStor Products:
- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not 
  have this vulnerability; please apply r11.5 SP2)
- BrightStor ARCserve Backup r11.1
- BrightStor ARCserve Backup for Windows r11
- BrightStor Enterprise Backup 10.5
- BrightStor ARCserve Backup v9.01   
CA Protection Suites r2:
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business Server 
  Standard Edition r2
- CA Business Protection Suite for Microsoft Small Business Server 
  Premium Edition r2

Affected platforms:
Microsoft Windows

Status and Recommendation: 
Customers with vulnerable versions of BrightStor ARCserve Backup 
products should upgrade to the latest versions which are available 
for download from http://supportconnect.ca.com.
Solution Document Reference APARs: 
QO84609, QI82917, QO84611, QO84610

Determining if you are affected: 
For a list of updated files, and instructions on how to verify 
that the security update was fully applied, please review the 
Informational Solution referenced in the appropriate Solution 
Document.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for BrightStor ARCserve Backup
http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp
Solution Document Reference APARs: 
QO84609, QI82917, QO84611, QO84610
CA Security Advisor Research Blog postings:
http://www3.ca.com/blogs/posting.aspx?id=90744pid=96149date=2006/12
CAID: 34846
CAID Advisory links: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34846
Discoverer: Assurent Secure Technologies
http://www.assurent.com/
CVE Reference: CVE-2006-6379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6379
OSVDB Reference: OSVDB IDs: 30775
http://osvdb.org/30775

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza, Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright © 2006 CA. All rights reserved.

[Full-disclosure] [CAID 34693, 34694]: CA BrightStor ARCserve Backup Multiple Buffer Overflow Vulnerabilities (UPDATED)

2006-10-19 Thread Williams, James K

Our original fixes for the BrightStor ARCserve Backup 
vulnerabilities that we publicly disclosed on 2006-10-05 
(http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744pid=93775date=2006/10)
 
did not completely resolve one of the vulnerabilities. 
Consequently, we have released new fixes that need to be applied. 
Please note that these do not replace the original fixes. Both 
fixes (each release needs two fixes) need to be applied. A revised 
advisory can be found below, and at this link.
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744pid=94397date=2006/10



Title: CAID 34693, 34694: CA BrightStor ARCserve Backup Multiple 
Buffer Overflow Vulnerabilities (UPDATED)

CA Vulnerability ID (CAID): 34693, 34694

CA Advisory Date: 2006-10-05
CA Revised Advisory Date: 2006-10-19

Discovered By: TippingPoint, www.zerodayinitiative.com

Impact: Remote attacker can execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains multiple buffer 
overflow conditions that allow remote attackers to execute 
arbitrary code with local SYSTEM privileges on Windows. These 
issues affect the BrightStor Backup Agent Service, the Job Engine 
Service, and the Discovery Service in multiple BrightStor ARCserve 
Backup application agents and the Base product.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:
BrightStor Products:
- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not 
  have this vulnerability)
- BrightStor ARCserve Backup r11.1
- BrightStor ARCserve Backup for Windows r11
- BrightStor Enterprise Backup 10.5
- BrightStor ARCserve Backup v9.01   
CA Protection Suites r2:
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business Server 
  Standard Edition r2
- CA Business Protection Suite for Microsoft Small Business Server 
  Premium Edition r2

Affected platforms:
Microsoft Windows

Status and Recommendation: 
Customers with vulnerable versions of the BrightStor ARCserve 
Backup products should upgrade to the latest versions which are 
available for download from http://supportconnect.ca.com.
Solution Document Reference APARs: 
QO82860, QO82863, QO82917, QO82856, QO82858

The original fixes did not completely resolve one of the 
vulnerabilities. Consequently, an additional fix needs to be 
applied. Please note that these do not replace the original fixes. 
Both fixes (each release needs two fixes) need to be applied.
Solution Document Reference APARs:
QO83306, QO83307, QO83308, QO83309

Determining if you are affected: 
For a list of updated files, and instructions on how to verify 
that the security update was fully applied, please review the 
Informational Solution referenced in the appropriate Solution 
Document.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for BrightStor ARCserve Backup (Buffer 
Overrun)
http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp
Solution Document Reference APARs: 
QO82860, QO82863, QO82917, QO82856, QO82858, QO83306, QO83307, 
QO83308, QO83309
CA Security Advisor Research Blog postings:
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744pid=93775date=2006/10
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744pid=94397date=2006/10
CAID: 34693, 34694
CAID Advisory links: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34694
Discoverer: TippingPoint
http://www.tippingpoint.com/security/advisories/TSRT-06-11.html
http://www.tippingpoint.com/security/advisories/TSRT-06-12.html
http://www.zerodayinitiative.com/advisories/ZDI-06-030.html
http://www.zerodayinitiative.com/advisories/ZDI-06-031.html
CVE Reference: CVE-2006-5142, CVE-2006-5143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143
OSVDB References: OSVDB IDs: 29580, 29533, 29534, 29535
http://osvdb.org/29580
http://osvdb.org/29533
http://osvdb.org/29534
http://osvdb.org/29535

Changelog for this advisory:
v1.0 - Initial Release
v2.0 - Advisory updated: new fixes available that must be 
   installed, IN ADDITION TO the original fixes, to properly 
   resolve all of the vulnerability issues. Fixed incorrect 
   blog link. Added OSVDB references.

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability 

[Full-disclosure] [CAID 34693, 34694]: CA BrightStor ARCserve Backup Multiple Buffer Overflow Vulnerabilities

2006-10-06 Thread Williams, James K

Title: CAID 34693, 34694: CA BrightStor ARCserve Backup Multiple 
Buffer Overflow Vulnerabilities

CA Vulnerability ID (CAID): 34693, 34694

CA Advisory Date: 2006-10-05

Discovered By: TippingPoint, www.zerodayinitiative.com

Impact: Remote attacker can execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains multiple buffer 
overflow conditions that allow remote attackers to execute 
arbitrary code with local SYSTEM privileges on Windows. These 
issues affect the BrightStor Backup Agent Service, the Job Engine 
Service, and the Discovery Service in multiple BrightStor ARCserve 
Backup application agents and the Base product.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:
BrightStor Products:
- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not 
  have this vulnerability)
- BrightStor ARCserve Backup r11.1
- BrightStor ARCserve Backup for Windows r11
- BrightStor Enterprise Backup 10.5
- BrightStor ARCserve Backup v9.01   
CA Protection Suites r2:
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business Server 
  Standard Edition r2
- CA Business Protection Suite for Microsoft Small Business Server 
  Premium Edition r2

Affected platforms:
Microsoft Windows

Status and Recommendation: 
Customers with vulnerable versions of the BrightStor ARCserve 
Backup products should upgrade to the latest versions which are 
available for download from http://supportconnect.ca.com.
Solution Document Reference APARs: 
QO82860, QO82863, QO82917, QO82856, QO82858

Determining if you are affected: 
For a list of updated files, and instructions on how to verify 
that the security update was fully applied, please review the 
Informational Solution referenced in the appropriate Solution 
Document.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for BrightStor ARCserve Backup (Buffer 
Overrun)
http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp
Solution Document Reference APARs: 
QO82860, QO82863, QO82917, QO82856, QO82858
CA Security Advisor Research Blog posting:
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=93686
CAID: 34693, 34694
CAID Advisory links: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34694
Discoverer: TippingPoint
http://www.tippingpoint.com/security/advisories/TSRT-06-11.html
http://www.tippingpoint.com/security/advisories/TSRT-06-12.html
http://www.zerodayinitiative.com/advisories/ZDI-06-030.html
http://www.zerodayinitiative.com/advisories/ZDI-06-031.html
CVE Reference: CVE-2006-5142, CVE-2006-5143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143
OSVDB Reference: OSVDB ID: pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright © 2006 CA. All rights reserved.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [CAID 34661]: CA Unicenter WSDM File System Read Access Vulnerability

2006-10-03 Thread Williams, James K

Title: CAID 34661: CA Unicenter WSDM File System Read Access 
Vulnerability

CA Vulnerability ID (CAID): 34661

CA Advisory Date: 2006-10-03

Discovered By: 
Oliver Karow, Symantec Security Consultant
oliver_karow at symantec dot com
Richard Sammet, Symantec Security Consultant
richard_sammet at symantec dot com

Impact: Remote attacker can access sensitive information.

Summary: Unicenter Web Services Distributed Management 3.1 uses a 
known vulnerable version of Jetty WebServer, an open source java 
web server. An advisory describing the Jetty WebServer 
vulnerability can be found at 
http://www.securityfocus.com/bid/11330. The vulnerability allows 
a remote attacker to gain full read access on the install 
partitions file system of the Unicenter WSDM host system through a 
directory traversal attack 
[e.g. http://192.168.50.31:8282/..\..\..\..\boot.ini]. 

Mitigating Factors: This is an older vulnerability that was 
addressed in December 2004 with the release of Unicenter Web 
Services Distributed Management (WSDM) 3.11.

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
CA Unicenter Web Services Distributed Management (WSDM) 3.1

Affected platforms:
Red Hat Linux
Solaris
SUSE Linux
Microsoft Windows

Status and Recommendation: 
This vulnerability was addressed in December 2004 with the release 
of Unicenter Web Services Distributed Management (WSDM) 3.11. 
Customers using Unicenter WSDM 3.1 should upgrade to WSDM 3.11 or 
later through the CA SupportConnect web site at 
http://supportconnect.ca.com. 

Determining if you are affected: 
The WSDM version in use can be determined by viewing the 
downloaded package name. Search for files named CAWSDM_3_1.xxx.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for CA Unicenter WSDM (File System Read 
Access Vulnerability)
http://supportconnectw.ca.com/public/ca_common_docs/wsdmvuln_notice.asp
CAID: 34661
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34661
Discoverer: Symantec
http://www.symantec.com
CVE Reference: CVE-2004-2478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2478
OSVDB Reference: OSVDB ID: 10490
http://osvdb.org/10490

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One Computer Associates Plaza. Islandia, NY 11749


[Full-disclosure] [CAID 34616, 34617, 34618]: CA eSCC and eTrust Audit vulnerabilities

2006-09-21 Thread Williams, James K

Title: CAID 34616, 34617, 34618: CA eTrust Security Command Center 
and eTrust Audit vulnerabilities

CA Vulnerability ID (CAID): 34616, 34617, 34618

CA Advisory Date: 2006-09-20

Discovered By: 
Patrick Webster of aushack.com

Impact: Remote attacker can read/delete files, or potentially 
execute replay attacks.

Summary: CA eTrust Security Command Center (eSCC) and eTrust Audit 
contain multiple remotely exploitable vulnerabilities.
o The first vulnerability allows attackers to discover the web 
  server path on Windows platforms.  This vulnerability affects 
  eTrust Security Command Center Server component versions 1.0, 
  r8, r8 SP1 CR1, and r8 SP1 CR2.
o The second vulnerability allows attackers to read and delete 
  arbitrary files from the host server with permissions of the 
  service account. This vulnerability affects eTrust Security 
  Command Center Server component versions r8, r8 SP1 CR1, and 
  r8 SP1 CR2.
o The third vulnerability allows attackers to potentially execute 
  external replay attacks. To mitigate this vulnerability, users 
  should utilize perimeter firewalls to block access to the event 
  system. This vulnerability affects eTrust Security Command 
  Center Server component versions 1.0, r8, r8 SP1 CR1, and 
  r8 SP1 CR2, and eTrust Audit versions 1.5 and r8.

Mitigating Factors: Attacker must have valid authentication 
credentials to read or delete files, as described in the second 
vulnerability above.

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
CA eTrust Security Command Center 1.0
CA eTrust Security Command Center r8
CA eTrust Security Command Center r8 SP1 CR1
CA eTrust Security Command Center r8 SP1 CR2
CA eTrust Audit 1.5
CA eTrust Audit r8 

Affected platforms:
Microsoft Windows

Status and Recommendation: 
Apply the appropriate patch to eTrust Security Command Center to 
address the first and second vulnerabilities described above. 
Patch URL (note that URL may wrap): 
http://supportconnectw.ca.com/public/etrust/etrust_scc/downloads/etrustscc_updates.asp
For the third vulnerability, utilize perimeter firewalls to block 
access to the event system.

Determining if you are affected:
Check the registry version key.
HKEY_LOCAL_MACHINE\SOFTWARE
\ComputerAssociates\eTrust Security Command Center
Look for Version key:
Version 1.0.15 (eTrust Security Command Center 1.0)
Version 8.0.11 (eTrust Security Command Center r8)
Version 8.0.25 (eTrust Security Command Center r8 SP1 CR1)
Version 8.0.25.8 (eTrust Security Command Center r8 SP1 CR2)

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for these vulnerabilities:
http://supportconnectw.ca.com/public/etrust/etrust_scc/infodocs/etrustscc_notice.asp
CAID: 34616, 34617, 34618
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34616
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34617
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34618
Discoverer (Patrick Webster from aushack.com): 
http://users.tpg.com.au/adsl2dvp/advisories/200608-computerassociates.txt
CVE References: CVE-2006-4899, CVE-2006-4900, CVE-2006-4901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4901
OSVDB References: OSVDB IDs: 29009, 29010, 29011
http://osvdb.org/29009
http://osvdb.org/29010
http://osvdb.org/29011

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One Computer Associates Plaza. Islandia, NY 11749



[Full-disclosure] CAID 34509 - CA eTrust Antivirus WebScan vulnerabilities

2006-08-04 Thread Williams, James K

Title: CA eTrust Antivirus WebScan vulnerabilities

CA Vulnerability ID (CAID): 34509

CA Advisory Date: 2006-08-03

Discovered By: 
Matt Murphy of the TippingPoint Security Research Team

Impact: Remote attacker can execute arbitrary code.

Summary: CA eTrust Antivirus WebScan is a free, web-based virus 
scanner that is located at 
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx.  CA eTrust 
Antivirus WebScan v1.1.0.1047 and earlier contains vulnerabilities 
that can allow a remote attacker to execute arbitrary code or 
compromise the integrity of the WebScan software.  The first 
vulnerability is due to a failure to properly validate parameters.  
The second vulnerability is due to a buffer overflow in WebScan.  
Matt Murphy has identified multiple attack vectors that exploit 
these vulnerabilities.

Mitigating Factors: Exploitation of these vulnerabilities is 
non-trivial.

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
CA eTrust Antivirus WebScan v1.1.0.1047 and earlier

Affected platforms:
Internet Explorer 4.0 or above on Microsoft Windows

Status and Recommendation: 
CA eTrust Antivirus WebScan v1.1.0.1048 addresses all of the 
vulnerabilities.
Visit http://www3.ca.com/securityadvisor/virusinfo/scan.aspx and 
allow Internet Explorer to install the new webscan.cab software.  
Note that the software is digitally signed by CA.
Alternatively, you can simply remove an older, vulnerable object
by using one of these two methods:
a)  Start Internet Explorer, and then select Tools > Internet 
Options > General tab.  On the General tab, click on the 
Settings button in the Temporary Internet Files section.  On 
the Settings dialog window, click on the button labeled View 
Objects and then right-click on the WScanCtl Class object and 
select the Remove option.
b)  Open an Explorer window and browse to 
system\downloaded program files.  Then right-click on the 
WScanCtl Class object and select the Remove option.

Determining if you are affected:
Browse to the C:\WINDOWS\Downloaded Program Files or 
C:\WINNT\Downloaded Program Files folder and check the version 
number of the WScanCtl Class object.  If the version number is 
less than 1,1,0,1048, you need to update the ActiveX control.
Another way to determine if you are affected is to start Internet 
Explorer, and then select Tools > Internet Options > General 
tab.  On the General tab, click on the Settings button in the 
Temporary Internet Files section.  On the Settings dialog 
window, click on the button labeled View Objects and then check 
the version of the WScanCtl Class object.  If the version number 
is less than 1,1,0,1048, you need to update the ActiveX control.

Note that v1.1.0.1045 is the last version that was widely 
distributed.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CAID: 34509
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509
ZDI, founded by 3Com and TippingPoint: 
http://www.zerodayinitiative.com/
CVE Reference: Pending
http://cve.mitre.org/
OSVDB Reference: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


CA, One Computer Associates Plaza. Islandia, NY 11749



[Full-disclosure] CAID 34325 - CA ITM, eAV, ePP scan job description field format string vulnerability

2006-06-27 Thread Williams, James K

Title: CAID 34325 - CA ITM, eAV, ePP scan job description field format 
string vulnerability

CA Vulnerability ID: 34325

CA Advisory Date: 2006-06-26

Discovered By: Deral Heiland (www.layereddefense.com)


Impact: Attackers can cause a denial of service condition or possibly 
execute arbitrary code.


Summary: CA Integrated Threat Management, eTrust Antivirus, and eTrust 
PestPatrol contain a vulnerability that can allow attackers to cause a 
denial of service condition or possibly execute arbitrary code. The 
vulnerability is due to improper processing of format strings in the 
description field of a scan job. An attacker, who can create a scan job 
containing format string directives, can potentially overwrite memory 
to cause a crash or execute arbitrary code.


Mitigating Factors: None


Severity: CA has given this vulnerability a Medium risk rating.


Affected Products: 
CA Integrated Threat Management r8
eTrust Antivirus r8
eTrust PestPatrol Anti-spyware Corporate Edition r8


Status and Recommendation: This vulnerability is addressed in Content 
Update build 432. Use the content update mechanism to install this 
update.


References: (URLs may wrap)

CA SupportConnect:
http://supportconnect.ca.com/

Client GUI Vulnerability Content Update - build 432
http://supportconnectw.ca.com/public/eitm/infodocs/etrustitmvuln-contentupdate.asp

CAID: 34325
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34325

CVE Reference: 
CVE-2006-3223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3223

OSVDB Reference: 
OSVDB-26654 http://osvdb.org/26654


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


CA, One Computer Associates Plaza. Islandia, NY 11749



[Full-disclosure] CAID 34013 - CA Common Services CAIRIM on z/OS LMP SVC vulnerability

2006-05-05 Thread Williams, James K



Title: CAID 34013 - CA Common Services CAIRIM on z/OS LMP SVC 
vulnerability

CA Vulnerability ID: 34013

CA Advisory Date: 2006-05-02

Discovered By: IBM Global Services


Impact: Local attacker can gain escalated privileges.


Summary: 
A potential vulnerability issue exists in our CAIRIM LMP 
solution for z/OS. CAIRIM is delivered as part of CA's z/OS Common 
Services, and the LMP component provides licensing services to 
many of CA's z/OS solutions. IBM Global Services discovered an 
integrity problem, which could be exploited by an expert user of a 
z/OS system that utilizes CA's CAIRIM LMP component. We worked 
with IBM Global Services to understand the nature of the problem 
and to make certain that the remedy we have now provided addresses 
the problem completely.

CA has confirmed the presence of this vulnerability and has 
developed a corrective update that provides comprehensive 
protection for our customers. Additional Quality Assurance testing 
has been completed and an official published solution has been 
made available as of 2006-05-02.

The vulnerability is an integrity exposure associated with the way 
the CAIRIM LMP SVC operates in conjunction with the legitimate SVC 
invoking code. An attacker can potentially utilize a problem state 
program to take advantage of this integrity exposure and obtain 
supervisor state, key 0. Once the attacker achieves supervisor 
state, key 0, he could possibly then update any system memory 
areas he chooses. An attacker can use a carefully crafted program 
in supervisor state to potentially compromise system security 
settings and gain unauthorized access to other system related 
resources. Although recently discovered, this exposure has been 
present in the CAIRIM LMP code since its inception.


Mitigating Factors: Attacker must have (access to) an account on 
the system.  Also, target system must be running CAIRIM LMP on a 
z/OS platform.


Severity: CA has given this vulnerability a Medium risk rating.


Affected Technologies: The LMP subcomponent of the CAIRIM v1.0
component in CA Common Services. 


Affected Products (CA z/OS Solutions that use CAIRIM LMP):

CA-11-MVS
CA-1-MVS
CA-24 X 7 FOR DB2 FOR MVS
CA-7/REPORT BALANCING-MVS
CA-7/SMART CONSOLE-MVS
CA-7-MVS
CA-ACF2-MVS
CA-ADS/ONLINE-MVS
CA-ADVANCED DATA COMPRESSION
CA-ADVANTAGE EDBC CLIENT
CA-ALLOCATE
CA-APAS/INSIGHT FOR MVS
CA-APCDDS-MVS
CA-ASM2-MVS
CA-ASTEX
CA-AUTOMATED CONVERSATION LANG
CA-BATCH PROCESSOR
CA-BIND ANALYZER
CA-BUNDL
CA-CA-NETMASTER
CA-CICSORT-MVS
CA-COBOLVISION/ANALYZER-MVS
CA-COMPILE
CA-COOL:GEN
CA-CORP TIE UNATTENDED MODE
CA-CORPORATE TIE
CA-CREWS FOR MVS
CA-CULPRIT
CA-DADS/PLUS-MVS
CA-DATA BASE
CA-DATA COMPRESSOR
CA-DATA NAVIGATOR
CA-DATA REFLECTOR FOR DB2
CA-DATACOM
CA-DATAMACS-MVS
CA-DATAQUERY-MVS
CA-DB ANALYZER FOR IMS
CA-DB COMPRESS FOR IMS
CA-DC MONITOR EXTENSIONS
CA-DELIVER
CA-DETECTOR
CA-DISK FOR OS/390
CA-DISPATCH-MVS
CA-DL1 ONLINE FOR IMS
CA-DUO-MVS
CA-DYNAM/TLMS-MVS
CA-EARL
CA-EASYTRIEVE PLUS
CA-EDBC
CA-EDP/AUDITOR-MVS
CA-ENDEVOR/MVS
CA-EXAMINE-MVS
CA-EXECUTION FACILITY
CA-EXTEND/DASD MVS
CA-EZTEST/CICS-MVS
CA-FAST
CA-FASTDASD
CA-FAVER FOR MVS
CA-FILE MASTER
CA-FILESAVE-MVS
CA-FIX/2000 FOR COBOL MVS
CA-GOVERNOR FACILITY
CA-HIGH PERFORMANCE
CA-HYPER-BUF FOR MVS
CA-ICMS-MVS
CA-IDEAL
CA-IDMS-MVS
CA-IMPACT/2000
CA-INDEX EXPERT
CA-INFO/MASTER
CA-INFOREFINER
CA-INFOTRANSPORT
CA-INSIGHT FOR DB2
CA-INTERTEST-MVS
CA-INVENTORY/2000 MVS
CA-JARS-MVS
CA-JCLCHECK-MVS
CA-JOBLOG MANAGEMENT  RETRIEV
CA-JOBTRAC
CA-LIBRARIAN
CA-LIBRARY OF ROUTINES
CA-LOG ANALYZER
CA-LOG COMPRESS
CA-LOOK
CA-LPD INTERFACE
CA-MAILBOX OPTION
CA-MASTERCAT MVS
CA-MAZDAMON-MVS
CA-MERGE/MODIFY
CA-MICS
CA-MINDOVER-MVS
CA-MULTI-IMAGE MANAGE MVS
CA-NETMAN-MVS
CA-NETMASTER
CA-NETSPY NETWORK PERFORMANCE
CA-NETWORKIT SOCKETVIEW
CA-NEUPERFORMANCE ADVISOR
CA-N-VISION VIEW OPTION
CA-OBJECT
CA-ONLINE QUERY-MVS
CA-ONLINEREORG
CA-OPERA-MVS
CA-OPS\MVS
CA-OPTIMIZER
CA-PACKAGE/IT
CA-PAN/APT
CA-PAN/LCM-CONFIG-MGR-MVS
CA-PAN/MERGE
CA-PAN/SQL (RDBII) FOR MVS
CA-PANAUDIT PLUS
CA-PANEXEC
CA-PANVALET
CA-PARTITION EXPERT
CA-PASS-THRU PRINTER SUPPORT
CA-PDSMAN
CA-PLAN ANALYZER
CA-PLATINUM REPOSITORY
CA-PLEU FOR MVS
CA-PMA/CHARGEBACK-MVS
CA-POINTER EDITOR FOR IMS
CA-PPS FOR XEROX
CA-PREVAIL/XP
CA-PROAUDIT-MVS
CA-PROBUILD-MVS
CA-PROEDIT/DB2-MVS
CA-PROGRAM MANAGEMENT OPTIMIZE
CA-PROOPTIMIZE
CA-PROSECURE-MVS
CA-QUERY ANALYZER
CA-QUICK COPY
CA-QUICK-FETCH MVS
CA-QUIKSERV FOR VSAM
CA-RAMIS MVS
CA-RANDOMIZER ANALYSIS PROGRAM
CA-RAPID REORG
CA-RAPS-MVS
CA-RC
CA-REALIA II
CA-RECOVERY ANALYZER
CA-REMOTE CONSOLE
CA-REPORT FACILITY
CA-REPOSITORY
CA-RI
CA-ROSCOE-MVS
CA-RSVP
CA-SCHEDULER-MVS
CA-SECONDARY INDEX
CA-SHAREOPTION/5-MVS
CA-SOLVE EPS-SPOOL CONVER CODE
CA-SOLVE:ACCESS
CA-SOLVE:CPT
CA-SOLVE:FTS
CA-SOLVE:LINK FOR DB2 (EDBS)
CA-SOLVE:NETMAIL
CA-SOLVE:OPERATIONS
CA-SOLVE:X.25
CA-SORT-MVS
CA-SPACEMAN FOR MVS
CA-SPOOL
CA-SQL EASE
CA-SRAM-MVS
CA-SUBSYSTEM ANALYZER
CA-SYMDUMP
CA-SYSLOG MANAGEMENT  

[Full-disclosure] CAID 33581 - CA Message Queuing Denial of Service Vulnerabilities

2006-02-02 Thread Williams, James K

Title: CAID 33581 - CA Message Queuing Denial of Service 
Vulnerabilities

CA Vulnerability ID: 33581

CA Advisory Date: 2006-02-02

Discovered By: Nicolas Pouvesle of Tenable Network Security


Impact: Remote attacker can cause a denial of service condition.


Summary: The following two security vulnerability issues have been 
identified in the CA Message Queuing (CAM / CAFT) software:
1) CAM is vulnerable to a Denial of Service (DoS) attack when a 
specially crafted message is received on TCP port 4105.
2) CAM is vulnerable to a Denial of Service (DoS) through the 
spoofing of CAM control messages.


Mitigating Factors: None.


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Technologies: Please note that the CA Message Queuing 
(CAM / CAFT) software is not a product, but rather a common 
component that is included with multiple products.  All versions 
of the CA Message Queuing software prior to v1.07 Build 220_16 and 
v1.11 Build 29_20 on the specified platforms are affected.  The CA 
Message Queuing software is included in the following CA products, 
which are consequently potentially vulnerable.


Affected Products:

Advantage Data Transport 3.0
BrightStor SAN Manager 1.1, 1.1 SP1, 1.1 SP2, 11.1
BrightStor Portal 11.1
CleverPath OLAP 5.1
CleverPath ECM 3.5
CleverPath Predictive Analysis Server 2.0, 3.0
CleverPath Aion 10.0
eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1
Unicenter Application Performance Monitor 3.0, 3.5
Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 
4.0 SP1
Unicenter Data Transport Option 2.0
Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2
Unicenter Jasmine 3.0
Unicenter Management for WebSphere MQ 3.5
Unicenter Management for Microsoft Exchange 4.0, 4.1
Unicenter Management for Lotus Notes/Domino 4.0
Unicenter Management for Web Servers 5, 5.0.1
Unicenter NSM 3.0, 3.1
Unicenter NSM Wireless Network Management Option 3.0
Unicenter Remote Control 6.0, 6.0 SP1
Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5
Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 
4.0 SP1
Unicenter TNG 2.1, 2.2, 2.4, 2.4.2
Unicenter TNG JPN 2.2


Affected platforms:
AIX, DG Intel, DG Motorola, DYNIX, OSF1, HP-UX, IRIX, Linux Intel, 
Linux s/390, Solaris Intel, Solaris Sparc, UnixWare and Windows.


Platforms NOT affected:
AS/400, MVS, NetWare, OS/2 and OpenVMS.


Status and Recommendation: 
(note that URLs below may wrap)
CA strongly recommends the application of the appropriate patch 
listed below.
CAM v1.11 prior to Build 29_20
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_cam111fixes.asp
CAM v1.07 prior to Build 220_16
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_cam107fixes.asp
CAM v1.05 (any version)
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_cam107fixes.asp

Customers wishing to patch their Master Image CD sets should refer 
to the solution areas on the product home pages.
http://supportconnectw.ca.com/main.asp

Frequently Asked Questions (FAQ) related to this security update
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_FAQ.asp

For USD/SDO Packages and UAM/AMO Definitions information, please 
refer to the SupportConnect Security Notice and FAQ.
CA Message Queuing Security Notice
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_notice.asp


Determining CAM versions:

Simply running camstat will return the version information in the 
top line of the output on any platform. The camstat command is 
located in the bin subfolder of the installation directory.

The example below indicates that CAM version 1.11 build 27 
increment 2 is running.

E:\camstat
CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16

Determining the CAM install directory:

Windows: the install location is specified by the %CAI_MSQ% 
environment variable
Unix/Linux/Mac: the /etc/catngcampath text file holds the CAM 
install location 


References: 
(note that URLs may wrap)
CA SupportConnect:
http://supportconnect.ca.com/
CA Message Queuing Security Notice
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_notice.asp
CAM / CAFT Security Notice Frequently Asked Questions
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_FAQ.asp

CAID: 33581
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33581

CVE Reference: Pending
http://cve.mitre.org/

OSVDB Reference: 
OSVDB-21146 http://osvdb.org/21146
OSVDB-21147 http://osvdb.org/21147


Changelog:
v1.0 - Initial Release


Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: 
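
The camstat check described under "Determining CAM versions" above, written out as an added example; it is not part of the original advisory and not CA tooling. The function names are hypothetical, and reading "prior to Build 29_20" as a numeric (build, increment) comparison is an assumption based on the advisory's own reading of "Build 27_2" as build 27 increment 2.

```python
import re

# Fixed builds named in the advisory, keyed by CAM (major, minor) version.
# "29_20" is held as (build 29, increment 20) so that comparisons are
# numeric: as text, "29_3" would wrongly sort after "29_20".
FIXED_BUILDS = {
    (1, 11): (29, 20),
    (1, 7): (220, 16),
}

# The advisory lists CAM v1.05 as affected in any build.
ALWAYS_AFFECTED = {(1, 5)}

# Banner layout taken from the sample line in the advisory.
BANNER_RE = re.compile(
    r"^CAM - (?P<host>\S+) Version (?P<major>\d+)\.(?P<minor>\d+) "
    r"\(Build (?P<build>\d+)_(?P<incr>\d+)\)"
)


def parse_camstat_banner(output):
    """Return (host, (major, minor), (build, increment)) from camstat output.

    The banner is the top line of camstat output, but captured text often
    starts with the shell prompt, so the first matching line is used.
    """
    for line in output.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            version = (int(m["major"]), int(m["minor"]))
            build = (int(m["build"]), int(m["incr"]))
            return m["host"], version, build
    raise ValueError("no CAM version banner found in camstat output")


def assess(output):
    """Classify one host's camstat output against the advisory's fixed builds.

    status is "affected", "fixed", or "unknown" (a version branch the
    advisory does not mention, which needs a manual look).
    """
    host, version, build = parse_camstat_banner(output)
    if version in ALWAYS_AFFECTED:
        status = "affected"
    elif version in FIXED_BUILDS:
        status = "affected" if build < FIXED_BUILDS[version] else "fixed"
    else:
        status = "unknown"
    return {"host": host, "version": version, "build": build, "status": status}


# Sample output as shown in the advisory (prompt line plus banner).
PAGE_SAMPLE = r"""E:\camstat
CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16
"""

# Constructed banners for the remaining branches; hosts are placeholders.
CONSTRUCTED_SAMPLES = [
    "CAM - host-a.example Version 1.11 (Build 29_3) up 2 days 4:10",
    "CAM - host-b.example Version 1.11 (Build 29_20) up 0 days 0:05",
    "CAM - host-c.example Version 1.07 (Build 220_16) up 9 days 3:00",
    "CAM - host-d.example Version 1.05 (Build 190_4) up 1 days 7:45",
]

if __name__ == "__main__":
    for text in [PAGE_SAMPLE] + CONSTRUCTED_SAMPLES:
        result = assess(text)
        print("{host}: CAM {version} build {build} -> {status}".format(**result))
```
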

[Full-disclosure] CAID 33778 - CA iGateway Content-Length Buffer Overflow Vulnerability [v1.1]

2006-01-26 Thread Williams, James K

Please see below for important changes to CAID 33778.
Changelog is near end of advisory.

Regards,
Ken Williams


Title: CAID 33778 - CA iGateway Content-Length Buffer Overflow 
Vulnerability [v1.1]

CA Vulnerability ID: 33778

CA Advisory Date: 2006-01-23
Updated Advisory [v1.1]: 2006-01-26

Discovered By: Erika Mendoza reported this issue to iDefense.


Impact: Remote attacker can execute arbitrary code with SYSTEM 
privileges.


Summary: The CA iGateway common component, which is included with 
several CA products for UNIX/Linux/Windows platforms, contains a 
buffer overflow vulnerability that can allow arbitrary code to be 
executed remotely with SYSTEM privileges on Windows, and cause 
iGateway component failure on UNIX and Linux platforms.


Mitigating Factors: None.


Severity: CA has given this vulnerability a Medium risk rating.


Affected Technologies: Please note that the iGateway component is
not a product, but rather a common component that is included 
with multiple products.  The iGateway component is included in 
the following CA products, which are consequently potentially 
vulnerable.  Note that iGateway component versions older than 
4.0.051230 are vulnerable to this issue.


Affected Products:

BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup for Windows r11
BrightStor Enterprise Backup 10.5
BrightStor ARCserve Backup v9.01
BrightStor ARCserve Backup Laptop & Desktop r11.1
BrightStor ARCserve Backup Laptop & Desktop r11
BrightStor Process Automation Manager r11.1
BrightStor SAN Manager r11.1
BrightStor SAN Manager r11.5
BrightStor Storage Resource Manager r11.5
BrightStor Storage Resource Manager r11.1
BrightStor Storage Resource Manager 6.4
BrightStor Storage Resource Manager 6.3
BrightStor Portal 11.1

Note to BrightStor Storage Resource Manager and BrightStor Portal
users: In addition to the application servers where these products 
are installed, all hosts that have iSponsors deployed to them for 
managing applications like Veritas Volume Manager and Tivoli TSM 
are also affected by this vulnerability.

eTrust Products:
eTrust Audit 1.5 SP2 (iRecorders and ARIES)
eTrust Audit 1.5 SP3 (iRecorders and ARIES)
eTrust Audit 8.0 (iRecorders and ARIES)
eTrust Admin 8.1
eTrust Identity Minder 8.0
eTrust Secure Content Manager (SCM) R8
eTrust Integrated Threat Management (ITM) R8
eTrust Directory, R8.1 (Web Components Only)

Unicenter Products:
Unicenter CA Web Services Distributed Management R11
Unicenter AutoSys JM R11
Unicenter Management for WebLogic / Management for WebSphere R11
Unicenter Service Delivery R11
Unicenter Service Level Management (USLM) R11
Unicenter Application Performance Monitor R11
Unicenter Service Desk R11
Unicenter Service Desk Knowledge Tools R11
Unicenter Asset Portfolio Management R11
Unicenter Service Metric Analysis R11
Unicenter Service Catalog/Assure/Accounting R11
Unicenter MQ Management R11
Unicenter Application Server Management R11
Unicenter Web Server Management R11
Unicenter Exchange Management R11


Affected platforms:
AIX, HP-UX, Linux Intel, Solaris, and Windows


Status and Recommendation: 
Customers with vulnerable versions of the iGateway component 
should upgrade to the current version of iGateway (4.0.051230 or 
later), which is available for download from the following 
locations:
http://supportconnect.ca.com/
ftp://ftp.ca.com/pub/iTech/downloads/


Determining the version of iGateway:
To determine the version numbers of the iGateway components:

Go to the igateway directory:

On Windows, this is %IGW_LOC%
Default path for v3.*: C:\Program Files\CA\igateway
Default path for v4.*: 
C:\Program Files\CA\SharedComponents\iTechnology

On Unix:
Default path for v3.*:  /opt/CA/igateway
Default path for v4.*:  the install directory path is contained in 
opt/CA/SharedComponents/iTechnology.location.
The default path is /opt/CA/SharedComponents/iTechnology

Look at the Version element in igateway.conf.

The versions are affected by this vulnerability if you see 
a value LESS THAN the following: 
<Version>4.0.051230</Version>  (note the format of v.s.YYMMDD)


References: 
(note that URLs may wrap)
CA SupportConnect:
http://supportconnect.ca.com/
http://supportconnectw.ca.com/public/ca_common_docs/igatewaysecurity_notice.asp

CAID: 33778
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33778

CVE Reference: CVE-2005-3653
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3653

OSVDB Reference: OSVDB-22688
http://osvdb.org/22688

iDefense Reference:
Computer Associates iTechnology iGateway Service Content-Length 
Buffer Overflow
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=376


Changelog:
v1.0 - Initial Release
v1.1 - Removed several unaffected technologies; added more 
reference links.


Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this 

[Full-disclosure] CAID 33778 - CA iGateway Content-Length Buffer Overflow Vulnerability

2006-01-23 Thread Williams, James K

Title: CAID 33778 - CA iGateway Content-Length Buffer Overflow 
Vulnerability 

CA Vulnerability ID: 33778

CA Advisory Date: 2006-01-23

Discovered By: Erika Mendoza reported this issue to iDefense.


Impact: Remote attacker can execute arbitrary code with SYSTEM 
privileges.


Summary: The CA iGateway common component, which is included with 
several CA products for UNIX/Linux/Windows platforms, contains a 
buffer overflow vulnerability that can allow arbitrary code to be 
executed remotely with SYSTEM privileges on Windows, and cause 
iGateway component failure on UNIX and Linux platforms.


Mitigating Factors: None.


Severity: CA has given this vulnerability a Medium risk rating.


Affected Technologies: Please note that the iGateway component is
not a product, but rather a common component that is included 
with multiple products.  The iGateway component is included in 
the following CA products, which are consequently potentially 
vulnerable.  Note that iGateway component versions older than 
4.0.051230 are vulnerable to this issue.


Affected Products:

Business Services Optimization (BSO) Products:
Advantage Data Transformer (ADT) R2.2
Harvest Change Manager R7.1

BrightStor Products:
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup for Windows r11
BrightStor Enterprise Backup 10.5
BrightStor ARCserve Backup v9.01
BrightStor ARCserve Backup Laptop & Desktop r11.1
BrightStor ARCserve Backup Laptop & Desktop r11
BrightStor Process Automation Manager r11.1
BrightStor SAN Manager r11.1
BrightStor SAN Manager r11.5
BrightStor Storage Resource Manager r11.5
BrightStor Storage Resource Manager r11.1
BrightStor Storage Resource Manager 6.4
BrightStor Storage Resource Manager 6.3
BrightStor Portal 11.1

Note to BrightStor Storage Resource Manager and BrightStor Portal
users: In addition to the application servers where these products 
are installed, all hosts that have iSponsors deployed to them for 
managing applications like Veritas Volume Manager and Tivoli TSM 
are also affected by this vulnerability.

eTrust Products:
eTrust Audit 1.5 SP2 (iRecorders and ARIES)
eTrust Audit 1.5 SP3 (iRecorders and ARIES)
eTrust Audit 8.0 (iRecorders and ARIES)
eTrust Admin 8.1
eTrust Identity Minder 8.0
eTrust Secure Content Manager (SCM) R8
eTrust Integrated Threat Management (ITM) R8
eTrust Directory R8.1 (Web Components Only)

Unicenter Products:
Unicenter CA Web Services Distributed Management R11
Unicenter AutoSys JM R11
Unicenter Management for WebLogic / Management for WebSphere R11
Unicenter Service Delivery R11
Unicenter Service Level Management (USLM) R11
Unicenter Application Performance Monitor R11
Unicenter Service Desk R11
Unicenter Service Desk Knowledge Tools R11
Unicenter Service Fulfillment 2.2
Unicenter Service Fulfillment R11
Unicenter Asset Portfolio Management R11
Unicenter Service Matrix Analysis R11
Unicenter Service Catalog/Fulfillment/Accounting R11
Unicenter MQ Management R11
Unicenter Application Server Management R11
Unicenter Web Server Management R11
Unicenter Exchange Management R11


Affected platforms:
AIX, HP-UX, Linux Intel, Solaris, and Windows


Status and Recommendation: 
Customers with vulnerable versions of the iGateway component 
should upgrade to the current version of iGateway (4.0.051230 or 
later), which is available for download from the following 
locations:
http://supportconnect.ca.com/
ftp://ftp.ca.com/pub/iTech/downloads/


Determining the version of iGateway:
To determine the version numbers of the iGateway components:

Go to the igateway directory:

On Windows, this is %IGW_LOC%
Default path for v3.*: C:\Program Files\CA\igateway
Default path for v4.*: 
C:\Program Files\CA\SharedComponents\iTechnology

On Unix:
Default path for v3.*:  /opt/CA/igateway
Default path for v4.*:  the install directory path is contained in 
opt/CA/SharedComponents/iTechnology.location.
The default path is /opt/CA/SharedComponents/iTechnology

Look at the Version element in igateway.conf.

The versions are affected by this vulnerability if you see 
a value LESS THAN the following: 
<Version>4.0.051230</Version>  (note the format of v.s.YYMMDD)


References: 
CA SupportConnect:
http://supportconnect.ca.com/

CAID: 33778
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33778

CVE Reference: CVE-2005-3653
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3653

OSVDB Reference: OSVDB-22688
http://osvdb.org/22688

iDefense Reference:
http://www.idefense.com/intelligence/vulnerabilities/


Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: 
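
The version check described under "Determining the version of iGateway", as an added example that is not part of the original advisory or CA's tooling. It also applies the 4.0.050615 threshold from the CAID 33485 advisory on this page; the sample igateway.conf text is constructed, and only the Version element and the v.s.YYMMDD format come from the advisory.

```python
import re
import sys
from typing import Dict, NamedTuple


class IGatewayVersion(NamedTuple):
    major: int
    minor: int
    build_date: int  # YYMMDD read as an integer (051230 -> 51230)


# First fixed iGateway version named by each advisory on this page.
FIRST_FIXED = {
    "CAID 33778": "4.0.051230",  # Content-Length buffer overflow
    "CAID 33485": "4.0.050615",  # debug-mode HTTP GET buffer overflow
}

_VERSION_ELEMENT = re.compile(r"<Version>\s*([^<\s]+)\s*</Version>", re.IGNORECASE)
_VS_DATE = re.compile(r"(\d+)\.(\d+)\.(\d{6})")

# Constructed sample: only the Version element is taken from the advisory,
# the surrounding element name is a placeholder.
SAMPLE_CONF = """\
<iGatewayConfig>
  <Version>4.0.050712</Version>
</iGatewayConfig>
"""


def parse_version(text: str) -> IGatewayVersion:
    """Parse a v.s.YYMMDD string, rejecting anything in another shape."""
    match = _VS_DATE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not in v.s.YYMMDD format: {text!r}")
    major, minor, build_date = (int(part) for part in match.groups())
    return IGatewayVersion(major, minor, build_date)


def extract_version(conf_text: str) -> IGatewayVersion:
    """Return the version from the first Version element in igateway.conf."""
    match = _VERSION_ELEMENT.search(conf_text)
    if match is None:
        raise ValueError("no <Version> element found")
    return parse_version(match.group(1))


def assess(conf_text: str) -> Dict[str, bool]:
    """Map each advisory to True when the installed version is affected.

    Tuples compare field by field, so any 3.x install sorts below 4.0.x.
    Comparing YYMMDD as an integer assumes every build date is in 20YY.
    """
    installed = extract_version(conf_text)
    return {
        caid: installed < parse_version(fixed)
        for caid, fixed in FIRST_FIXED.items()
    }


if __name__ == "__main__":
    # Pass the path to igateway.conf, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            conf = handle.read()
    else:
        conf = SAMPLE_CONF
    for caid, affected in assess(conf).items():
        print(f"{caid}: {'AFFECTED, upgrade iGateway' if affected else 'not affected'}")
```
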

[Full-disclosure] CAID 33756 - DM Deployment Common Component Vulnerabilities

2006-01-18 Thread Williams, James K


Title: CAID 33756 - DM Deployment Common Component
Vulnerabilities

CA Vulnerability ID: 33756

Discovery Date: 2005-12-20

CA Advisory Date: 2006-01-17

Discovered By: Cengiz Aykanat (CA internal audit), and 
Karma[at]DesignFolks[dot]com[dot]au.


Impact: Remote attacker can cause a denial of service condition.


Summary: The following security vulnerability issues have been 
identified in the DM Primer part of the DM Deployment Common 
Component being distributed with some CA products:
1) A Denial of Service (DoS) vulnerability has been identified in 
the handling of unrecognized network messages, which may result 
in high CPU utilization and excessive growth of the DM Primer 
log file.
2) A Denial of Service (DoS) vulnerability has been identified 
with the way in which DM Primer handles receipt of large rogue 
network messages, which can result in DM Primer becoming 
unresponsive. 


Severity: Computer Associates has given this vulnerability a 
Medium risk rating.


Mitigating Factors: These vulnerabilities will only be present if 
you have utilized the DM Deployment mechanism (bundled with the 
affected products) to deploy those products within your 
enterprise environment.


Affected Technologies: Please note that the DM Primer component 
is not a product, but rather a common component that is included 
with multiple products.  Vulnerable versions of the DM Primer 
component are included in the CA products listed in the Affected 
Products section below.  DM Primer component versions v1.4.154 
and v1.4.155 are vulnerable to these issues.  These 
vulnerabilities are not present in DM Primer v11.0 or later.


Affected Products:
- BrightStor Mobile Backup r4.0
- BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, 
r11.1 SP1
- Unicenter Remote Control 6.0, 6.0 SP1
- CA Desktop Protection Suite r2
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business 
Server Standard Edition r2
- CA Business Protection Suite for Microsoft Small Business 
Server Premium Edition r2
- CA Business Protection Suite for Midsize Business for Windows 
r2


Affected platforms:
Windows


Platforms NOT affected:
This version of DM Primer is not supported on any other 
platforms.


Status and Recommendation: 
Since this version of DM Primer is only utilized for the initial 
installation of the products, the above vulnerabilities can be 
addressed by simply removing the DM Primer Service after 
deployment.  To remove the DM Primer component follow the 
instructions below:

dmprimer remove -f:

will force the removal of a local DM Primer service,

dmsweep -a1:remotecomp -dp:force

will force the removal of the DM Primer service from a remote 
computer called remotecomp.

The dmsweep command will be available on the DM Deployment 
machine (usually the host for the product manager with which it 
was bundled).  It can take a machine name, an ip address, or a 
range of ip addresses.  Some examples are:

dmsweep -a1:192.168.0.*  -dp:force

will forcibly remove DM Primer from all machines on the 
192.168.0.* subnet

dmsweep -a1:192.168.0.1 -a2:192.168.0.100 -dp:force

will forcibly remove DM Primer from all machines in the range 
192.168.0.1-192.168.0.100


Please refer to the FAQ for answers to commonly asked 
questions.
http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity-faqs.asp


References: 
(note that URLs may wrap)
DM Deployment Common Component Security Notice
http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity_notice.asp

Frequently Asked Questions (FAQ) related to this security update
http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity-faqs.asp

CA Security Advisor site advisory
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33756

CVE Reference: Pending
http://cve.mitre.org

OSVDB Reference: Pending
http://osvdb.org

Error Handling in DM Primer
http://www.designfolks.com.au/karma/DMPrimer/


Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Dir. Vuln Research 
CA Vulnerability Research Team


CA, One Computer Associates Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://www.ca.com/caprivacy.htm
Copyright 2006 CA.  All rights reserved.
___
Full-Disclosure - We believe in it.
Charter: 

[Full-disclosure] Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte

2005-10-27 Thread Williams, James K

 Subject: Re: Multiple Vendor Anti-Virus Software Detection 
 Evasion Vulnerability through forged magic byte
 From: Andrey Bayora andrey () securityelf ! org
 Date: 2005-10-25 3:07:51

 [...]

 VULNERABLE vendors and software (tested):

 [...]

 3.  eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)

 [...]
 DESCRIPTION:

 The problem exists in the scanning engine - in the routine that
 determines the file type. If some file types (file types tested
 are .BAT, .HTML and .EML) changed to have the MAGIC BYTE of the 
 EXE files (MZ) at the beginning, then many antivirus programs 
 will be unable to detect the malicious file. It will break the 
 normal flow of the antivirus scanning and many existent and 
 future viruses will be undetected.

Andrey,

Thank you for the report.  

You are effectively altering existing viruses to the point that 
AV scanners do not detect them.  If your altered virus sample 
still executes correctly, you have simply created a new virus 
variant.  If your altered virus sample does not execute properly, 
you have created nothing more than a corrupt virus sample.

Consequently, the issue that you describe is *not* a 
vulnerability issue, but rather just an example of a new variant
that has not yet been added to an AV vendor's database of known
viruses.

Note that CA eTrust Antivirus, when running in Reviewer mode, 
should already detect these new variants.

Regards,
Ken 
   
Ken Williams ; Dir. Vuln Research 
Computer Associates ; 0xE2941985

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] RE: CAID 33485 - Computer Associates iGateway debug mode HTTP GET request buffer overflow vulnerability

2005-10-19 Thread Williams, James K

Advisory has been updated to announce availability of iGateway 
updates for all platforms.


Title: Computer Associates iGateway debug mode HTTP GET request 
buffer overflow vulnerability (v1.1)

CA Vulnerability ID: 33485

Discovery Date: 2005-10-06

CA Advisory Date v1.0: 2005-10-14 (initial release)
CA Advisory Date v1.1: 2005-10-19 (iGateway updates available)

Discovered By: EMendoza


Impact: Remote attacker can execute arbitrary code with SYSTEM 
privileges.


Summary: The Computer Associates iGateway common component, which
is included with several CA products for UNIX/Linux/Windows 
platforms, contains a buffer overflow vulnerability that could 
allow remote attackers to execute arbitrary code on Windows 
platforms, or cause iGateway component failure (denial of 
service) on UNIX and Linux.  The vulnerability is due to improper
bounds checking on HTTP GET requests by the iGateway component 
when debug mode is enabled.


Mitigating Factors: The potential for exploitation of this 
vulnerability is very low for the following reasons.

1) A non-standard install of the iGateway component is required 
to expose this vulnerability.  Typically, the embedded iGateway 
component is part of a non-interactive installation process.  
Consequently, most systems (those that utilize the default 
installation procedure) are not at risk.

2) If a non-standard install WAS performed, the iGateway 
component is still unlikely to be vulnerable to this exploit, 
because the flaw is only exposed if the component has been 
manually configured to run with diagnostic debug tracing enabled.
Configuring the component to run in debug mode requires 
administrative access to configuration files that reside on the 
machine, and also requires that the iGateway service be stopped 
and restarted by someone with administrative service privileges.
Configuring the iGateway service to operate in debug mode is 
typically performed only at the direction of Computer Associates 
support personnel who are working with a customer to troubleshoot
potential support issues.


Severity: Computer Associates has given this vulnerability a 
Medium risk rating.


Affected Technologies: Please note that the iGateway component is
not a product, but rather a component that is included with 
multiple products.  The iGateway component is included in the 
following Computer Associates products, which are consequently 
potentially vulnerable.  Note that iGateway component versions 
less than 4.0.050615 are vulnerable to this issue.

Business Services Optimization (BSO) Products:
Advantage Data Transformer (ADT) R2.2
Harvest Change Manager R7.1

BrightStor Products:
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup for Windows r11
BrightStor Enterprise Backup 10.5
BrightStor ARCserve Backup v9.01
BrightStor ARCserve Backup Laptop & Desktop r11.1
BrightStor ARCserve Backup Laptop & Desktop r11
BrightStor Process Automation Manager r11.1
BrightStor SAN Manager r11.1
BrightStor SAN Manager r11.5
BrightStor Storage Resource Manager r11.5 
BrightStor Storage Resource Manager r11.1 
BrightStor Storage Resource Manager 6.4
BrightStor Storage Resource Manager 6.3
BrightStor Portal 11.1

Note to BrightStor Storage Resource Manager and BrightStor Portal
users: In addition to the application servers where these 
products are installed, all hosts that have iSponsors deployed to
them for managing applications like Veritas Volume Manager and 
Tivoli TSM are also affected by this vulnerability.

eTrust Products:
eTrust Audit 1.5 SP2 (iRecorders and ARIES)
eTrust Audit 1.5 SP3 (iRecorders and ARIES)
eTrust Audit 8.0 (iRecorders and ARIES) 
eTrust Admin 8.0
eTrust Admin 8.1
eTrust Identity Minder 8.0
eTrust Secure Content Manager (SCM) R8
eTrust Web Service Security R8
eTrust Integrated Threat Management (ITM) R8

Unicenter Products: 
Unicenter CA Web Services Distributed Management R11
Unicenter AutoSys JM R11
Unicenter Management for WebLogic / Management for WebSphere R11
Unicenter Service Delivery R11
Unicenter Service Level Management (USLM) R11
Unicenter Application Performance Monitor R11
Unicenter Service Desk R11
Unicenter Service Desk Knowledge Tools R11
Unicenter Service Fulfillment 2.2
Unicenter Service Fulfillment R11
Unicenter Asset Portfolio Management R11
Unicenter Service Matrix Analysis R11
Unicenter Service Catalog/Fulfillment/Accounting R11
Unicenter MQ Management R11
Unicenter Application Server Management R11
Unicenter Web Server Management R11
Unicenter Exchange Management R11 


Status and Recommendation: 
iGateway updates that address this vulnerability are available
for all affected platforms (Win32, Sun, AIX, HP-UX, Linux).
Download the appropriate update(s), dated 10/17/2005 or later, 
at the link below.

ftp://ftp.ca.com/pub/iTech/downloads/

If you cannot install the update at this time, then we strongly 
recommend that you utilize the procedural solution below.

As an immediate and completely effective 

Re: [Full-disclosure] NUL Character Evasion

2005-09-16 Thread Williams, James K

 List:   full-disclosure
 Subject:Re: [Full-disclosure] NUL Character Evasion
 From:   fd () ew ! nsci ! us
 Date:   2005-09-15 19:57:30

   On Thu, 15 Sep 2005, Williams, James K wrote:
   List:   full-disclosure
   Subject:[Full-disclosure] NUL Character Evasion
   From:   ju () heisec ! de
   Date:   2005-09-13 21:24:42
 
  Thank you for the report.  Computer Associates is currently 
  investigating the issue (as it relates to CA products).
  
  Regards,
  kw
 
 Ken,  

 How long until this update hits your product?

 -Eric

 -- 
 Eric Wheeler

As initially suspected, from the AV signature perspective, this
is not a critical issue until and unless something specific 
shows up in the wild or is reported to a vendor. The NUL char 
insertion concept is similar in theory to, for example, K2's 
classic ADMmutate[1] polymorphic shellcode engine for NIDS 
evasion, or simply adding NOPs to an executable. Alex and 
Neel[2] discussed this class of AV vulns at core05 and Blackhat.

Regards,
kw

[1] http://www.ktwo.ca/security.html
[2] http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-wheeler.pdf



Re: [Full-disclosure] NUL Character Evasion

2005-09-14 Thread Williams, James K

 List:   full-disclosure
 Subject:[Full-disclosure] NUL Character Evasion
 From:   ju () heisec ! de
 Date:   2005-09-13 21:24:42

 The Problem:
 
 Internet Explorer ignores NUL characters
 -- i.e. ascii characters with the value 0x00 -- most
 security software does not. This behaviour of IE
 does not depend on the charset in the Content-Type-Header.

[...]

 eTrust-VETHTML.MHTMLRedir!exploit

[...]

 -- 
 Juergen Schmidt   editor in chief   heise Security www.heisec.de
 Heise Zeitschriften Verlag,   Helstorferstr. 7,   D-30625 Hannover
 Tel. +49 511 5352 300  FAX +49 511 5352 417   EMail [EMAIL PROTECTED]
 GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
  

Juergen,

Thank you for the report.  Computer Associates is currently 
investigating the issue (as it relates to CA products).

Regards,
kw
 
Ken Williams ; Dir. Vuln Research 
Computer Associates ; 0xE2941985



[Full-disclosure] 32919 - Computer Associates Message Queuing (CAM/CAFT) multiple vulnerabilities

2005-08-22 Thread Williams, James K

Title: 32919 - Computer Associates Message Queuing (CAM/CAFT) 
multiple vulnerabilities


CA Vulnerability ID: CAID 32919


Disclosure Date: 2005-08-19


Discovered By: CA internal audit


Impact: Remote attackers can execute arbitrary code, or cause a 
denial of service condition.


Summary: During a recent internal audit, CA discovered several 
vulnerability issues in the CA Message Queuing (CAM / CAFT) 
software.

1) Attackers can potentially exploit a CAM TCP port vulnerability
to execute a Denial of Service (DoS) attack.

2) Attackers can potentially exploit multiple buffer overflow 
conditions to execute arbitrary code remotely with elevated 
privileges.

3) Attackers can potentially launch a spoofed CAFT attack, and 
execute arbitrary commands with elevated privileges.

CA has made patches available for all affected users.  These 
vulnerabilities affect all versions of the CA Message Queuing 
software prior to v1.07 Build 220_13 and v1.11 Build 29_13 on the
platforms specified below.


Severity: Computer Associates has given this vulnerability a High
risk rating.


Determining CAM versions:

Simply running camstat will return the version information in the
top line of the output on any platform. The camstat program is 
located in the bin subfolder of the installation directory.

The example below indicates that CAM version 1.11 build 27 
increment 2 is running.

E:\>camstat
CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16


Determining the CAM install directory:

Windows: the install location is specified by the %CAI_MSQ% 
environment variable.

Unix/Linux/Mac: the /etc/catngcampath text file holds the CAM 
install location.


Affected products:

Unicenter Performance Management for OpenVMS r2.4 SP3
AdviseIT 2.4
Advantage Data Transport 3.0
BrightStor SAN Manager 1.1, 1.1 SP1, 1.1 SP2, 11.1
BrightStor Portal 11.1
CleverPath OLAP 5.1
CleverPath ECM 3.5
CleverPath Predictive Analysis Server 2.0, 3.0
CleverPath Aion 10.0
eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1
Unicenter Application Performance Monitor 3.0, 3.5
Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 
 4.0 SP1
Unicenter Data Transport Option 2.0
Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2
Unicenter Jasmine 3.0
Unicenter Management for WebSphere MQ 3.5
Unicenter Management for Microsoft Exchange 4.0, 4.1
Unicenter Management for Lotus Notes/Domino 4.0
Unicenter Management for Web Servers 5, 5.0.1
Unicenter NSM 3.0, 3.1
Unicenter NSM Wireless Network Management Option 3.0
Unicenter Remote Control 6.0, 6.0 SP1
Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5
Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 
 4.0 SP1
Unicenter TNG 2.1, 2.2, 2.4, 2.4.2
Unicenter TNG JPN 2.2


Affected platforms:

AIX, DG Intel, DG Motorola, DYNIX, OSF1, HP-UX, IRIX, 
Linux Intel, Linux s/390, Solaris Intel, Solaris Sparc, UnixWare,
Windows, Apple Mac, AS/400, MVS, NetWare, OS/2, and OpenVMS.


Status: Patches that completely remediate this vulnerability 
issue are available for all affected products.


Recommendation (note that URLs may wrap): 
CA strongly recommends application of the appropriate patch(es).

Fixes for CAM v1.11 prior to Build 29_13:
http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_cam111fixes.asp
Windows QO71014
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71014
AIX QO71015
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71015
HPUX QO71016
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71016
Linux QO71019
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71019
QO71020 (RPM_i386)
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71020
QO71021 (RPM_ia64)
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71021
LinuxS390 QO71031
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71031
MacOSX QO71022
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71022
NetWare QO71023
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71023
OSF1 QO71024
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71024
SCO QO71025
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71025
Solaris QO71026
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71026
SolarisIntel QO71027
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71027

Fixes for CAM v1.07 prior to Build 220_13 
and Fixes for CAM v1.05 (any version):
http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_cam107fixes.asp
Windows QO71033
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71033
AIX QO71035
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71035
AS/400 On Request
http://supportconnect.ca.com
DGIntel QO71036
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71036
DGM88K QO71037
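
The camstat check from "Determining CAM versions" above, as an added example that is not part of the original advisory: it reads the top line of camstat output and classifies the install against the fixed builds the advisory names. The banner layout is assumed to match the single sample line in the advisory, and release lines the advisory does not name are reported as unknown rather than guessed.

```python
import re
from typing import Tuple

# Matches the banner layout shown in the advisory:
#   CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16
_BANNER = re.compile(r"Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)_(\d+)\)")

# First fixed (build, increment) per release line, from the advisory.
FIXED_BUILD = {
    (1, 7): (220, 13),   # v1.07 Build 220_13
    (1, 11): (29, 13),   # v1.11 Build 29_13
}
# The advisory lists fixes for "CAM v1.05 (any version)".
ALWAYS_AFFECTED = {(1, 5)}

# Sample taken from the advisory's own camstat example.
SAMPLE_OUTPUT = "CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16\n"


def parse_banner(line: str) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((major, minor), (build, increment)) from a camstat banner."""
    match = _BANNER.search(line)
    if match is None:
        raise ValueError(f"not a camstat banner: {line!r}")
    major, minor, build, increment = (int(g) for g in match.groups())
    return (major, minor), (build, increment)


def classify(line: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one banner line."""
    release, build = parse_banner(line)
    if release in ALWAYS_AFFECTED:
        return "vulnerable"
    fixed = FIXED_BUILD.get(release)
    if fixed is None:
        # Release line not named in the advisory: do not guess.
        return "unknown"
    # Compare build first, then increment (27_2 < 29_13, 29_12 < 29_13).
    return "vulnerable" if build < fixed else "fixed"


def classify_output(camstat_output: str) -> str:
    """Classify full camstat output using its first non-empty line."""
    for line in camstat_output.splitlines():
        if line.strip():
            return classify(line)
    raise ValueError("empty camstat output")


if __name__ == "__main__":
    print(classify_output(SAMPLE_OUTPUT))
```
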

[Full-disclosure] RE: CAID 33239 - Computer Associates BrightStor ARCserve/Enterprise Backup Agents buffer overflow vulnerability

2005-08-05 Thread Williams, James K

On August 02, 2005, CA released patches to address a buffer 
overflow vulnerability in some of the BrightStor ARCserve Backup
and BrightStor Enterprise Backup for Windows application agents.

The patch for BrightStor ARCserve Backup r11.1 Agent for SQL for
Windows (QO70767) did not fully remediate the vulnerability. 
This patch has now been superseded.  Users should apply the new
patch immediately. If you are running BrightStor ARCserve Backup
r11.1 Agent for SQL for Windows, please apply the updated patch
for BrightStor ARCserve Backup for Windows (QO71010) by 
downloading it from the location listed below. 

BrightStor ARCserve Backup r11.1 for Windows (URL may wrap):
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO71010


References:

CA Security Advisor site
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239

E-News: BrightStor Storage Newsletter v05.11 August 2nd, 2005
http://supportconnectw.ca.com/public/enews/BrightStor/brig080205.asp


Should you require additional information, please contact CA 
Technical Support at http://supportconnect.ca.com.


Respectfully,

Ken Williams ; Dir. Vuln Research 
Computer Associates ; 0xE2941985


Computer Associates International, Inc. (CA). 
One Computer Associates Plaza. Islandia, NY 11749

Contact Us http://ca.com/catalk.htm
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://ca.com
Copyright 2005 Computer Associates International, Inc.
All rights reserved
   

 -Original Message-
 From: Williams, James K 
 Sent: Tuesday, August 02, 2005 2:10 PM
 To: 'full-disclosure@lists.grok.org.uk'
 Subject: CAID 33239 - Computer Associates BrightStor 
 ARCserve/Enterprise Backup Agents buffer overflow vulnerability
 
 
 Title: Computer Associates BrightStor ARCserve/Enterprise Backup 
 Agents buffer overflow vulnerability
 
 CA Vulnerability ID: 33239
 
 Discovery Date: 2005-04-25
 
 Disclosure Date: 2005-08-02
 
 Discovered By: iDEFENSE
 
 Impact: A remote attacker can execute arbitrary code with SYSTEM 
 privileges.
 
 Summary: Computer Associates BrightStor ARCserve Backup and 
 BrightStor Enterprise Backup Agents for Windows contain a 
 stack-based buffer overflow vulnerability. The vulnerability may 
 allow remote attackers to execute arbitrary code with SYSTEM 
 privileges, or cause a denial of service condition. The buffer 
 overflow is the result of improper bounds checking performed on 
 data sent to port 6070. 
 
 Severity: Computer Associates has given this vulnerability a 
 High risk rating.
 
 Affected Technologies: This vulnerability exists in the 
 following BrightStor ARCserve Backup and BrightStor Enterprise 
 Backup application agents:
 
 BrightStor ARCserve Backup r11.1:
 - BrightStor ARCserve Backup r11.1 Agent for SQL for Windows
 - BrightStor ARCserve Backup r11.1 Agent for Oracle for Windows
 - BrightStor ARCserve Backup r11.1 Agent for SAP R/3 for Windows
 - BrightStor ARCserve Backup r11.1 Agent for Microsoft Exchange 
   Premium Add-on for Windows
 
 BrightStor ARCserve Backup r11.0:
 - BrightStor ARCserve Backup Release 11 Agent for SQL for Windows
 - BrightStor ARCserve Backup Release 11 Agent for Oracle for 
   Windows
 - BrightStor ARCserve Backup Release 11 Agent for SAP R/3 for 
   Windows
 - BrightStor ARCserve Backup Release 11 Agent for Microsoft 
   Exchange Premium Add-on for Windows
 
 BrightStor ARCserve Backup v9.01
 - BrightStor ARCserve Backup Version 9 Agent for SQL for Windows
 - BrightStor ARCserve Backup Version 9 Agent for Oracle for 
   Windows 
 - BrightStor ARCserve Backup Version 9 Agent for SAP R/3 for 
   Windows 
 
 BrightStor Enterprise Backup 10.5
 - BrightStor Enterprise Backup v10.5 Agent for SQL for Windows
 - BrightStor Enterprise Backup v10.5 Agent for Oracle for 
   Windows
 - BrightStor Enterprise Backup v10.5 Serverless Backup Agent for 
   Oracle for Windows
 - BrightStor Enterprise Backup v10.5 Agent for Oracle for EMC 
   Timefinder for Windows
 - BrightStor Enterprise Backup v10.5 Agent for SAP R/3 for 
   NT/2000
 
 BrightStor Enterprise Backup 10
 - BrightStor Enterprise Backup Agent for SQL for Windows
 - BrightStor Enterprise Backup Agent for Oracle for Windows
 - BrightStor Enterprise Backup Agent for SAP R/3 for Oracle and 
   SQL on Windows
 - BrightStor Enterprise Backup Agent for Oracle for EMC 
   Timefinder for Windows
 - BrightStor Enterprise Backup Serverless Backup Agent for 
   Oracle for Windows
 
 Status: Security updates that completely remediate this 
 vulnerability issue are available for all affected products.
 
 Recommendation (note that URLs may wrap): 
 Apply the appropriate security update(s).
 BrightStor ARCserve Backup r11.1 for Windows:
 http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70767&startsearch=1
 BrightStor ARCserve Backup r11.0 for Windows:
 http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70769&startsearch=1

[Full-disclosure] Re: SiteMinder Multiple Vulnerabilities

2005-07-19 Thread Williams, James K

 List:   full-disclosure
 Subject:[Full-disclosure] SiteMinder Multiple Vulnerabilities
 From:   c0ntexb () gmail ! com
 Date:   2005-07-08 14:08:53
 Message-ID: df8ba96d050708070869551019 () mail ! gmail ! com

 $ An open security advisory #10 - Siteminder v5.5 Vulnerabilities

[...]

 I have contacted Netegrity via ca.com multiple times but received 
 no response, as such, users should use a filtering technology 
 like modsecurity to detect the above described attacks until a 
 fix has been released.

Note that vulnerabilities can be reported to CA by a) sending email 
to [EMAIL PROTECTED], or b) submitting via a web form at 
http://www3.ca.com/securityadvisor/vulninfo/submit.aspx .  The 
form can be found by clicking on the Submit a Vulnerability link
at http://www3.ca.com/securityadvisor/ .  This information is 
documented in the Vendor Dictionary at OSVDB.

Regards,
kw
   
Ken Williams ; Vulnerability Research 
Computer Associates ; 0xE2941985
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: SiteMinder Multiple Vulnerabilities (solution)

2005-07-19 Thread Williams, James K

 List:   full-disclosure
 Subject:SiteMinder Multiple Vulnerabilities
 From:   c0ntex c0ntexb () gmail ! com
 Date:   2005-07-08 14:08:53

 $ An open security advisory #10 - Siteminder v5.5 
 Vulnerabilities

 [...]

This issue is NOT present in out-of-the-box installations of 
SiteMinder.  All supported versions of SiteMinder have an
agent configuration parameter called CSSChecking that is,
by default, set to YES.  A SiteMinder administrator would 
have to intentionally set this parameter to NO to become 
vulnerable to this issue.

The CSSChecking configuration parameter has been very well 
documented in SiteMinder product documentation since 2001.

This issue is also documented and addressed in a security 
advisory posted in October 2002 at this URL:
(URL may wrap)
https://support.netegrity.com/ocp/custom/productdownload/productdownload
.asp?isNodeGroup=nullProductNumber=735ParentId=493groupType=249

Note that SiteMinder customers should continue to go to 
support.netegrity.com for product support.

Regards,
kw
   
Ken Williams ; Vulnerability Research 
Computer Associates ; 0xE2941985
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985



[Full-disclosure] CAID 32896 - Computer Associates Vet Antivirus engine heap overflow vulnerability

2005-05-24 Thread Williams, James K


CAID 32896 - Computer Associates Vet Antivirus engine heap overflow 
vulnerability


CA Vulnerability ID: 32896


Discovery Date: 2005/04/26


Discovered By: Alex Wheeler


Title:
Computer Associates Vet Antivirus engine heap overflow vulnerability


Impact:
Remote attackers can gain privileged access.

 
Summary:
Computer Associates has patched a high risk vulnerability that was 
identified by Alex Wheeler.  The vulnerability affects computers 
leveraging our eTrust(TM) Vet Antivirus engine, and can allow an 
attacker to gain control of a computer through a specially crafted 
Microsoft Office document.


Severity:
Computer Associates has given this vulnerability a High risk rating.  
The Vet Antivirus Engine is included in drivers, system services to 
automatically scan any files that the computer may access.  These 
software components have privileged access to the local computer and 
are started by default by our Antivirus software installation.  In 
the worst case scenario, a remote attacker may present a specially 
crafted Microsoft Office document to a vulnerable computer for virus 
scanning and gain control of the computer without any user 
interaction.


Affected corporate products:
CA InoculateIT 6.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r6.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r7.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r7.1 (all platforms, including Notes/Exchange)
eTrust Antivirus for the Gateway r7.0 (all modules and platforms)
eTrust Antivirus for the Gateway r7.1 (all modules and platforms)
eTrust Secure Content Manager (all releases)
eTrust Intrusion Detection (all releases)
BrightStor ARCserve Backup (BAB) r11.1 Windows

Affected retail products:
eTrust EZ Antivirus r6.2 - r7.0.5
eTrust EZ Armor r1.0 - r2.4.4
eTrust EZ Armor LE r2.0 - r3.0.0.14
Vet Antivirus r10.66 and below


Status:
All Computer Associates corporate products and some of our retail 
products that utilize the Vet Antivirus Engine have the ability to 
patch this vulnerability automatically.  For these products, the 
patch for this vulnerability was already rolled out as part of the 
daily Vet Signature updates on May 3, 2005, and no further action 
is required.  


Recommendation:
To make sure your system is protected, please review the solutions 
below for your specific product version.

  * All corporate products - You are protected if you are running
    Vet engine 11.9.1 or later.  If running an earlier version,
    perform a virus signature file update as soon as possible to
    receive the patch.

  * eTrust EZ Antivirus r7/eTrust EZ Armor r3.1 Users - You may
    already be up-to-date.  A new Vet engine was made available on
    Tuesday, May 3rd.  Automatic signature file updates should have
    downloaded this update to your system.  To verify the update,
    please follow the instructions below:

    Open eTrust EZ Antivirus (double-click on the AV icon in your
    system tray), then select the Help tab on the top-right of the
    screen.  The engine version should be listed as 11.9.1 or later.
    If it is a lower number, perform a virus signature file update [1]
    immediately to receive the patch.

  * eTrust EZ Antivirus r6.x Users - Upgrade to eTrust EZ Antivirus r7
    as soon as possible.  It takes approximately 10 minutes to
    complete this process on a high-speed connection, and all users
    with an active license are entitled to this upgrade for free.
    Follow the link below to upgrade now.

    http://consumerdownloads.ca.com/myeTrust/apps/EZAntivirus.exe

    - For additional upgrade instructions, click on the appropriate
      link below:
      - Upgrading from r6.1 and above [2]
      - Upgrading from r6.0 and earlier [3]

    Unsure of your product version?  Follow the link in footnote [4].

  * eTrust EZ Armor r3 Users - An update will be pushed down to your
    computer.  During a virus signature file update, a patch will be
    downloaded to your computer.  The patch will require that you
    reboot your computer for it to take effect.  We recommend that
    you reboot right away.

  * eTrust EZ Armor r2.4.4 and below Users - Upgrade to eTrust EZ
    Armor r3.1 as soon as possible.  It takes approximately 10
    minutes to complete this process on a high-speed connection and
    all users with an active license are entitled to this upgrade for
    free.  Follow the link below to upgrade now.

    http://consumerdownloads.ca.com/myeTrust/apps/EZArmor.exe

    Unsure of your product version?  Follow the link in footnote [4].


CVE Reference: Pending


OSVDB Reference: Pending


Advisory URLs (note that URLs below may wrap):

General:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896

Consumer:
http://crm.my-etrust.com/login.asp?username=guesttarget=DOCUMENTopenpa
rameter=1588


[1]
http://crm.my-etrust.com/login.asp?username=guesttarget=DOCUMENTopenpa
rameter=61

[2]