BugTraq
[CAID 35690, 35691, 35692]: CA BrightStor Hierarchical Storage Manager CsAgent Multiple Vulnerabilities Sep 27 2007 02:37AM
Williams, James K (James Williams ca com)


Title: [CAID 35690, 35691, 35692]: CA BrightStor Hierarchical Storage Manager CsAgent Multiple Vulnerabilities

CA Vuln ID (CAID): 35690, 35691, 35692

CA Advisory Date: 2007-09-26

Reported By: Sean Larsson, iDefense Labs; an anonymous researcher working with the iDefense VCP; Aaron Portnoy of DV Labs (dvlabs.tippingpoint.com)

Impact: A remote attacker can execute arbitrary code or cause a denial of service condition.

Summary: Multiple vulnerabilities exist in the CsAgent service that can allow a remote attacker to execute arbitrary code or cause a denial of service condition. The first set of vulnerabilities, CVE-2007-5082, occurs due to insufficient bounds checking in multiple CsAgent service commands. The second set of vulnerabilities, CVE-2007-5083, occurs due to insufficient validation of integer values in multiple CsAgent service commands, which can lead to buffer overflow. The third set of vulnerabilities, CVE-2007-5084, occurs due to insufficient validation of strings used in SQL statements in multiple CsAgent service commands.
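To make the first two defect classes in the summary concrete (insufficient bounds checking, and insufficient validation of an integer length field that then feeds a copy), the following added C example shows how a network-facing command parser validates an untrusted length before touching a fixed-size destination buffer. This is not CA's code and the message layout (2-byte opcode, 4-byte little-endian length, payload) is constructed for illustration only; it has no relation to the real CsAgent protocol. The names `parse_cmd`, `cmd_t`, `HDR_LEN` and `MAX_PAYLOAD` are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed command layout for this example (NOT the real CsAgent wire
 * format): 2-byte LE opcode, 4-byte LE payload length, then payload bytes. */
#define HDR_LEN     6
#define MAX_PAYLOAD 256

typedef struct {
    uint16_t opcode;
    uint32_t len;                   /* number of valid bytes in payload */
    uint8_t  payload[MAX_PAYLOAD];  /* fixed-size destination buffer */
} cmd_t;

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one command from buf (buf_len bytes received from the network).
 * Returns 0 on success, -1 on any malformed input; *out is written only
 * after the whole message has validated.
 *
 * The two checks on len map onto the advisory's first two defect classes:
 *  - len is compared with the fixed destination size before memcpy
 *    (omitting this is the "insufficient bounds checking" class);
 *  - the remaining-bytes test is written as len > buf_len - HDR_LEN rather
 *    than HDR_LEN + len > buf_len, so an attacker-chosen len near
 *    UINT32_MAX cannot wrap the sum and slip past the test (the
 *    "insufficient validation of integer values" class). */
int parse_cmd(const uint8_t *buf, size_t buf_len, cmd_t *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (buf_len < HDR_LEN)                /* header must be complete */
        return -1;

    uint16_t opcode = rd_le16(buf);
    uint32_t len    = rd_le32(buf + 2);   /* untrusted, peer-controlled */

    if (len > MAX_PAYLOAD)                /* bounds check vs. destination */
        return -1;
    if (len > buf_len - HDR_LEN)          /* payload must really be present */
        return -1;

    out->opcode = opcode;
    out->len    = len;
    memcpy(out->payload, buf + HDR_LEN, len);
    return 0;
}

/* Self-checks on constructed messages; each returns 1 when the parser
 * behaves as intended. */
int check_valid(void)
{
    const uint8_t msg[] = { 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
    cmd_t c;
    if (parse_cmd(msg, sizeof msg, &c) != 0)
        return 0;
    return c.opcode == 1 && c.len == 3 && memcmp(c.payload, "abc", 3) == 0;
}

int check_wrapping_len(void)
{
    /* len = 0xFFFFFFFF: HDR_LEN + len would wrap to 5 and pass a naive test */
    const uint8_t msg[] = { 0x01, 0x00, 0xff, 0xff, 0xff, 0xff, 'a', 'b', 'c' };
    cmd_t c;
    return parse_cmd(msg, sizeof msg, &c) == -1;
}

int check_truncated(void)
{
    /* header claims 10 payload bytes but only 3 follow */
    const uint8_t msg[] = { 0x01, 0x00, 0x0a, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
    cmd_t c;
    return parse_cmd(msg, sizeof msg, &c) == -1;
}

int check_over_max(void)
{
    /* every byte is present, but len exceeds the fixed destination buffer */
    uint8_t msg[HDR_LEN + MAX_PAYLOAD + 1];
    uint32_t len = MAX_PAYLOAD + 1;
    memset(msg, 'x', sizeof msg);
    msg[0] = 0x01; msg[1] = 0x00;
    msg[2] = (uint8_t)len;         msg[3] = (uint8_t)(len >> 8);
    msg[4] = (uint8_t)(len >> 16); msg[5] = (uint8_t)(len >> 24);
    cmd_t c;
    return parse_cmd(msg, sizeof msg, &c) == -1;
}
```

The order of the checks matters as much as their presence: the destination-size test runs before any arithmetic on the length, and the remaining-bytes test subtracts the known-small header size from the buffer length instead of adding the untrusted length to it, which is what keeps the unsigned comparison from wrapping. The third defect class in the summary, unvalidated strings reaching SQL statements, is not shown here; its standard mitigation is parameterised queries rather than building statements by concatenation.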

Mitigating Factors: None

Severity: CA has given these vulnerabilities a maximum risk rating of High.

Affected Products:
CA BrightStor Hierarchical Storage Manager r11.5

Affected Platforms:
Windows

Status and Recommendation:
CA has provided an update to address the vulnerabilities. Upgrade to BrightStor Hierarchical Storage Manager r11.6.

BrightStor Hierarchical Storage Manager r11.6:
http://supportconnectw.ca.com/premium/bstorhsm/downloads/BHSMr11_6.zip

How to determine if you are affected:
Run the BrightStor HSM Administrator GUI and open Help->About from the toolbar to view the version. If the version is less than 11.6, the installation is vulnerable.

Workaround: None

References (URLs may wrap):

CA SupportConnect:
http://supportconnect.ca.com/

CA BrightStor Hierarchical Storage Manager CsAgent Security Notice
http://supportconnectw.ca.com/public/bstorhsm/infodocs/bstorhsm-secnot.asp

Solution Document Reference APARs:
n/a

CA Security Advisor posting:
CA BrightStor Hierarchical Storage Manager CsAgent Multiple Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=156444

CA Vuln ID (CAID): 35690, 35691, 35692
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35690
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35691
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35692

Reported By: Sean Larsson, iDefense Labs; an anonymous researcher working with the iDefense VCP; Aaron Portnoy of DV Labs (dvlabs.tippingpoint.com)

iDefense advisory:
http://labs.idefense.com/intelligence/vulnerabilities/

ZDI advisory:
http://www.zerodayinitiative.com/advisories.html

CVE References:
CVE-2007-5082, CVE-2007-5083, CVE-2007-5084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5084

OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Regards,

Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.
