[<prev] [next>] [day] [month] [year] [list]
Message-ID: <649CDCB56C88AA458EFF2CBF494B6204030A79CE@USILMS12.ca.com>
Date: Fri, 22 Jun 2007 10:01:30 -0400
From: "Williams, James K" <James.Williams@...com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: [CAID 35450, 35451, 35452,
35453]: CA Products That Embed Ingres Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Title: [CAID 35450, 35451, 35452, 35453]: CA Products That Embed
Ingres Multiple Vulnerabilities
CA Vuln ID (CAID): 35450, 35451, 35452, 35453
CA Advisory Date: 2007-06-21
Reported By: NGSSoftware, and iDefense
Impact: Attackers can potentially execute arbitrary code, or
overwrite files.
Summary: Various CA products that embed Ingres products contain
multiple vulnerabilities that can allow an attacker to potentially
execute arbitrary code. CA has issued fixes, to address all of
these vulnerabilities, for all supported CA products that may be
affected.
1) Ingres controllable pointer overwrite vulnerability (reported
by NGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450]
Description: An unauthenticated attacker can potentially execute
arbitrary code within the context of the database server.
2) Ingres remote unauthenticated pointer overwrite #2 (reported by
NGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450]
Description: An unauthenticated attacker can exploit a pointer
overwrite vulnerability to execute arbitrary code within the
context of the database server.
3) Ingres wakeup file overwrite (reported by NGSSoftware)
[Ingres bug 115913, CVE-2007-3337, CAID 35451]
Description: The "wakeup" binary creates a file named
"alarmwkp.def" in the current directory, truncating the file if it
already exists. The "wakeup" binary is setuid "ingres" and
world-executable. Consequently, an attacker can truncate a file
with the privileges of the "ingres" user.
4) Ingres uuid_from_char stack overflow (reported by NGSSoftware)
[Ingres bug 115911, CVE-2007-3338, CAID 35452]
Description: An attacker can pass a long string as an argument to
uuid_from_char() to cause a stack buffer overflow and the saved
returned address can be overwritten.
5) Ingres verifydb local stack overflow (reported by NGSSoftware)
[Ingres bug 115911, CVE-2007-3338, CAID 35452]
Description: A local attacker can exploit a stack overflow in the
Ingres verifydb utility duve_get_args function.
6) Communication server heap corruption (reported by iDefense)
[Ingres bug 117523, CVE-2007-3334, CAID 35453]
Description: An attacker can execute arbitrary code within the
context of the communications server (iigcc.exe). This only
affects Ingres on the Windows operating system. Reported by
iDefense as IDEF2023.
7) Data Access/JDBC server heap corruption (reported by iDefense)
[Ingres bug 117523, CVE-2007-3334, CAID 35453]
Description: An attacker can execute arbitrary code within the
context of the Data Access server (iigcd.exe) in r3 or the JDCB
server in older releases. This only affects Ingres on the Windows
operating system. Reported by iDefense as IDEF2022.
Mitigating Factors: None
Severity: CA has given these vulnerabilities a cumulative High
risk rating.
Affected Products:
Advantage Data Transformer r2.2
AllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1
AllFusion Harvest Change Manager r7, r7.1
BrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix,
Linux and Mainframe Linux)
BrightStor ARCserve Backup for Laptops and Desktops r11.5
BrightStor Enterprise Backup (Unix only) r10.5
BrightStor Storage Command Center r11.5
BrightStor Storage Resource Manager r11.5
CleverPath Aion Business Rules Expert r10.1
CleverPath Aion Business Process Monitoring r10.1
CleverPath Predictive Analysis Server r3
DocServer 1.1
eTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2
eTrust Audit r8 SP2
eTrust Directory r8.1
eTrust IAM Suite r8.0
eTrust IAM Toolkit r8.0, r8.1
eTrust Identity Manager r8.1
eTrust Network Forensics r8.1
eTrust Secure Content Manager r8
eTrust Single Sign-On r7, r8, r8.1
eTrust Web Access Control 1.0
Unicenter Advanced Systems Management r11
Unicenter Asset Intelligence r11
Unicenter Asset Management r11
Unicenter Asset Portfolio Management r11.2.1, r11.3
Unicenter CCS r11
Unicenter Database Command Center r11.1
Unicenter Desktop and Server Management r11
Unicenter Desktop Management Suite r11
Unicenter Enterprise Job Manager r1 SP3, r1 SP4
Unicenter Job Management Option r11
Unicenter Lightweight Portal 2
Unicenter Management Portal r3.1.1
Unicenter Network and Systems Management r3.0, r11
Unicenter Network and Systems Management - Tiered - Multi Platform
r3.0 0305, r3.1 0403, r11.0
Unicenter Patch Management r11
Unicenter Remote Control 6, r11
Unicenter Service Accounting r11, r11.1
Unicenter Service Assure r2.2, r11, r11.1
Unicenter Service Catalog r11, r11.1
Unicenter Service Delivery r11.0, r11.1
Unicenter Service Intelligence r11
Unicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1
Unicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11,
r11.1, r11.2
Unicenter Software Delivery r11
Unicenter TNG 2.4, 2.4.2, 2.4.2J
Unicenter Workload Control Center r1 SP3, r1 SP4
Unicenter Web Services Distributed Management 3.11, 3.50
Wily SOA Manager 7.1
Affected Platforms:
All operating system platforms supported by the various CA
products that embed Ingres. This includes Windows, Linux, and
supported UNIX platforms.
Status and Recommendation:
CA recommends that customers apply the appropriate fix(es) listed
on the Security Notice page:
http://supportconnectw.ca.com/premium/ca_common_docs/ingres/ingres_secnotic
e.asp
Workaround: None
References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for these vulnerabilities:
Ingres Security Alert
http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp
Important Security Notice for Customers Using Products That Embed
Ingres
http://supportconnectw.ca.com/premium/ca_common_docs/ingres/ingres_secnotic
e.asp
CA Security Advisor posting:
CA Products That Embed Ingres Multiple Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778
CA Vuln ID (CAID): 35450, 35451, 35452, 35453
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35450
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35451
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35452
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35453
Ingres knowledge base document:
http://servicedesk.ingres.com/CAisd/pdmweb.ingres?OP=SHOW_DETAIL+PERSID=KD:
415738+HTMPL=kt_document_view.htmpl
Reported By: NGSSoftware, and iDefense
NGSSoftware Advisory:
http://www.ngssoftware.com/research/advisories/
iDefense Advisory:
Ingres Database Multiple Heap Corruption Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=546
CVE References:
CVE-2007-3336, CVE-2007-3337, CVE-2007-3338, CVE-2007-3334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3334
OSVDB References: Pending
http://osvdb.org/
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.
For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a
Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx
Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)
wj8DBQFGe9YqeSWR3+KUGYURAvY1AJ9hZG1D3gnNiE9proluMzGi9/X21wCeKlmm
fcGU0w2ZcX1NIj3oxbnOLzI=
=Nzdp
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists