OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
CA20121001-01: Security Notice for CA License

From: Williams, James K (James.Williamsca.com)
Date: Mon Oct 01 2012 - 15:00:12 CDT




CA20121001-01: Security Notice for CA License

Issued: October 01, 2012


CA Technologies Support is alerting customers to two potential risks in CA
License (also known as CA Licensing). Vulnerabilities exist that can
allow a local attacker to execute arbitrary commands or gain elevated
access. CA Technologies has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2012-0691, occurs due to insecure use of
system commands. An unprivileged user can exploit this vulnerability to
execute commands with system or administrator privileges.

The second vulnerability, CVE-2012-0692, occurs due to inadequate user
validation. An unprivileged user can exploit this vulnerability to create
or modify arbitrary files and gain elevated access.


Risk Rating

High


Affected Platforms

AIX 5.x
DEC
HP-UX
Linux
Mac OS X
Solaris
Windows


Affected Products

CA Aion Business Rules Expert r11.0
CA ARCserve Backup r12.5, r15, r16
CA ARCserve Central Protection Manager r16
CA ARCserve Central Reporting r16
CA ARCserve D2D r15, r16, r16 On Demand
CA ARCserve Central Host Based VM Backup (formerly CA ARCserve Host Based
   VM Backup) r16
CA ARCserve Central Virtual Standby (formerly CA ARCserve Virtual
   Conversion Manager) r16
CA Automation Point r11.2, r11.3
CA Client Automation (formerly CA Desktop and Server Management) r12.0,
   r12.0 SP1, r12.5
CA Common Services (CCS) r11.2 SP2
CA ControlMinder (formerly CA Access Control) 12.5, 12.6
CA ControlMinder for Virtual Environments (formerly CA Access Control for
   Virtual Environments) 2.0
CA Database Management r11.3, r11.4, r11.5
CA Directory 8.1
CA Easytrieve for Windows and UNIX 11.0, 11.1
CA Easytrieve for Linux PC 11.6
CA Erwin Data Modeler r7.x
CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5
CA Gen r8
CA IdentityMinder (formerly CA Identity Manager) r12 CR16 and earlier
CA Insight Database Performance Manager 11.3, 11.4, 11.5
CA IT Asset Manager (ITAM) r12.6 and earlier
CA IT Client Manager r12.0, r12.0 SP1, r12.5
CA IT Inventory Manager r12.0, r12.0 SP1, r12.5
CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2
CA Output Management Web Viewer 11.5
CA Plex r6, r6.1
CA Repository for Distributed Systems r2.3
CA Service Accounting r12.5, r12.6
CA Service Catalog r12.5, r12.6
CA Service Desk Manager r12.1, r12.5, r12.6
CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier
CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3
CA Software Compliance Manager r12.0, r12.6
CA Storage Resource Manager (SRM) 11.8, 12.6
CA TSreorg for Distributed Databases 11.3, 11.4, 11.5
CA Unicenter Asset Portfolio Management r11.3, r11.3.4, r12.6
CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3
CA Workload Automation DE r11.3
CA XCOM Data Transport Gateway PC Linux r11.5
CA XCOM Data Transport Gateway Windows r11.5
CA XCOM Data Transport for PC Linux r11.5
CA XCOM Data Transport for Windows r11.5
CA XCOM Data Transport Management Center for PC Linux r11.5
CA XCOM Data Transport Management Center for Windows r11.5


Affected Components

CA License 1.90.02 and earlier


Non-Affected Products

CA ControlMinder (formerly CA Access Control) 12.6 SP1
CA Client Automation 12.5 SP1
CA Directory r12.0 SP1 or later
CA Gen r8.5
CA IdentityMinder (formerly CA Identity Manager) r12.5
CA IT Client Manager r12.5.SP1
CA IT Inventory Manager r12.5.SP1
CA Plex r7.0
CA Service Accounting r12.7
CA Service Catalog r12.7
CA Service Desk Manager r12.7
CA Single Sign-On (SSO) r12.1 CR5
CA Storage Resource Manager (SRM) 12.6 SP1
CA Workload Automation DE r11.1 (does not use CA License)


Non-Affected Components

CA License 1.90.03 or later


How to determine if the installation is affected

All versions of CA License before 1.90.03 are vulnerable.

The installed version of CA License can be obtained by using the
“lic98version” program. Lic98version retrieves the version of CA License
installed on a machine along with the version of specific individual files.
The version information is written to the lic98version.log file located in
the CA License installation location, and is also displayed on the console.


Solution

CA has issued patches to address the vulnerability.


For all CA product installations on Linux, please note these Linux-specific
instructions:

1. First, make backups of the ca.olf file and the lic98.dat file.
2. Uninstall the existing/old version of CA License.
3. Perform the installation of CA License 1.90.04.
4. Confirm the successful installation of 1.9.04, and then replace the
        existing ca.olf file and lic98.dat file with the files you backed
        up in step 1.

If additional information is required, please contact CA Technologies
Support at https://support.ca.com/


CA Aion Business Rules Expert r11.0:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA ALP License Update for Windows:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={2B524FD2-9275-4820-997F-E9C0BC0DE768}

CA ARCserve products:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Automation Point r11.2:
Install SP5 when available.

CA Automation Point r11.3:
Install SP2, which uses CA License v1.90.04.

CA Client Automation r12.0, r12.0 SP1, r12.5:
Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later
for Windows and Linux platforms, or v1.90.03 or later for all other
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Common Services (CCS) r11.2 SP2:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA ControlMinder (formerly known as CA Access Control) 12.5, 12.6:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA ControlMinder for Virtual Environments 2.0 (formerly known as ACVE):
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Database Management r11.3, r11.4, r11.5:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Directory 8.1:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Easytrieve 11.0, 11.1:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Easytrieve 11.6 for Linux PC:
Download and install CA License v1.90.04 or later:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Erwin Data Modeler r7.x:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Gen r8:
Upgrade to CA Gen r8.5, or download and install CA License v1.90.04 or
later for Windows and Linux platforms, or v1.90.03 or later for all other
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA IdentityMinder (formerly known as CA Identity Manager) r12 CR16 and
earlier:
Upgrade to r12.5, or download and install CA License v1.90.04 or later for
Windows and Linux platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Insight Database Performance Manager 11.3, 11.4, 11.5:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA IT Asset Manager (ITAM) r12.6 and earlier:
Apply RI40652 for UAPM 11.3.4
Apply RI40653 for APM 12.6
Apply RI40654 for CASWCM 12.6
Apply RI40655 for CASWCM 12.0

CA IT Client Manager r12.0, r12.0 SP1, r12.5:
Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later
for Windows and Linux platforms, or v1.90.03 or later for all other
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA IT Inventory Manager r12.0, r12.0 SP1, r12.5:
Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later
for Windows and Linux platforms, or v1.90.03 or later for all other
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Output Management Web Viewer 11.5:
Apply RI36100

CA Plex r6.1:
Upgrade to CA Plex r7.0

CA Repository for Distributed Systems r2.3:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Service Accounting r12.5:
Apply RO40603 (PIB RI40667)

CA Service Accounting r12.6:
Apply RO40613 (PIB RI40669)

CA Service Catalog r12.5:
Apply RO40603 (PIB RI40667)

CA Service Catalog r12.6:
Apply RO40613 (PIB RI40669)

CA Service Desk Manager r12.1, r12.5, r12.6:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
(Note that you will need to stop all SSO server services (including Access
Control and Directory) before upgrading the License component.)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Software Compliance Manager r12.0:
Apply RI40655

CA Software Compliance Manager r12.6:
Apply RI40654

CA SRM 11.8:
Apply RI35825 (CA License Vulnerability Fix)

CA SRM 12.6:
Apply RI35823 (CA License Vulnerability Fix)

CA TSreorg for Distributed Databases 11.3, 11.4, 11.5:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Unicenter Asset Portfolio Management r11.3, r11.3.4:
Apply RI40652

CA Unicenter Asset Portfolio Management r12.6:
Apply RI40653

CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Workload Automation DE r11.3:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA XCOM Data Transport Gateway PC Linux r11.5:
Apply RI36093

CA XCOM Data Transport Gateway Windows r11.5:
Apply RI36094

CA XCOM Data Transport for PC Linux r11.5:
Apply RI36091

CA XCOM Data Transport for Windows 11.5:
Apply RI36090

CA XCOM Data Transport Management Center for PC Linux 11.5:
Apply RI38961

CA XCOM Data Transport Management Center for Windows 11.5:
Apply RI38984


Workaround

None


References

CVE-2012-0691 – CA License system command usage
CVE-2012-0692 – CA License user validation weakness


Acknowledgement

CVE-2012-0691 – Raphael Rigo, ANSSI (French Network and Information
                Security Agency)
CVE-2012-0692 – Raphael Rigo, ANSSI (French Network and Information
                Security Agency)


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22ca.com


Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.