CA Client Automation OS Installation Management Insecure Storage

A vulnerability exists due to insecure storage of account credentials used by OS Installation Management during operating system installation. A local attacker can potentially access a sensitive file containing account credentials and decrypt a password. Depending on the privileges associated with the credentials, an attacker can potentially gain further access. This vulnerability only affects operating system installations created by CA Client Automation with OS Installation Management. Versions affected include CA Client Automation r14.0, r14.0 SP1 and CA Client Automation r12.9.


MD5 | e4ca172ffb35ae03e75e26a740f6a6f7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CA20170504-01: Security Notice for CA Client Automation OS
Installation Management

Issued: May 4, 2017
Last Updated: May 4, 2017

CA Technologies is alerting customers to a potential risk with CA
Client Automation OS Installation Management. A vulnerability exists
that can allow a local attacker to gain sensitive information on
operating systems installations created by CA Client Automation OS
Installation Management. A solution is available.

The vulnerability, CVE-2017-8391, occurs due to insecure storage of
account credentials used by OS Installation Management during
operating system installation. A local attacker can potentially
access a sensitive file containing account credentials and decrypt
a password. Depending on the privileges associated with the
credentials, an attacker can potentially gain further access. This
vulnerability only affects operating system installations created by
CA Client Automation with OS Installation Management.

Risk Rating

High

Platform(s)

Windows, Linux

Affected Products

Only CA Client Automation releases implementing OS Installation
Management are vulnerable.

CA Client Automation r14.0, r14.0 SP1
CA Client Automation r12.9

CA Client Automation (formerly CA IT Client Manager) Release and
Support Lifecycle Dates

How to determine if the installation is affected

Customers may review the technical document in the solution section
to determine if any operating system installation created by CA
Client Automation OS Installation Management is affected.

Solution

CA Technologies published the following solution to address the
vulnerability.

CA Client Automation, all releases:

Follow the instructions in TEC1911981

References

CVE-2017-8391 - Client Automation OS Installation Management
insecure password storage

Acknowledgement

CVE-2017-8391 - Christoph Falta

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team

Copyright (c) 2017 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Charset: utf-8

wsFVAwUBWQyL5MMr2sgsME5lAQraoxAAnuqXSlrCUIZrmwY1+JdqmclxgSEn7OJi
StmIM2ujSaZhNcrk9uAbXEmdsIiuOPKYsqPjDZLqLjv//EO8KTmgfvuclwITtUax
ik8Bio4+w1HEIuqVaaO+RTP00y+NzsyVrDX5wilW2xLXYgC3yfqOUevFIvCWG8vW
DVlQAkSt1PSEPfc4JBt3kYK20QJ1ZpASfxss4FGxc4emtpT34bPZKn3hh9MYa9A5
Qmejo0cWHqic6g3Xu/4t23yuE19YzrMyhCIC796Ak4TIv8r+aQZXkUTWxkSUV6Cs
eBsnqv/Fut5oOMYQBZmhDE5aLNEGyT+Xy4SinNOcBeCQt2I3Ym2N4XjfXsmux+JF
zVIeN6fbz7g7Xnih8NQMHW/pdNv3tzesI2vVJDrzSp7s563H0B8hbMu2hHHeALZQ
AoDqf9+cugBtt3GSyhshb2NDw0zYHPpVRkTrkU5QCq3LC+Kl4lpclfmoc+C5mXd/
vX94Z22Nr57KBSqNs4xaefHRgvxirwkK/t7ersuoPbDXBra3v89QYb9//IkIc4vz
cVoXJin7yLCf3TIAQE17P0mAUTGKxfZWZwR54vbeZzSp4eh1EMtuxeyr+v5MDwuP
YeTcr9wSFOux99bufHDfpp7h8eqFAelkx/SskCOQ8503sChss6yUOEaP+80yDau2
42isb+fV/dc=
=kkkx
-----END PGP SIGNATURE-----

Related Posts