Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[CAID 35450, 35451, 35452, 35453]: CA Products That Embed Ingres Multiple Vulnerabilities
From: "Williams, James K" <James.Williams () ca com>
Date: Fri, 22 Jun 2007 10:01:30 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: [CAID 35450, 35451, 35452, 35453]: CA Products That Embed 
Ingres Multiple Vulnerabilities

CA Vuln ID (CAID): 35450, 35451, 35452, 35453

CA Advisory Date: 2007-06-21

Reported By: NGSSoftware, and iDefense

Impact: Attackers can potentially execute arbitrary code, or 
overwrite files.

Summary: Various CA products that embed Ingres products contain 
multiple vulnerabilities that can allow an attacker to potentially 
execute arbitrary code. CA has issued fixes, to address all of 
these vulnerabilities, for all supported CA products that may be 
affected.

1) Ingres controllable pointer overwrite vulnerability (reported 
by NGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450]
Description: An unauthenticated attacker can potentially execute 
arbitrary code within the context of the database server.

2) Ingres remote unauthenticated pointer overwrite #2 (reported by 
NGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450]
Description: An unauthenticated attacker can exploit a pointer 
overwrite vulnerability to execute arbitrary code within the 
context of the database server.

3) Ingres wakeup file overwrite (reported by NGSSoftware) 
[Ingres bug 115913, CVE-2007-3337, CAID 35451]
Description: The "wakeup" binary creates a file named 
"alarmwkp.def" in the current directory, truncating the file if it 
already exists. The "wakeup" binary is setuid "ingres" and 
world-executable. Consequently, an attacker can truncate a file 
with the privileges of the "ingres" user.

4) Ingres uuid_from_char stack overflow (reported by NGSSoftware) 
[Ingres bug 115911, CVE-2007-3338, CAID 35452]
Description: An attacker can pass a long string as an argument to 
uuid_from_char() to cause a stack buffer overflow and the saved 
returned address can be overwritten.

5) Ingres verifydb local stack overflow (reported by NGSSoftware) 
[Ingres bug 115911, CVE-2007-3338, CAID 35452]
Description: A local attacker can exploit a stack overflow in the 
Ingres verifydb utility duve_get_args function.

6) Communication server heap corruption (reported by iDefense) 
[Ingres bug 117523, CVE-2007-3334, CAID 35453]
Description: An attacker can execute arbitrary code within the 
context of the communications server (iigcc.exe). This only 
affects Ingres on the Windows operating system. Reported by 
iDefense as IDEF2023.

7) Data Access/JDBC server heap corruption (reported by iDefense) 
[Ingres bug 117523, CVE-2007-3334, CAID 35453]
Description: An attacker can execute arbitrary code within the 
context of the Data Access server (iigcd.exe) in r3 or the JDCB 
server in older releases. This only affects Ingres on the Windows 
operating system. Reported by iDefense as IDEF2022.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a cumulative High 
risk rating.

Affected Products:
Advantage Data Transformer r2.2
AllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1
AllFusion Harvest Change Manager r7, r7.1
BrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, 
   Linux and Mainframe Linux)
BrightStor ARCserve Backup for Laptops and Desktops r11.5
BrightStor Enterprise Backup (Unix only) r10.5
BrightStor Storage Command Center r11.5
BrightStor Storage Resource Manager r11.5
CleverPath Aion Business Rules Expert r10.1
CleverPath Aion Business Process Monitoring r10.1
CleverPath Predictive Analysis Server r3
DocServer 1.1
eTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2
eTrust Audit r8 SP2
eTrust Directory r8.1
eTrust IAM Suite r8.0
eTrust IAM Toolkit r8.0, r8.1
eTrust Identity Manager r8.1
eTrust Network Forensics r8.1
eTrust Secure Content Manager r8
eTrust Single Sign-On r7, r8, r8.1
eTrust Web Access Control 1.0
Unicenter Advanced Systems Management r11
Unicenter Asset Intelligence r11
Unicenter Asset Management r11
Unicenter Asset Portfolio Management r11.2.1, r11.3
Unicenter CCS r11
Unicenter Database Command Center r11.1
Unicenter Desktop and Server Management r11
Unicenter Desktop Management Suite r11
Unicenter Enterprise Job Manager r1 SP3, r1 SP4
Unicenter Job Management Option r11
Unicenter Lightweight Portal 2
Unicenter Management Portal r3.1.1
Unicenter Network and Systems Management r3.0, r11
Unicenter Network and Systems Management - Tiered - Multi Platform 
   r3.0 0305, r3.1 0403, r11.0
Unicenter Patch Management r11
Unicenter Remote Control 6, r11
Unicenter Service Accounting r11, r11.1
Unicenter Service Assure r2.2, r11, r11.1
Unicenter Service Catalog r11, r11.1
Unicenter Service Delivery r11.0, r11.1
Unicenter Service Intelligence r11
Unicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1
Unicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, 
   r11.1, r11.2
Unicenter Software Delivery r11
Unicenter TNG 2.4, 2.4.2, 2.4.2J
Unicenter Workload Control Center r1 SP3, r1 SP4
Unicenter Web Services Distributed Management 3.11, 3.50
Wily SOA Manager 7.1

Affected Platforms:
All operating system platforms supported by the various CA 
products that embed Ingres. This includes Windows, Linux, and 
supported UNIX platforms.

Status and Recommendation:
CA recommends that customers apply the appropriate fix(es) listed 
on the Security Notice page: 
http://supportconnectw.ca.com/premium/ca_common_docs/ingres/ingres_secnotic
e.asp

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for these vulnerabilities:
Ingres Security Alert
http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp
Important Security Notice for Customers Using Products That Embed 
Ingres
http://supportconnectw.ca.com/premium/ca_common_docs/ingres/ingres_secnotic
e.asp
CA Security Advisor posting: 
CA Products That Embed Ingres Multiple Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778
CA Vuln ID (CAID): 35450, 35451, 35452, 35453
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35450
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35451
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35452
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35453
Ingres knowledge base document:
http://servicedesk.ingres.com/CAisd/pdmweb.ingres?OP=SHOW_DETAIL+PERSID=KD:
415738+HTMPL=kt_document_view.htmpl
Reported By: NGSSoftware, and iDefense
NGSSoftware Advisory: 
http://www.ngssoftware.com/research/advisories/
iDefense Advisory: 
Ingres Database Multiple Heap Corruption Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=546
CVE References:
CVE-2007-3336, CVE-2007-3337, CVE-2007-3338, CVE-2007-3334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3334
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a 
Vulnerability" form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749
        
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFGe9YqeSWR3+KUGYURAvY1AJ9hZG1D3gnNiE9proluMzGi9/X21wCeKlmm
fcGU0w2ZcX1NIj3oxbnOLzI=
=Nzdp
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [CAID 35450, 35451, 35452, 35453]: CA Products That Embed Ingres Multiple Vulnerabilities Williams, James K (Jun 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault