In association with heise online

27 September 2007, 13:25

CA BrightStor Hierarchical Storage Manager executes arbitrary code

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Computer Associates have released a security advisory in which they report the discovery of vulnerabilities in their BrightStor Hierarchical Storage Manager. Attackers can exploit the holes to inject arbitrary code or crash the service. An update has been released to close the holes.

Whilst the CA advisory does not provide any details of the vulnerabilities, it does categorize the risk as critical. The vendor indicates that the CsAgent service does not check the length of some commands adequately. In addition, the software does not correctly check integer values it receives, which can result in buffer overflows. The result of the insufficient validation of strings in SQL statements remains unclear.

The advisory mentions entries in the Common Vulnerabilities and Exposures (CVE) database, but they have not yet been published. However, security service providers iDefense and TippingPoint, who originally reported the flaws to CA, will probably soon release their own security advisories containing detailed descriptions of the vulnerabilities.

According to CA, the version 11.5 and previous versions of the Hierarchical Storage Manager's CsAgent service for Windows are affected. Updating to version 11.6 closes the holes. Administrators are advised to install the update immediately.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit