CA BrightStor Hierarchical Storage Manager executes arbitrary code
Computer Associates have released a security advisory in which they report the discovery of vulnerabilities in their BrightStor Hierarchical Storage Manager. Attackers can exploit the holes to inject arbitrary code or crash the service. An update has been released to close the holes.
Whilst the CA advisory does not provide any details of the vulnerabilities, it does categorize the risk as critical. The vendor indicates that the CsAgent service does not check the length of some commands adequately. In addition, the software does not correctly check integer values it receives, which can result in buffer overflows. The result of the insufficient validation of strings in SQL statements remains unclear.
The advisory mentions entries in the Common Vulnerabilities and Exposures (CVE) database, but they have not yet been published. However, security service providers iDefense and TippingPoint, who originally reported the flaws to CA, will probably soon release their own security advisories containing detailed descriptions of the vulnerabilities.
According to CA, the version 11.5 and previous versions of the Hierarchical Storage Manager's CsAgent service for Windows are affected. Updating to version 11.6 closes the holes. Administrators are advised to install the update immediately.
- CA BrightStor Hierarchical Storage Manager CsAgent Security Notice, Security advisory from CA
- Download the update (registration required)