Title: CA20090107-01: CA Service Metric Analysis and CA Service
Level Management smmsnmpd Arbitrary Command Execution
Vulnerability
CA Advisory Reference: CA20090107-01
CA Advisory Date: 2009-01-07
Reported By:
Michel Arboi of Tenable Network Security
Impact: A remote attacker can execute arbitrary commands.
Summary: CA Service Metric Analysis and CA Service Level
Management contain a vulnerability that can allow a remote
attacker to execute arbitrary commands. CA has issued patches to
address the vulnerability. The vulnerability, CVE-2009-0043,
is due to insufficient access restrictions associated with the
smmsnmpd service. A remote attacker can exploit this vulnerability
to execute arbitrary commands in the context of the service.
Mitigating Factors: None
Severity: CA has given this vulnerability a High risk rating.
Affected Products:
CA Service Level Management 3.5
CA Service Metric Analysis r11.0
CA Service Metric Analysis r11.1
CA Service Metric Analysis r11.1 SP1
Affected Platforms:
Windows
Status and Recommendation:
CA has issued the following patches to address the
vulnerability.
CA Service Level Management 3.5:
RO04649
CA Service Metric Analysis r11.0:
RO04653
CA Service Metric Analysis r11.1,
CA Service Metric Analysis r11.1 SP1:
RO04667
How to determine if you are affected:
Workaround: None
References (URLs may wrap):
CA Support:
http://support.ca.com/
CA20090107-01: Security Notice for CA Service Metric Analysis and
CA Service Level Management
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=196148
Solution Document Reference APARs:
RO04649, RO04653, RO04667
CA Security Response Blog posting:
CA20090107-01: CA Service Metric Analysis and CA Service Level
Management smmsnmpd Arbitrary Command Execution Vulnerability
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/07.aspx
Reported By:
Michel Arboi of Tenable Network Security
http://www.tenablesecurity.com/
CVE References:
CVE-2009-0043 - SMA smmsnmpd command execution
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0043
OSVDB References: Pending
http://osvdb.org/
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://support.ca.com.
For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.