CA20170504-01: Security Notice for CA Client Automation OS Installation Management Issued: May 4, 2017 Last Updated: May 4, 2017 CA Technologies is alerting customers to a potential risk with CA Client Automation OS Installation Management. A vulnerability exists that can allow a local attacker to gain sensitive information on operating systems installations created by CA Client Automation OS Installation Management. A solution is available. The vulnerability, CVE-2017-8391, occurs due to insecure storage of account credentials used by OS Installation Management during operating system installation. A local attacker can potentially access a sensitive file containing account credentials and decrypt a password. Depending on the privileges associated with the credentials, an attacker can potentially gain further access. This vulnerability only affects operating system installations created by CA Client Automation with OS Installation Management. Risk Rating High Platform(s) Windows, Linux Affected Products Only CA Client Automation releases implementing OS Installation Management are vulnerable. CA Client Automation r14.0, r14.0 SP1 CA Client Automation r12.9 CA Client Automation (formerly CA IT Client Manager) Release and Support Lifecycle Dates How to determine if the installation is affected Customers may review the technical document in the solution section to determine if any operating system installation created by CA Client Automation OS Installation Management is affected. Solution CA Technologies published the following solution to address the vulnerability. CA Client Automation, all releases: Follow the instructions in TEC1911981 References CVE-2017-8391 - Client Automation OS Installation Management insecure password storage Acknowledgement CVE-2017-8391 - Christoph Falta Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com/ If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln <AT> ca.com Security Notices and PGP key support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Regards, Kevin Kotas Vulnerability Response Director CA Technologies Product Vulnerability Response Team Copyright (c) 2017 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.