CA20170504-01: Security Notice for CA Client Automation OS
Installation Management
Issued: May 4, 2017
Last Updated: May 4, 2017
CA Technologies is alerting customers to a potential risk with CA
Client Automation OS Installation Management. A vulnerability exists
that can allow a local attacker to gain sensitive information on
operating system installations created by CA Client Automation OS
Installation Management. A solution is available.
The vulnerability, CVE-2017-8391, occurs due to insecure storage of
account credentials used by OS Installation Management during
operating system installation. A local attacker can potentially
access a sensitive file containing account credentials and decrypt
a password. Depending on the privileges associated with the
credentials, an attacker can potentially gain further access. This
vulnerability only affects operating system installations created by
CA Client Automation with OS Installation Management.
Risk Rating
High
Platform(s)
Windows, Linux
Affected Products
Only CA Client Automation releases implementing OS Installation
Management are vulnerable.
CA Client Automation r14.0, r14.0 SP1
CA Client Automation r12.9
CA Client Automation (formerly CA IT Client Manager) Release and
Support Lifecycle Dates
How to determine if the installation is affected
Customers may review the technical document in the solution section
to determine if any operating system installation created by CA
Client Automation OS Installation Management is affected.
Solution
CA Technologies published the following solution to address the
vulnerability.
CA Client Automation, all releases:
Follow the instructions in TEC1911981
References
CVE-2017-8391 - Client Automation OS Installation Management
insecure password storage
Acknowledgement
CVE-2017-8391 - Christoph Falta
Change History
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies
Support at https://support.ca.com/
If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln <AT> ca.com
Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782
Regards,
Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team
Copyright (c) 2017 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.