CA Hierarchical Storage Manager Buffer Overflow Vulnerabilities
TPTI-07-16: October 2nd, 2007
Hierarchical Storage Manager r11.5
TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4922. For further product information on the TippingPoint IPS:
These vulnerabilities allow a remote attacker to execute arbitrary code on vulnerable installations of Computer Associates' BrightStor Hierarchical Storage Manager. Authentication is not required to exploit these vulnerabilities.
The specific flaws exist in the CsAgent service that listens by default on TCP port 2000. An opcode parsing switch statement multiplexes data funneling across various vulnerable routines. A user-supplied DWORD size value is assumed by the vulnerable agent to contain the correct length of the subsequent data and is passed directly to memory allocation routines. At least 26 out of the available 68 opcodes are vulnerable to various overflows that allow for remote code execution due to insecure data copy operations, including: 0x01, 0x06 - 0x09, 0x0d, 0x10, 0x16 - 0x18, 0x1E, 0x1F, 0x21, 0x22, 0x26, 0x27, 0x29, 0x32, 0x36, 0x38, 0x3A - 0x3C, 0x3E and 0x40.
Computer Associates has issued an update to correct this vulnerability. More details can be found at:
2006-11-01 - Vulnerability reported to vendor
2007-10-02 - Coordinated public release of advisory
This vulnerability was discovered by:
Aaron Portnoy, TippingPoint DVLabs