ZDI-11-126: CA Total Defense Suite Heartbeat Web Service Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-126
April 13, 2011
-- CVE ID:
CVE-2011-1654
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
(NVD scores CVE-2011-1654 lower, at 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P.)
-- Affected Vendors:
CA
-- Affected Products:
CA Total Defense Suite
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11071.
For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of CA Total Defense (the r12 Management Server,
per the vendor notice CA20110413-01). Authentication is not required to
exploit this vulnerability.
The specific flaw exists within CA.Itm.Server.ManagementWS.dll. The GUID
parameter of upload requests sent to FileUploadHandler.ashx is not
validated before it is used to build a file path, so a remote
unauthenticated attacker can place directory traversal sequences in it,
write the uploaded file to an arbitrary location on the server, and then
execute it in the context of the CA Total Defense Heartbeat Web service.
The Heartbeat Web service listens on TCP port 8008 for HTTP and on
port 44344 for HTTPS.
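The file write described above, as an added example that is not ZDI's, CA's or the product's code: a naive handler joins the GUID parameter straight into the upload path, the hardened version allow-lists the parameter and re-checks the resolved path, and a small scan over web-server log lines flags FileUploadHandler.ashx requests whose GUID is not a well-formed GUID (which catches plain, encoded and double-encoded traversal alike). The upload root, the W3C-style log lines and the traversal targets are constructed assumptions, not details from the advisory.

```python
"""Added example (not code from ZDI, CA or the product): models the GUID
traversal in FileUploadHandler.ashx, an allow-list fix, and a log check.
UPLOAD_ROOT, the log format and the traversal targets are assumptions."""
import ntpath
import re
from urllib.parse import parse_qs, unquote

# Assumed upload root of the Heartbeat Web service on the Windows management
# server; hypothetical path, not taken from the product.
UPLOAD_ROOT = r"C:\Program Files\CA\TotalDefense\Uploads"

# Canonical 8-4-4-4-12 hex form of a GUID.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def canonical_guid(value):
    """Return the lowercase canonical GUID, or None if value is not one.
    Surrounding braces are accepted the way .NET's Guid parser accepts them."""
    if value.startswith("{") and value.endswith("}"):
        value = value[1:-1]
    return value.lower() if GUID_RE.match(value) else None


def naive_upload_path(guid, filename):
    """Vulnerable pattern: the GUID becomes a directory name unchecked, so
    '..' sequences in it walk out of UPLOAD_ROOT. ntpath is used so the
    Windows path semantics hold wherever this example runs."""
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, guid, filename))


def safe_upload_path(guid, filename):
    """Hardened pattern: allow-list the GUID, accept only a bare file name,
    and still verify the resolved path stays under UPLOAD_ROOT."""
    clean = canonical_guid(guid)
    if clean is None:
        raise ValueError("GUID parameter is not a well-formed GUID")
    if (filename in ("", ".", "..") or ":" in filename
            or ntpath.basename(filename) != filename):
        raise ValueError("filename must be a bare file name")
    full = ntpath.normpath(ntpath.join(UPLOAD_ROOT, clean, filename))
    root = ntpath.normpath(UPLOAD_ROOT) + "\\"
    if not full.lower().startswith(root.lower()):  # defence in depth
        raise ValueError("resolved path escapes the upload root")
    return full


def upload_is_rejected(guid, filename):
    """True if the hardened handler refuses this GUID/filename pair."""
    try:
        safe_upload_path(guid, filename)
    except ValueError:
        return True
    return False


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) for reporting."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# Constructed W3C-style lines (date time c-ip method uri-stem uri-query
# s-port status); not real CA Total Defense logs.
SAMPLE_LOG = [
    "2011-04-13 10:00:01 10.0.0.5 POST /FileUploadHandler.ashx "
    "GUID=3f2504e0-4f89-11d3-9a0c-0305e82c3301 8008 200",
    "2011-04-13 10:00:02 10.0.0.9 POST /FileUploadHandler.ashx "
    "GUID=..%2F..%2F..%2F..%2Fwwwroot 8008 200",
    "2011-04-13 10:00:03 10.0.0.9 POST /FileUploadHandler.ashx "
    "guid=%252e%252e%255c%252e%252e%255cstaged 8008 200",
    "2011-04-13 10:00:04 10.0.0.5 GET /Status.aspx - 8008 200",
]


def flag_upload_traversal(lines):
    """Return (client, decoded GUID) for FileUploadHandler.ashx requests whose
    GUID parameter is not a well-formed GUID. Testing against the allow-list
    instead of searching for '..' also catches encoded and double-encoded
    traversal sequences."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[4].lower() != "/fileuploadhandler.ashx":
            continue
        client, query = fields[2], fields[5]
        for key, values in parse_qs(query, keep_blank_values=True).items():
            if key.upper() != "GUID":
                continue
            for value in values:
                decoded = decode_fully(value)
                if canonical_guid(decoded) is None:
                    hits.append((client, decoded))
    return hits


if __name__ == "__main__":
    print(naive_upload_path("../../../../wwwroot", "x.aspx"))
    print(safe_upload_path("3f2504e0-4f89-11d3-9a0c-0305e82c3301", "x.bin"))
    for client, guid in flag_upload_traversal(SAMPLE_LOG):
        print(f"suspicious upload from {client}: GUID={guid!r}")
```

The allow-list is the important part: a deny-list on `..` misses percent-encoded and double-encoded forms, whereas a parameter that must parse as a GUID cannot carry path separators at all. The final prefix check in `safe_upload_path` is redundant once the GUID and filename are validated, but it is cheap and protects against a later change that loosens either check.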
-- Vendor Response:
CA has issued an update to correct this vulnerability: the CA Total
Defense r12 SE2 content update (available since April 4, 2011, and
applied automatically where content updates are enabled). After it is
installed, TD Management Server Core should report version 12.0.0.621
and UNC 12.0.0.622 or later; an installation with older versions of
either component may still be vulnerable. More details can be found at:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={CD065CEC-AFE2-4D9D-8E0B-BE7F6E345866}
-- Disclosure Timeline:
2011-01-21 - Vulnerability reported to vendor
2011-04-13 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Andrea Micalizzi aka rgod
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
-- Related Records:
CVE-2011-1654 (NVD, published 2011-04-18, CVSS 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P):
Directory traversal vulnerability in the Heartbeat Web Service in
CA.Itm.Server.ManagementWS.dll in the Management Server in CA Total
Defense (TD) r12 before SE2 allows remote attackers to execute arbitrary
code via directory traversal sequences in the GUID parameter in an upload
request to FileUploadHandler.ashx.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1654

SECURITYVULNS:VULN:11608 - CA TotalDefence multiple security
vulnerabilities: SQL injection, directory traversal, information leakage,
unauthorized access.
https://vulners.com/securityvulns/SECURITYVULNS:VULN:11608

-- Vendor Notice (SECURITYVULNS:DOC:26172):

CA20110413-01: Security Notice for CA Total Defense

Issued: April 13, 2011

CA Technologies support is alerting customers to security risks with
CA Total Defense. Multiple vulnerabilities exist that can allow a
remote attacker to possibly execute arbitrary code. CA issued an
automatic update to address the vulnerabilities.

The first set of vulnerabilities, CVE-2011-1653, are due to
insufficient handling of certain request parameters. A remote
attacker can use various SQL injection attacks to potentially
compromise the Unified Network Control (UNC) Server.

The second vulnerability, CVE-2011-1654, occurs due to insufficient
handling of file upload parameters. A remote attacker can upload a
file and use it to execute arbitrary code on the Total Defense
Management Server.

The third vulnerability, CVE-2011-1655, is due to insufficient
protection of sensitive information. A remote attacker can acquire
account credentials and take privileged action on the Unified Network
Control (UNC) Server.

Risk Rating: High

Platform: Windows

Affected Products: CA Total Defense r12

Non-Affected Products: CA Total Defense r12 SE2

How to determine if the installation is affected

These Total Defense components will be updated to the following
versions once SE2 is installed:

TD Management Server Core: 12.0.0.621
UNC: 12.0.0.622

If either component is not updated to the specified version or later,
the installation may be vulnerable.

Solution

Install the SE2 update. If content updates are enabled, the update
will happen automatically. The update was made available April 4,
2011.

See the following announcement for more information:

CA Total Defense r12 SE2 Content Update is Now Available
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={6C750E92-D109-4F7D-BA41-8D468B2E31B1}

References

CVE-2011-1653 - Total Defense SQL injections
CVE-2011-1654 - Total Defense file upload
CVE-2011-1655 - Total Defense credential exposure

CA20110413-01: Security Notice for CA Total Defense
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={CD065CEC-AFE2-4D9D-8E0B-BE7F6E345866}

Acknowledgement

CVE-2011-1653, CVE-2011-1654, CVE-2011-1655 - Andrea Micalizzi
through the TippingPoint ZDI

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at http://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Regards,

Kevin Kotas
CA Product Vulnerability Response Team