Issued: May 04, 2017
Last Updated: May 04, 2017
CA Technologies is alerting customers to a potential risk with CA Client Automation OS Installation Management. A vulnerability exists that can allow a local attacker to gain sensitive information on operating system installations created by CA Client Automation OS Installation Management. A solution is available.
The vulnerability, CVE-2017-8391, occurs due to insecure storage of account credentials used by OS Installation Management during operating system installation. A local attacker can potentially access a sensitive file containing account credentials and decrypt a password. Depending on the privileges associated with the credentials, an attacker can potentially gain further access. This vulnerability only affects operating system installations created by CA Client Automation with OS Installation Management.
Only CA Client Automation releases implementing OS Installation Management are vulnerable.
CA Client Automation r14.0, r14.0 SP1
CA Client Automation r12.9
How to determine if the installation is affected
Customers may review the technical document in the solution section to determine if any operating system installation created by CA Client Automation OS Installation Management is affected.
CA Technologies published the following solution to address the vulnerability.
CA Client Automation, all releases:
Follow the instructions in TEC1911981
CVE-2017-8391 - Client Automation OS Installation Management insecure password storage
CVE-2017-8391 - Christoph Falta
Version 1.0: Initial Release
A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.
If additional information is required, please contact CA Technologies Support at http://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.