CA Products Scan Job Description Format String Vulnerability

Affected Software:

CA eTrust PestPatrol Anti-Spyware Corporate Edition 8.x
CA Integrated Threat Management (ITM) 8.x
eTrust Antivirus 8.x


A vulnerability has been reported in some CA products, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.


The vulnerability is caused by a format string error in the handling of the description field of a scan job. This can be exploited to cause the affected products to crash and may allow arbitrary code execution via a specially crafted scan job description that contains format string specifiers.
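The bug class described above, shown from the defensive side as an added C example (not CA's code, which the advisory does not show). It keeps a user-supplied description as data rather than as the format string, and flags descriptions that contain conversion specifications. The function names and sample descriptions are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: render a scan job description into a log line.
 * The unsafe pattern is snprintf(out, n, desc), where the description
 * itself is parsed as the format string. Here the format is a constant
 * and desc is passed only as an argument, so it is copied verbatim. */
int format_job_line(char *out, size_t n, const char *desc)
{
    return snprintf(out, n, "scan job: %s", desc);
}

/* Count printf-style conversion specifications in untrusted text so a
 * stored description can be flagged for review. "%%" is a literal
 * percent sign and is not counted. */
int count_format_specs(const char *s)
{
    int count = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                  /* step past '%' */
        if (*s == '%') { s++; continue; }     /* escaped percent */
        /* skip flags, width, precision and length modifiers */
        s += strspn(s, "-+ #0123456789.*$hlLqjzt");
        if (*s != '\0' && strchr("diouxXeEfFgGaAcspn", *s) != NULL) {
            count++;
            s++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample descriptions, not taken from the advisory. */
    const char *samples[] = {
        "Nightly scan of C:\\", "100%% coverage", "weekly %x %08x %s"
    };
    char line[128];
    for (size_t i = 0; i < 3; i++) {
        format_job_line(line, sizeof line, samples[i]);
        printf("%-40s specs=%d\n", line, count_format_specs(samples[i]));
    }
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn about the unsafe pattern when the format argument is not a string literal.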


Successful exploitation requires that the user is able to create a scan job.


The vulnerability has been reported in the following products:
* CA Integrated Threat Management r8
* eTrust Antivirus r8
* eTrust PestPatrol Anti-Spyware Corporate Edition r8


Solution: The vulnerability has been fixed in Content Update build 432 via the content update mechanism.


http://secunia.com/advisories/20856/
