CA20091208-01 : Security Notice for CA Service Desk

Issued: December 8, 2009

CA's support is alerting customers to a security risk with CA Service Desk. A cross-site scripting vulnerability exists that can allow a remote attacker to potentially gain sensitive information. CA has issued patches to address the vulnerability.

The vulnerability, CVE-2009-4149, is due to insufficient verification of a web interface variable. An attacker, who can lure a user into following a URL, can conduct cross-site scripting.

Risk Rating

Low

Platforms

Windows, AIX, HP, Sun, Linux

Affected Products

CA Service Desk 12.1

How to determine if the installation is affected

CA Service Desk 12.1

Windows Environment:

  1. Locate the files "webengine.exe" and "freeaccess.spl". The files are located in the "$NX_ROOT\bin" and "$NX_ROOT\bopcfg\www" directory respectively.

  2. Right click on each of the files and select Properties.

  3. Select the General tab.

  4. If either file timestamp is earlier than indicated in the below table, the installation is vulnerable.
File Name Timestamp Size Size on disk
webengine.exe 10/30/2009 12:11:16 PM 2936832 bytes 2936832 bytes
freeaccess.spl 10/23/2009 11:24:08 AM 1010489 bytes 1011712 bytes

 

AIX Environment:

  1. Locate the files "webengine" and "freeaccess.spl". The files are located in the "$NX_ROOT/bin" and "$NX_ROOT/bopcfg/www" directory respectively.

  2. Right click on each of the files and select Properties.

  3. Select the General tab.

  4. If either file timestamp is earlier than indicated in the below table, the installation is vulnerable.
File Name Timestamp Size Size on disk
webengine 11/03/2009 4:58:00 AM 7698261 bytes 7700480 bytes
freeaccess.spl 10/26/2009 5:32:00 AM 1010490 bytes 1011712 bytes

 

HP Environment:

  1. Locate the files "webengine" and "freeaccess.spl". The files are located in the "$NX_ROOT/bin" and "$NX_ROOT/bopcfg/www" directory respectively.

  2. Right click on each of the files and select Properties.

  3. Select the General tab.

  4. If either file timestamp is earlier than indicated in the below table, the installation is vulnerable.
File Name Timestamp Size Size on disk
webengine 11/03/2009 5:25:00 AM 6635681 bytes 7700480 bytes
freeaccess.spl 10/27/2009 1:20:00 AM 6639616 bytes 1011712 bytes

 

SUN Environment:

  1. Locate the files "webengine" and "freeaccess.spl". The files are located in the "$NX_ROOT/bin" and "$NX_ROOT/bopcfg/www" directory respectively.

  2. Right click on each of the files and select Properties.

  3. Select the General tab.

  4. If either file timestamp is earlier than indicated in the below table, the installation is vulnerable.
File Name Timestamp Size Size on disk
webengine 11/03/2009 5:05:00 AM 4076264 bytes 4079616 bytes
freeaccess.spl 10/26/2009 8:23:00 AM 1010490 bytes 1011712 bytes

 

Linux Environment:

  1. Locate the files "webengine" and "freeaccess.spl". The files are located in the "$NX_ROOT/bin" and "$NX_ROOT/bopcfg/www" directory respectively.

  2. Right click on each of the files and select Properties.

  3. Select the General tab.

  4. If either file timestamp is earlier than indicated in the below table, the installation is vulnerable.
File Name Timestamp Size Size on disk
webengine 11/03/2009 4:23:00 AM 3772416 bytes 3772416 bytes
freeaccess.spl 10/26/2009 7:25:00 AM 1010490 bytes 1011712 bytes

 

Solution

CA has issued the following patches to address the vulnerability.

CA Service Desk 12.1 Windows:

RO12848

CA Service Desk 12.1 AIX:

RO12851

CA Service Desk 12.1 HP:

RO12853

CA Service Desk 12.1 Sun:

RO12857

CA Service Desk 12.1 Linux:

RO12855

Workaround

To reduce exposure, only give trusted resources analyst privilege.

References

CVE-2009-4149 - Service Desk XSS

Acknowledgement

CVE-2009-4149 - anonymous

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Support at http://support.ca.com/.

If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.

Chat with CA

Just give us some brief information and we'll connect you to the right CA ExpertCA sales representative.

Our hours of availability are 8AM - 5PM CST.

All Fields Required

connecting

We're matching your request.

Unfortunately, we can't connect you to an agent. If you are not automatically redirected please click here.

  • {{message.agentProfile.name}} will be helping you today.

    View Profile


  • Transfered to {{message.agentProfile.name}}

    {{message.agentProfile.name}} joined the conversation

    {{message.agentProfile.name}} left the conversation

  • Your chat with {{$storage.chatSession.messages[$index - 1].agentProfile.name}} has ended.
    Thank you for your interest in CA.


    Rate Your Chat Experience.

    {{chat.statusMsg}}

agent is typing