Important Security Notice
Unicenter Remote Control 6.0
The Computer Associates Technical Support team wishes to alert our customers about potential system security vulnerabilities that we have recently discovered regarding the following products.
|Affected products: || |
Unicenter Remote Control 6.0 GA (Build 188.8.131.52)
Unicenter Remote Control 6.0 French Version
Unicenter Remote Control 6.0 German Version
| || |
|Affected component: ||Unicenter Remote Control (URC) 6.0 Host |
System Security Vulnerability
A security vulnerability exists in the URC 6.0 Host service. The vulnerability exists because the host indirectly allows any application to be run under the same account that the host itself runs under. Since this account is typically "local system", this gives an attacker very high privileges.
To exploit this vulnerability, the attacker would require direct or remote access to the computer's desktop.
In the worst case, the attacker could run the command prompt as local system providing privileges above those intended for the user.
Denial of Service Attack
A vulnerability exists in the URC 6.0 Host service which could lead to a denial of service attack on a computer running the host.
To exploit this vulnerability, the attacker would have to bombard the host's port with bogus connection requests. The impact of this is to cause the machine to run at 100% CPU, preventing it from performing other tasks.
Affected Operating Systems: Win 95, Win 98, Win ME, Win NT, Win 2000, Win XP, Win 2003
A resolution to these problems has been published and we advise customers to apply the patch as advised by the table below:
|Unicenter Remote Control 6.0 GA (184.108.40.206) ||QO48417 / QO48929 * |
|Unicenter Remote Control 6.0 French Version ||QO49825 |
|Unicenter Remote Control 6.0 German Version ||QO49826 |
* QO48929: To update the preconfigured Unicenter Remote Control deployment packages for deployment of Unicenter Remote Control 6.0 GA (220.127.116.11)
Please note the Language certification fix, QO48974, has the system vulnerability fixes already included.