CA Technologies released an update to mitigate a directory traversal vulnerability in its Unified Infrastructure Management application, according to a report from ICS-CERT.
This vulnerability, discovered by independent researcher Andrea Micalizzi working with Zero Day Initiative, is remotely exploitable.
Unified Infrastructure Management Version 8.4 Service Pack 1 and older versions suffer from the vulnerability.
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside the restricted directory. The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
CA Technologies is a United States-based company that maintains offices in several countries around the world, including the U.S., UK, Netherlands, Brazil, India, Germany, France, Korea, China, and Japan.
The affected product, Unified Infrastructure Management, is a web-based SCADA system. The software is used primarily in the information technology sector, mostly in the United States and Europe, with a small percentage in Asia.
The Unified Infrastructure Management software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as “..” that can resolve to a location outside of that directory.
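The weakness described here and in the earlier summary of the flaw can be shown with a short added Python example, which is not CA's code and not taken from the advisory: a naive path join next to a check that canonicalizes the path and confirms it stays inside the restricted directory. The directory names and sample inputs are constructed for illustration.

```python
import os
import tempfile


def naive_resolve(base_dir, user_path):
    """Weak pattern: external input is joined to the base with no '..' handling."""
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir, user_path):
    """Return the canonical path if it stays under base_dir, else raise ValueError."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks; an absolute user_path
    # replaces base in the join, and the check below catches that too.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so a sibling such as
    # 'restricted-other' is not mistaken for 'restricted'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes restricted directory: {user_path!r}")
    return candidate


def demo():
    """Return {label: (naive_escapes, safe_allows)} for constructed inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "restricted")  # hypothetical restricted directory
        os.makedirs(os.path.join(base, "reports"))
        real_base = os.path.realpath(base)
        samples = {  # constructed inputs, not taken from the advisory
            "inside": "reports/today.txt",
            "normalized_inside": "reports/../reports/today.txt",
            "dotdot": "reports/../../outside.txt",
            "sibling_prefix": "../restricted-other/file.txt",
            "absolute": os.path.join(root, "outside.txt"),
        }
        for label, path in samples.items():
            naive = os.path.realpath(naive_resolve(base, path))
            naive_escapes = os.path.commonpath([real_base, naive]) != real_base
            try:
                safe_resolve(base, path)
                safe_allows = True
            except ValueError:
                safe_allows = False
            results[label] = (naive_escapes, safe_allows)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The sibling-directory case is the one a plain string-prefix comparison would miss, which is why the check compares path components after canonicalization.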
CVE-2016-5803 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.
CA Technologies recommends users upgrade to UIM 8.47, which is available at the CA Support Download Center.
UIM SNAP users should upgrade to the latest version available at the CA Support Download Center.
CA Technologies has released a security notice entitled CA20161109-01: Security Notice for CA Unified Infrastructure Management.