July 2007

ID: 3279
Date: 26 July 2007 15:16

---

Title: 3279 - Computer Associates Security Advisories
Abstract: Description of a number of some vulnerabilities in CA products.
Vendors affected:CA
Availability of fix: Available
Type of fix: Patch
Source: CA
Reliability of source: Known
Source URL: http://www.ca.com

Title: (CAID 35527): CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability

CA Vuln ID (CAID): 35527

CA Advisory Date: 2007-07-24

Reported By: Paul Mehta of ISS X-Force

Impact: A remote attacker can execute arbitrary code.

Summary: Multiple CA products that utilize CA Message Queuing (CAM / CAFT) software contain a buffer overflow vulnerability. The vulnerability, CVE-2007-0060, is a buffer overflow that can allow a remote attacker to execute arbitrary code by sending a specially crafted message to TCP port 3104.

Mitigating Factors: None

Severity: CA has given this vulnerability a High risk rating.

Affected Versions of CA Message Queuing (CAM / CAFT):
This vulnerability affects all versions of the CA Message Queuing software prior to v1.11 Build 54_4 on the specified platforms. 
i.e. CAM versions 1.04, 1.05, 1.06, 1.07, 1.10 (prior to Build
54_4) and 1.11 (prior to Build 54_4).

Affected Products:
Advantage Data Transport 3.0
BrightStor SAN Manager 11.1, 11.5
BrightStor Portal 11.1
CleverPath OLAP 5.1
CleverPath ECM 3.5
CleverPath Predictive Analysis Server 2.0, 3.0 CleverPath Aion 10.0 eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1 Unicenter Application Performance Monitor 3.0, 3.5 Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0,
   4.0 SP1
Unicenter Data Transport Option 2.0
Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2 Unicenter Jasmine 3.0 Unicenter Management for WebSphere MQ 3.5 Unicenter Management for Microsoft Exchange 4.0, 4.1 Unicenter Management for Lotus Notes/Domino 4.0 Unicenter Management for Web Servers 5, 5.0.1 Unicenter NSM 3.0, 3.1 Unicenter NSM Wireless Network Management Option 3.0 Unicenter Remote Control 6.0, 6.0 SP1 Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5 Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0,
   4.0 SP1
Unicenter TNG 2.1, 2.2, 2.4, 2.4.2
Unicenter TNG JPN 2.2

Affected Platforms:
Windows and NetWare

Platforms NOT affected:
AIX, AS/400, DG Intel, DG Motorola, DYNIX, HP-UX, IRIX, Linux Intel, Linux s/390, MVS, Open VMS, OS/2, OSF1, Solaris Intel, Solaris Sparc and UnixWare.

Status and Recommendation:
CA has made patches available for all affected products.  These patches are independent of the CA Software that installed CAM. 
Simply select the patch appropriate to the platform, and the installed version of CAM, and follow the patch application instructions.  You should also review the product home pages on SupportConnect for any additional product specific instructions.

Solutions for CAM:
Platform     Solution
Windows      QO89945
NetWare      QO89943

How to determine if you are affected:

Determining CAM versions:
Simply running camstat will return the version information in the top line of the output on any platform.  The camstat command is located in the bin subfolder of the installation directory.

The example below indicates that CAM version 1.11 build 27 increment 2 is running.

  Determining the CAM install directory:

Windows: The install location is specified by the %CAI_MSQ%
   environment variable.
Unix/Linux/Mac: The /etc/catngcampath text file holds the CAM
   install location.

Workaround:
The affected listening port can be disabled by creating or updating CAM's configuration file, CAM.CFG, with the following entry under the "*CONFIG" section:

   *CONFIG
   cas_port=0

The CA Messaging Server must be recycled in order for this to take effect.  We advise that products dependent upon CAM should be shutdown prior to recycling CAM.  Once dependent products have been shutdown, CAM can be recycled with the following commands:

   On Windows:
      camclose
      cam start

   On NetWare:
      load camclose
      load cam start

Once CAM has been restarted, any CAM dependent products that were shutdown can be restarted.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
Security Notice for CA Message Queuing (CAM / CAFT) vulnerability http://supportconnectw.ca.com/public/dto_transportit/infodocs/camsgquevul-secnot.asp
Solution Document Reference APARs:
QO89945, QO89943
CA Security Advisor posting:
CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149809
CA Vuln ID (CAID): 35527
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35527
Reported By: Paul Mehta of ISS X-Force
ISS X-Force advisory:
Computer Associates (CA) Message Queuing buffer overflow http://iss.net/threats/272.html
http://xforce.iss.net/xforce/xfdb/32234
CVE References:
CVE-2007-0060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0060
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com/.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749
 
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.

 

Title: (CAID 35525, 35526): CA Products Arclib Library Denial of Service Vulnerabilities

CA Vuln ID (CAID): 35525, 35526

CA Advisory Date: 2007-07-24

Reported By:
CVE-2006-5645 - Titon of BastardLabs and Damian Put
   <pucik at overflow dot pl> working with the iDefense VCP.
CVE-2007-3875 - An anonymous researcher working with the iDefense
   VCP.
Sergio Alvarez of n.runs AG also reported these issues.

Impact: A remote attacker can cause a denial of service.

Summary: CA products that utilize the Arclib library contain two denial of service vulnerabilities. The first vulnerability, CVE-2007-3875, is due to an application hang when processing a specially malformed CHM file. The second vulnerability, CVE-2006-5645, is due to an application hang when processing a specially malformed RAR file.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Medium risk rating.

Affected Products:
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.0,
   7.1, r8, r8.1
CA Anti-Virus 2007 (v8)
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3)
eTrust Internet Security Suite r1, r2
eTrust EZ Armor r1, r2, r3.x
CA Threat Manager for the Enterprise (formerly eTrust Integrated
   Threat Management) r8
CA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus
   Gateway) 7.1
CA Protection Suites r2, r3
CA Secure Content Manager (formerly eTrust Secure Content Manager)
   1.1, 8.0
CA Anti-Spyware for the Enterprise (Formerly eTrust PestPatrol)
   r8, 8.1
CA Anti-Spyware 2007
Unicenter Network and Systems Management (NSM) r3.0, r3.1, r11,
   r11.1
BrightStor ARCserve Backup v9.01, r11 for Windows, r11.1, r11.5 BrightStor Enterprise Backup r10.5 BrightStor ARCserve Client agent for Windows eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1 CA Common Services (CCS) r11, r11.1 CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

Status and Recommendation:
CA has provided an update to address the vulnerabilities. The updated Arclib library is provided in automatic content updates with most products. Ensure that the latest content update is installed. In the case where automatic updates are not available, use the following product specific instructions.

CA Secure Content Manager 1.1:
Apply QO89469.

CA Secure Content Manager 8.0:
Apply QO87114.

Unicenter Network and Systems Management (NSM) r3.0:
Apply QO89141.

Unicenter Network and Systems Management (NSM) r3.1:
Apply QO89139.

Unicenter Network and Systems Management (NSM) r11:
Apply QO89140.

Unicenter Network and Systems Management (NSM) r11.1:
Apply QO89138.

CA Common Services (CCS) r11:
Apply QO89140.

CA Common Services (CCS) r11.1:
Apply QO89138.

CA Anti-Virus Gateway 7.1:
Apply QO89381.

eTrust Intrusion Detection 2.0 SP1:
Apply QO89474.

eTrust Intrusion Detection 3.0:
Apply QO86925.

eTrust Intrusion Detection 3.0 SP1:
Apply QO86923.

CA Protection Suites r2:
Apply updates for CA Anti-Virus 7.1.

BrightStor ARCserve Backup and BrightStor ARCserve Client agent for Windows:

Manually replace the arclib.dll file with the one provided in the CA Anti-Virus 7.1 fix set.

1. Locate and rename the existing arclib.dll file.
2. Download the CA Anti-Virus 7.1 patch that matches the host
   operating system.
3. Unpack the patch and place the arclib.dll file in directory
   where the existing arclib.dll file was found in step 1.
4. Reboot the host.

CA Anti-Virus 7.1 (non Windows):

T229327 – Solaris – QO86831
T229328 – Netware – QO86832
T229329 – MacPPC – QO86833
T229330 – MacIntel – QO86834
T229331 – Linux390 – QO86835
T229332 – Linux – QO86836
T229333 – HP-UX – QO86837

CA Anti-Virus 7.1 (Windows):

T229337 – NT (32 bit) – QO86843
T229338 – NT (AMD64) – QO86846

CA Threat Manager for the Enterprise r8.1 (non Windows):

T229334 – Linux – QO86839
T229335 – Mac – QO86828
T229336 – Solaris – QO86829

How to determine if you are affected:
For products on Windows:
1. Using Windows Explorer, locate the file “arclib.dll”. By
   default, the file is located in the
   “C:\Program Files\CA\SharedComponents\ScanEngine” directory(*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the table
   below, the installation is vulnerable.

File Name    File Version
arclib.dll   7.3.0.9

*For eTrust Intrusion Detection 2.0 the file is located in “Program Files\eTrust\Intrusion Detection\Common”, and for eTrust Intrusion Detection 3.0 and 3.0 sp1, the file is located in “Program Files\CA\Intrusion Detection\Common”.

For CA Anti-Virus r8.1 on non-Windows:
Use the compver utility provided on the CD to determine the version of arclib.dll. The same version information above applies.

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
Security Notice for CA Products Containing Arclib http://supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot.asp
Solution Document Reference APARs:
QO89469, QO87114, QO89141, QO89139, QO89140, QO89138, QO89140, QO89138, QO89381, QO89474, QO86925, QO86923, QO86831, QO86832, QO86833, QO86834, QO86835, QO86836, QO86837, QO86843, QO86846, QO86839, QO86828, QO86829 CA Security Advisor posting:
CA Products Arclib Library Denial of Service Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149847
CA Vuln ID (CAID): 35525, 35526
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35525
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35526
Reported By:
CVE-2006-5645 - Titon of BastardLabs and Damian Put
   <pucik at overflow dot pl> working with the iDefense VCP.
CVE-2007-3875 - An anonymous researcher working with the iDefense
   VCP.
Sergio Alvarez of n.runs AG also reported these issues.
iDefense advisories:
Computer Associates AntiVirus CHM File Handling DoS Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=567
Multiple Vendor Antivirus RAR File Denial of Service Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=439
CVE References:
CVE-2006-5645, CVE-2007-3875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5645
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3875
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com/.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749
 
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.

 

Title: (CAID 35524): eTrust Intrusion Detection caller.dll Vulnerability

CA Vuln ID (CAID): 35524

CA Advisory Date: 2007-07-24

Reported By: Sebastian Apelt working with the iDefense VCP

Impact: A remote attacker can execute arbitrary code.

Summary: CA eTrust Intrusion Detection contains a vulnerability associated with the caller.dll ActiveX control. The vulnerability, CVE-2007-3302, is due to the caller.dll ActiveX control being marked safe for scripting. An attacker, who can lure a user into visiting a malicious website, can potentially gain complete control of an affected installation.

Mitigating Factors:
1) Attack can only be executed if victim is using a web browser.
2) Attacker must trick victim into visiting a malicious web page.
3) Malicious code will be executed with privileges of currently
   logged in user.

Severity: CA has given this vulnerability a High risk rating.

Affected Products:
eTrust Intrusion Detection 3.0
eTrust Intrusion Detection 3.0 SP1

Affected Platforms:
Windows

Status and Recommendation:
CA has provided updates to address the vulnerabilities.

eTrust Intrusion Detection 3.0 - apply QO89893

eTrust Intrusion Detection 3.0 SP1 - apply QO89881

How to determine if you are affected:
For Windows:
1. Using Windows Explorer, locate the file “caller.dll”. By
   default, the file is located in the
   “C:\Program Files\CA\eTrust Intrusion Detection\Common”
   directory.
2. Right click on the file and select Properties.
3. For eTrust Intrusion Detection 3.0 SP1, select the Version tab,
   or, for eTrust Intrusion Detection 3.0, select the General tab.
4. If the file version or date is earlier than indicated in the
   table below, the installation is vulnerable.

File        Release  File Version  File Date, Size
caller.dll  3.0      NA            7/13/2007, 32768 bytes
caller.dll  3.0 SP1  3.0.5.81      NA

Workaround:
As a workaround solution, set the kill bit on the caller.dll ActiveX control.

Note: Before proceeding, review the following Microsoft knowledge base article on disabling ActiveX controls:
http://support.microsoft.com/kb/240797

1. Using the registry editor, navigate to HKEY_LOCAL_MACHINE\
   SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
   {41266C21-18D8-414B-88C0-8DCA6C25CEA0}. If the key does not
   exist, create it.
2. Create a DWORD value named "Compatibility Flags" with a value
   data of 0x00000400.
3. Restart Internet Explorer.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
Security Notice for eTrust Intrusion Detection caller.dll Vulnerability http://supportconnectw.ca.com/public/etrust/etrust_intrusion/infodocs/eid-callervilnsecnot.asp
Solution Document Reference APARs:
QO89893, QO89881
CA Security Advisor posting:
CA eTrust Intrusion Detection caller.dll vulnerability
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149811
CA Vuln ID (CAID): 35524
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35524
Reported By: Sebastian Apelt working with the iDefense VCP iDefense advisory:
Computer Associates eTrust Intrusion Detection CallCode ActiveX Control Code Execution Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=568
CVE References:
CVE-2007-3302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3302
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com/.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749
 
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.

 

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.