__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                        CIAC
__________________________________________________________

                     INFORMATION BULLETIN

     Computer Associates License Manager Remote Vulnerabilities
                  [CA License Security Notice]

March 3, 2005 18:00 GMT                                      Number P-150
______________________________________________________________________________

PROBLEM:        Several security vulnerabilities have been identified in
                Computer Associates License software. The Licensing
                software allows for the remote management and tracking of
                software licenses.

SOFTWARE:       CA License package version between v1.53 and v1.61.8

PLATFORM:       AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris, Windows
                and Apple Mac

DAMAGE:         All of the vulnerabilities, discovered by eEye Digital
                Security and iDEFENSE, are due to incorrect handling of
                incoming text strings by the licensing protocol. This may
                lead to buffer overflows or a directory traversal attack.

SOLUTION:       Apply the security update.
______________________________________________________________________________

VULNERABILITY   The risk is HIGH. Exploiting the vulnerabilities will allow
ASSESSMENT:     a remote attacker to execute code with root or system
                privileges.
______________________________________________________________________________

LINKS:
  CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-150.shtml
  ORIGINAL BULLETIN:  http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp
  ADDITIONAL LINKS:   eEye Digital Security AD20050302
                      http://www.eeye.com/html/research/advisories/AD20050302.html
                      Secunia Advisory SA14438
                      http://secunia.com/advisories/14438/
  CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                      CAN-2005-0581
                      CAN-2005-0582
                      CAN-2005-0583
______________________________________________________________________________

[***** Start CA License Security Notice *****]

CA License Security Notice

Attention CA Customers: License Patches Are Now Available To Address
Buffer Overflows

Working closely with eEye Digital Security® and iDEFENSE, the CA Customer
Support team has resolved multiple vulnerability issues recently discovered
in the CA License software. Both eEye and iDEFENSE have confirmed that these
vulnerabilities have been properly addressed. CA has made patches available
to any affected license users.

Buffer overflow conditions can potentially allow arbitrary code to be
executed remotely with local SYSTEM privileges. This affects versions of the
CA License software v1.53 through v1.61.8 on the specified platforms.
Customers with these vulnerable versions should upgrade to CA License 1.61.9
or higher.

CA License patches that address these issues can be downloaded from
http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp.
CA strongly recommends the application of the appropriate CA License patch.

Affected products:
The vulnerability exists if the CA License package version on the system is
between v1.53 and v1.61.8.

Affected platforms:
AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris, Windows and Apple Mac.

Determining CA License versions:

1.
   Obtain the CA License package version:

   Windows:         The CA license package version can be obtained by
                    checking the file version of lic98version.exe. Right
                    click on lic98version.exe, choose Properties, and then
                    select the Version tab.

   Unix/Linux/Mac:  Run lic98version from a command prompt to print out the
                    version number and/or write it to lic98version.log.

   OR

2. Obtain the version of the vulnerable file:

   If the lic98version file does not exist on the system (which may be the
   case with older versions of the license package), check the version of
   the affected file itself:

   Windows:         Obtain the version of lic98rmt.exe by right-clicking on
                    the file, choosing Properties, and then selecting the
                    Version tab. The vulnerability exists if the version is
                    between 0.1.0.15 and 1.4.6.

   Unix/Linux/Mac:  Run

                        strings licrmt | grep BUILD

                    from a command prompt. A string of the following format
                    will be returned:

                        "LICAGENT BUILD INFO = /x.x.x/ Apr 16 2003/17:13:35"

                    where x.x.x is the file version. The vulnerability
                    exists if this file version is between v1.0.15 and
                    v1.4.6.

Note the following default license install directories:

   Windows:         C:\CA_LIC or
                    C:\Program Files\CA\SharedComponents\CA_LIC
   Unix/Linux/Mac:  /opt/CA/ca_lic or /opt/CA/SharedComponents/ca_lic

Should you require additional information, please contact CA Customer
Support:
   North America (for individual product hotlines)
   Internationally (for individual country offices)

[***** End CA License Security Notice *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Computer Associates for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
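As an added example, not part of the CA notice or the CIAC bulletin, the following POSIX shell script automates the Unix/Linux/Mac check in step 2 of "Determining CA License versions" above: it parses the LICAGENT BUILD INFO line that `strings licrmt | grep BUILD` returns and reports whether the licrmt file version falls in the vulnerable range v1.0.15 through v1.4.6. The sample build-info line is constructed from the format the notice quotes; the function names (extract_version, vercmp, is_vulnerable_licrmt, check_build_info) and the field-by-field version comparator are choices made here, not anything from CA's tooling.

```shell
#!/bin/sh
# Added example (not CA's or CIAC's code): decide from the licrmt build
# string whether the installed file is in the vulnerable range 1.0.15..1.4.6
# named in the CA License Security Notice.

# Constructed sample of the line that `strings licrmt | grep BUILD` prints.
SAMPLE_BUILD_INFO='LICAGENT BUILD INFO = /1.4.2/ Apr 16 2003/17:13:35'

# Lower and upper bounds of the vulnerable licrmt file versions (from the notice).
VULN_LOW=1.0.15
VULN_HIGH=1.4.6

# Pull the x.x.x between the slashes out of a BUILD INFO line; prints nothing
# if the line does not match the documented format.
extract_version() {
    printf '%s\n' "$1" | sed -n 's|.*BUILD INFO = /\([0-9][0-9.]*\)/.*|\1|p'
}

# Compare two dotted versions numerically, field by field, so that 1.0.15 sorts
# after 1.0.9 (a plain string compare would get this wrong). Prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0;   # missing fields count as 0
            y = (i <= nb) ? B[i] + 0 : 0;
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# Returns 0 (true) when the version lies in [VULN_LOW, VULN_HIGH].
# A leading "v" (as written in the notice) is tolerated.
is_vulnerable_licrmt() {
    v="${1#v}"
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" "$VULN_LOW")" -ge 0 ] && [ "$(vercmp "$v" "$VULN_HIGH")" -le 0 ]
}

# End-to-end check of one BUILD INFO line.
# Exit status: 0 = vulnerable, 1 = outside the range, 2 = could not parse.
check_build_info() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "licrmt: could not parse a version from: $1"
        return 2
    fi
    if is_vulnerable_licrmt "$v"; then
        echo "licrmt $v: VULNERABLE, upgrade to CA License 1.61.9 or higher"
        return 0
    fi
    echo "licrmt $v: not in the vulnerable range"
    return 1
}

# Stand-alone demonstration on the constructed sample line.
# On a real host you would feed the actual binary from one of the default
# install directories the notice lists, e.g.:
#   strings /opt/CA/ca_lic/licrmt | grep BUILD | while read -r line; do
#       check_build_info "$line"; done
check_build_info "$SAMPLE_BUILD_INFO"
```

The numeric comparator matters because the range boundary 1.0.15 has a two-digit last field: a lexical compare would place 1.0.15 before 1.0.9 and misclassify hosts. The exit status lets the script be dropped into an inventory job that records which hosts still need the CA License 1.61.9 patch.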
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-140: AWStats Vulnerabilities
P-141: HP Web-enabled Management Software Vulnerability
P-142: XPDF/GPDF - CUPS Vulnerabilities
P-143: Security Vulnerability in the kcms_configure(1) Command
P-144: Cisco ACNS Denial of Service and Default Admin Password Vulnerabilities
P-145: HP-UX rpc.ypupdated Remote Unauthorized Access
P-146: bsmtpd
P-147: HP-UX ftpd Remote Unauthorized Access
P-148: Symantec SMTP Binding Configuration Vulnerability
P-149: Firefox Security Update