__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

         CA Anti-Virus for the Enterprise Security Notice
                    [CA AV Sec Notice 050807]

May 14, 2007 18:00 GMT                                           Number R-241
______________________________________________________________________________

PROBLEM:       There are multiple security risks affecting CA Anti-Virus for
               the Enterprise, CA Threat Manager, and CA Anti-Spyware.

PLATFORM:      CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
               CA Threat Manager (formerly eTrust Integrated Threat
               Management) r8
               CA Anti-Spyware for the Enterprise (formerly eTrust
               PestPatrol) r8
               CA Protection Suites r3

DAMAGE:        Can allow a remote attacker to cause a denial of service
               condition or possibly execute arbitrary code.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. The vulnerability may allow a remote
ASSESSMENT:    attacker to execute arbitrary code.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-241.shtml
 ORIGINAL BULLETIN:  http://supportconnectw.ca.com/public/antivirus/infodocs/caav-secnotice050807.asp
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-2522
                     CVE-2007-2523
______________________________________________________________________________

[***** Start CA AV Sec Notice 050807 *****]

CA Anti-Virus for the Enterprise
CA Threat Manager
CA Anti-Spyware
Security Notice

Last Updated: May 12, 2007

CA's customer support is alerting customers to multiple security risks
affecting CA Anti-Virus for the Enterprise, CA Threat Manager, and CA
Anti-Spyware.
Two vulnerabilities exist that can allow a remote attacker to cause a denial
of service condition or possibly execute arbitrary code. CA has issued an
update to address the vulnerabilities.

The first vulnerability, CVE-2007-2522, is due to insufficient bounds checking
on Console Server login credentials. A remote attacker can use carefully
constructed authentication credentials to cause a stack-based buffer
overflow, which can potentially result in arbitrary code execution.

The second vulnerability, CVE-2007-2523, is due to insufficient bounds
checking in InoCore.dll. A local attacker can modify the contents of a file
mapping to cause a stack-based buffer overflow, which can potentially result
in arbitrary code execution. This issue only affects CA Anti-Virus for the
Enterprise and CA Threat Manager.

Mitigating Factors

For CVE-2007-2522, the vulnerability applies only to an installation on the
x86 platform with the Console Server installed.

Risk Rating

High

Affected Products

CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Threat Manager (formerly eTrust Integrated Threat Management) r8
CA Anti-Spyware for the Enterprise (formerly eTrust PestPatrol) r8
CA Protection Suites r3

How to determine if the installation is affected

1. Using Windows Explorer, locate the files "InoWeb.exe" and "InoCore.dll".
   By default, the files are located in the "C:\Program Files\CA\eTrustITM"
   directory.
2. Right-click on each of the files and select Properties.
3. Select the Version tab (or the Details tab if you are using Windows
   Vista).
4. If either file version is earlier than indicated in the table below, the
   installation is vulnerable.

   File Name      File Version
   InoWeb.exe     8.0.448.0
   InoCore.dll    8.0.448.0

Solution

CA has issued an update to address the vulnerabilities. The patched files are
available as part of the product's automatic content update.
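The manual Properties-tab check above can be scripted for a fleet. The following PowerShell is an added example, not part of the CA notice; it assumes the default install path from the notice and compares the two files against the fixed version 8.0.448.0 numerically (a string comparison would wrongly rank 8.0.1000.0 as "earlier" than 8.0.448.0):

```powershell
# Added example (not CA's code): report whether InoWeb.exe / InoCore.dll are
# older than the fixed builds listed in CA AV Sec Notice 050807.
$InstallDir = 'C:\Program Files\CA\eTrustITM'   # default path from the notice; adjust if relocated

# Fixed versions from the notice; [version] gives component-wise numeric comparison.
$Fixed = @{
    'InoWeb.exe'  = [version]'8.0.448.0'   # Console Server, CVE-2007-2522
    'InoCore.dll' = [version]'8.0.448.0'   # eTrust ITM Common, CVE-2007-2523
}

$results = foreach ($name in $Fixed.Keys) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # File absent: that component (e.g. the Console Server) is not installed here.
        [pscustomobject]@{ File = $name; Installed = $false; FileVersion = $null; Vulnerable = $false }
        continue
    }
    $raw = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
    if ([string]::IsNullOrWhiteSpace($raw)) {
        # No version resource: cannot prove it is fixed, so flag it for manual review.
        [pscustomobject]@{ File = $name; Installed = $true; FileVersion = $null; Vulnerable = $true }
        continue
    }
    # FileVersion is free text; keep only the leading dotted-numeric part before casting.
    $ver = [version](($raw.Trim() -split '[^\d.]')[0])
    [pscustomobject]@{
        File        = $name
        Installed   = $true
        FileVersion = $ver
        Vulnerable  = ($ver -lt $Fixed[$name])
    }
}

$results | Format-Table -AutoSize
if ($results.Vulnerable -contains $true) {
    Write-Warning 'Pre-fix CA AV component present: enable the automatic content update components named in the notice; for the Console Server, filter TCP 12168 until updated.'
    exit 1
}
exit 0
```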
The following components must be enabled in order to receive these updates:
eTrust ITM Console Server for InoWeb.exe, and eTrust ITM Common for
InoCore.dll.

Workaround

In the instance where updating the product is not immediately feasible, the
following workaround can be used as a temporary measure to reduce exposure.

For CVE-2007-2522, filter access to TCP port 12168.

References

CVE-2007-2522  Console Server authentication credential buffer overflow
CVE-2007-2523  File mapping buffer overflow

Acknowledgement

CVE-2007-2522 - Tenable Network Security, working with TippingPoint
(www.tippingpoint.com) and the Zero Day Initiative (www.zerodayintiative.com)
CVE-2007-2523 - binagres, working with iDefense (labs.idefense.com)

Change History

Version 1.0: Initial Release
Version 1.1: Modified Affected Products section to include CA Protection
             Suites r3
Version 1.2: Corrected step 3 in How to determine if the installation is
             affected

If additional information is required, please contact CA Technical Support
at http://supportconnect.ca.com.

If you discover a vulnerability in CA products, please report your findings
to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form at
http://www3.ca.com/us/securityadvisor/vulninfo/submit.aspx.

[***** End CA AV Sec Notice 050807 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CA for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-231: Vulnerabilities in Microsoft Word
R-232: Vulnerability in Microsoft Office
R-233: Cumulative Security Update for Internet Explorer
R-234: Vulnerability in CAPICOM
R-235: PHP Security Update
R-236: ldap-account-manager -- multiple vulnerabilities
R-237: Trend Micro ServerProtect EarthAgent Vulnerability
R-238: VIM Security Update
R-239: Multiple Vulnerabilities in the IOS FTP Server
R-240: Samba Security Update