[guru] CA security updates
DATE: Mon, 07 Apr 2008 13:22:41 +0200
Several buffer overflow flaws have been found in various RPC procedures of
the CA Alert Notification server. The server is used by several CA products.
The CA ARCserve Backup for Laptops and Desktops server and the CA Desktop
Management Suite products contain several security flaws: LGServer does
not properly check its command-line arguments, and the NetBackup service
does not check file uploads. An attacker can DoS the service or run code
on the server.
--- Begin Message ---
Title: CA Alert Notification Server Multiple Vulnerabilities
CA Advisory Date: 2008-04-03
Reported By: An anonymous researcher working with the iDefense VCP
Impact: A remote authenticated attacker can execute arbitrary code
or cause a denial of service condition.
Summary: CA Alert Notification Server service contains multiple
vulnerabilities that can allow a remote authenticated attacker to
execute arbitrary code or cause a denial of service condition. CA
has issued updates to address the vulnerabilities. The
vulnerabilities, CVE-2007-4620, are due to insufficient bounds
checking in multiple procedures. A remote authenticated attacker
or local user can exploit a buffer overflow to execute arbitrary
code or cause a denial of service.
Mitigating Factors: Remote attacker must have legitimate
authentication credentials.
Severity: CA has given these vulnerabilities a maximum risk rating
of High.
Affected Products:
CA Anti-Virus for the Enterprise 7.1
CA Threat Manager for the Enterprise (formerly eTrust Integrated
Threat Management) r8
CA Threat Manager for the Enterprise (formerly eTrust Integrated
Threat Management) r8.1
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
Affected Platforms:
Windows
Status and Recommendation:
CA has provided updates to address the vulnerabilities.
CA Anti-Virus for the Enterprise 7.1, CA Anti-Virus for the
Enterprise r8: QO96079
CA Threat Manager for the Enterprise r8: QO96387
CA Anti-Virus for the Enterprise r8.1, CA Threat Manager for the
Enterprise r8.1: QO96080
BrightStor ARCserve Backup r11.5, BrightStor ARCserve Backup
r11.1: QO96079
BrightStor ARCserve Backup r11.0: Upgrade to 11.1 and apply the
latest patches.
How to determine if you are affected:
For products on Windows:
1. Using Windows Explorer, locate the file "alert.exe". By
default, the file is located in the
"C:\Program Files\CA\SharedComponents\Alert" directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the below
table, the installation is vulnerable.
Product                                    File       Version
CA Anti-Virus for the Enterprise r8.1      Alert.exe  8.1.586.0
CA Threat Manager for the Enterprise 8.1   Alert.exe  8.1.586.0
CA Threat Manager for the Enterprise r8    Alert.exe  8.0.450.0
CA Anti-Virus for the Enterprise 7.1       Alert.exe  7.1.758.0
CA Anti-Virus for the Enterprise r8        Alert.exe  7.1.758.0
BrightStor ARCserve Backup r11.5           Alert.exe  7.1.758.0
BrightStor ARCserve Backup r11.1           Alert.exe  7.1.758.0
Workaround: None
References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for Alert Notification Server
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173103
Solution Document Reference APARs:
QO96079, QO96387, QO96080, QO96079
CA Security Response Blog posting:
CA Alert Notification Server Multiple Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/04/ca-alert-notification-server-multiple-vulnerabilities.aspx
Reported By:
An anonymous researcher working with the iDefense VCP
CVE References:
CVE-2007-4620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4620
OSVDB References: Pending
http://osvdb.org/
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://support.ca.com.
For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a
Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx
Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.
--- End Message ---
--- Begin Message ---
Title: CA ARCserve Backup for Laptops and Desktops Server and CA
Desktop Management Suite Multiple Vulnerabilities
CA Advisory Date: 2008-04-03
Reported By: Dyon Balding of Secunia Research
Impact: A remote attacker can execute arbitrary code or cause a
denial of service condition.
Summary: CA ARCserve Backup for Laptops and Desktops Server
contains multiple vulnerabilities that can allow a remote attacker
to execute arbitrary code or cause a denial of service condition.
CA has issued updates to address the vulnerabilities. The first
issue, CVE-2008-1328, occurs due to insufficient bounds checking
on command arguments by the LGServer service. The second issue,
CVE-2008-1329, occurs due to insufficient verification of file
uploads by the NetBackup service. In most cases, an attacker can
potentially gain complete control of an affected installation.
Additionally, only a server installation of BrightStor ARCserve
Backup for Laptops and Desktops is affected. The client
installation is not affected.
Note: the previously published patches for CVE-2007-3216 and
CVE-2007-5005 did not fully address some issues.
Mitigating Factors: Client installations are not affected.
Severity: CA has given these vulnerabilities a maximum risk rating
of High.
Affected Products:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA Desktop Management Suite 11.2 English
CA Desktop Management Suite 11.2 localized
CA Desktop Management Suite 11.1
Affected Platforms:
Windows
Status and Recommendation:
CA has provided updates to address the vulnerabilities.
CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.2
SP2: QO95512
CA ARCserve Backup for Laptops and Desktops 11.5: QO95513
CA Desktop Management Suite 11.2 English: QO95513
CA Desktop Management Suite 11.2 localized: QO95513
CA Desktop Management Suite 11.1: Upgrade to 11.1 C1.
CA ARCserve Backup for Laptops and Desktops 11.0: Upgrade to
ARCserve Backup for Laptops and Desktops version 11.1 and apply
the latest patches. QI85497
How to determine if you are affected:
For Windows:
1. Using Windows Explorer, locate the file "rxRPC.dll". The
file can be found in the following default locations:
Product: CA ARCserve Backup for Laptops and Desktops 11.5
Directory Path: C:\Program Files\CA\BrightStor ARCserve Backup
for Laptops & Desktops\Explorer
Product: CA ARCserve Backup for Laptops and Desktops 11.1
Directory Path: C:\Program Files\CA\BrightStor ARCserve Backup
for Laptops & Desktops\server
Product: CA Desktop Management Suite 11.2 English
Directory Path: C:\Program Files\CA\DSM\BABLD\MGUI
Product: CA Desktop Management Suite 11.2 localized
Directory Path: C:\Program Files\CA\DSM\BABLD\MGUI
2. Right click on the files and select Properties.
3. Select the General tab.
4. If the file date is earlier than indicated in the below
table, the installation is vulnerable.
Product                                            File Name  File Date / Size
CA ARCserve Backup for Laptops and Desktops 11.5   rxRPC.dll  February 18 2008 / 126976
CA ARCserve Backup for Laptops and Desktops 11.1   rxRPC.dll  February 18 2008 / 114688
CA Desktop Management Suite 11.2 English           rxRPC.dll  February 18 2008 / 126976
CA Desktop Management Suite 11.2 localized         rxRPC.dll  February 18 2008 / 126976
Workaround: None
References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup for Laptops and Desktops
Server and CA Desktop Management Suite
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105
Solution Document Reference APARs:
QO95512, QO95513, QI85497
CA Security Response Blog posting:
CA ARCserve Backup for Laptops and Desktops Server and CA Desktop
Management Suite Multiple Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/04/ca-arcserve-backup-for-laptops-and-desktops-server-and-ca-desktop-management-suite-multiple-vulnerabilities.aspx
Reported By:
Dyon Balding of Secunia Research
CVE References:
CVE-2008-1328 and CVE-2008-1329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1329
OSVDB References: Pending
http://osvdb.org/
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://support.ca.com.
For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a
Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx
Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.
--- End Message ---
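An added example covering the "How to determine if you are affected" procedures in both CA advisories above (alert.exe checked by file version, rxRPC.dll by file date and size). It is not CA's code and is not from the advisories: it is a small portable C tool that reads the PE as raw bytes, locates the VS_FIXEDFILEINFO record of the version resource and compares it component by component against the threshold from the table, and reports stat() size and last-write date for the rxRPC.dll check. The tool name ca_check and the helper names are assumptions made here.

```c
/* Added example, not CA's code: automate the two "How to determine if you
 * are affected" checks.  alert.exe has a minimum file version in the table,
 * so we find VS_FIXEDFILEINFO in the PE and compare it numerically; for
 * rxRPC.dll CA gives a date and size, which we take from stat(). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/stat.h>

#define VS_FFI_SIGNATURE 0xFEEF04BDu          /* VS_FIXEDFILEINFO.dwSignature */

struct file_version { unsigned v[4]; };       /* major.minor.build.private */

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VS_FIXEDFILEINFO: dwSignature, dwStrucVersion, dwFileVersionMS (major<<16 |
 * minor), dwFileVersionLS (build<<16 | private).  Scanning raw bytes for the
 * signature avoids walking the PE resource directory. */
int find_file_version(const unsigned char *buf, size_t len, struct file_version *out) {
    size_t i;
    for (i = 0; i + 16 <= len; i++) {
        uint32_t ms, ls;
        if (le32(buf + i) != VS_FFI_SIGNATURE) continue;
        ms = le32(buf + i + 8);
        ls = le32(buf + i + 12);
        out->v[0] = ms >> 16; out->v[1] = ms & 0xFFFFu;
        out->v[2] = ls >> 16; out->v[3] = ls & 0xFFFFu;
        return 1;
    }
    return 0;
}

/* Parse the "8.1.586.0" form used in the advisory table. */
int parse_version(const char *s, struct file_version *out) {
    return sscanf(s, "%u.%u.%u.%u", &out->v[0], &out->v[1], &out->v[2], &out->v[3]) == 4;
}

/* Component-wise compare (<0, 0, >0); a string compare would rank
 * "8.1.586.0" above "8.1.1000.0". */
int compare_version(const struct file_version *a, const struct file_version *b) {
    int i;
    for (i = 0; i < 4; i++)
        if (a->v[i] != b->v[i]) return a->v[i] < b->v[i] ? -1 : 1;
    return 0;
}

/* 1 = earlier than the fixed version (vulnerable), 0 = fixed or later,
 * -1 = no version record found or unparsable threshold. */
int vulnerable_by_version(const unsigned char *buf, size_t len, const char *fixed) {
    struct file_version have, want;
    if (!find_file_version(buf, len, &have) || !parse_version(fixed, &want)) return -1;
    return compare_version(&have, &want) < 0;
}

long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* 1 if last-write time is before local midnight of year-month-day, 0 if not,
 * -1 on stat() failure.  Explorer shows local time, as the advisory step does. */
int file_older_than(const char *path, int year, int month, int day) {
    struct stat st;
    struct tm cutoff;
    if (stat(path, &st) != 0) return -1;
    memset(&cutoff, 0, sizeof cutoff);
    cutoff.tm_year = year - 1900;
    cutoff.tm_mon = month - 1;
    cutoff.tm_mday = day;
    cutoff.tm_isdst = -1;
    return st.st_mtime < mktime(&cutoff);
}

static unsigned char *read_file(const char *path, size_t *len) {
    FILE *f = fopen(path, "rb");
    long n;
    unsigned char *buf = NULL;
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) == 0 && (n = ftell(f)) >= 0) {
        rewind(f);
        buf = malloc((size_t)n + 1);
        if (buf && fread(buf, 1, (size_t)n, f) != (size_t)n) { free(buf); buf = NULL; }
        *len = (size_t)n;
    }
    fclose(f);
    return buf;
}

/* usage: ca_check alert.exe 8.1.586.0   (version check against the table)
 *        ca_check rxRPC.dll             (date/size, compare with the table) */
int main(int argc, char **argv) {
    size_t len;
    unsigned char *buf;
    if (argc < 2) { fprintf(stderr, "usage: %s <file> [fixed-version]\n", argv[0]); return 2; }
    if (argc == 2) {
        int older = file_older_than(argv[1], 2008, 2, 18);
        if (older < 0) { perror(argv[1]); return 2; }
        printf("%s: %ld bytes, %s February 18 2008\n", argv[1], file_size(argv[1]),
               older ? "older than" : "not older than");
        return 0;
    }
    if (!(buf = read_file(argv[1], &len))) { perror(argv[1]); return 2; }
    switch (vulnerable_by_version(buf, len, argv[2])) {
    case 1:  printf("%s: VULNERABLE, older than %s\n", argv[1], argv[2]); break;
    case 0:  printf("%s: patched, %s or later\n", argv[1], argv[2]); break;
    default: printf("%s: no VS_FIXEDFILEINFO record found\n", argv[1]); break;
    }
    free(buf);
    return 0;
}
```

Two caveats when running this across a fleet: the advisory paths are defaults only, so locate alert.exe and rxRPC.dll by search rather than by the fixed directory, and the signature scan returns the first VS_FIXEDFILEINFO it meets, which is the right one for a normal PE but not for a file with embedded version resources from another binary. For rxRPC.dll both the date and the size in the table have to match; an older date alone is enough to flag the install as vulnerable.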
--- Begin Message ---
iDefense Security Advisory 04.03.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 03, 2008
I. BACKGROUND
Computer Associates Alert Notification Server is used by several CA
products, including eTrust Integrated Threat Management, to provide
notifications to console users.
II. DESCRIPTION
Remote exploitation of multiple buffer overflow vulnerabilities in
Computer Associates International Inc.'s Alert Notification Service may
allow an authenticated attacker to execute arbitrary code with SYSTEM
privileges.
The Alert Service is a component of multiple Computer Associates'
products. It is used to provide status updates and notifications
regarding various system events. It implements an RPC interface with
GUID 3d742890-397c-11cf-9bf1-00805f88cb72.
Multiple buffer overflows exist in the handlers for various opcodes. In
each case, unsafe library functions are used to copy attacker supplied
data into fixed size stack buffers. By making specially crafted
requests, attackers are able to cause an exploitable buffer overflow.
III. ANALYSIS
Exploitation of these vulnerabilities allows an attacker to execute
arbitrary code with SYSTEM privileges. In order to exploit these
vulnerabilities, it is necessary for an attacker to have valid domain
credentials.
IV. DETECTION
iDefense confirmed the existence of these vulnerabilities with Computer
Associates' Threat Manager for the Enterprise version 8.1. Other
products that contain the Alert Notification Service are suspected to
be vulnerable as well.
V. WORKAROUND
iDefense is currently unaware of any effective workaround for these
issues.
VI. VENDOR RESPONSE
Computer Associates has addressed these issues by providing updates.
More information is available in their advisory at the following URL.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173103
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4620 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/24/2007 Initial vendor notification
08/24/2007 Initial vendor response
04/03/2008 Coordinated public disclosure
IX. CREDIT
The discoverer of these vulnerabilities wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2008 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
--- End Message ---
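The bug class the iDefense advisory describes (unsafe library calls copying caller-supplied data into fixed-size stack buffers inside RPC opcode handlers), shown as an added hypothetical handler pair. This is not CA's code: the advisory publishes no opcode numbers, buffer sizes or argument layouts, so the struct, the 64-byte buffer and the function names below are assumptions made for illustration.

```c
/* Added example, not CA's code: the vulnerable pattern iDefense describes
 * and its hardened form.  NAME_MAX, struct alert_arg and the handler names
 * are assumptions; the real handlers' layout is not in the advisory. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64   /* assumed size of the handler's stack buffer */

/* What the RPC runtime hands the handler: a counted string whose length and
 * contents are both chosen by the (authenticated) caller. */
struct alert_arg {
    unsigned int len;     /* bytes in data, excluding any terminator */
    const char  *data;
};

/* VULNERABLE pattern: strcpy() copies up to the caller's NUL, however far
 * past the end of the 64-byte stack buffer that is. */
int handle_opcode_unsafe(const struct alert_arg *arg) {
    char name[NAME_MAX];
    strcpy(name, arg->data);
    return (int)strlen(name);
}

/* HARDENED: validate the counted length against the buffer before copying
 * and fail the call rather than truncating.  strncpy() alone is not the fix:
 * it leaves name unterminated when the input is NAME_MAX bytes or longer. */
int handle_opcode_safe(const struct alert_arg *arg) {
    char name[NAME_MAX];
    if (arg->data == NULL || arg->len >= sizeof name)
        return -1;                            /* reject: would not fit with NUL */
    if (memchr(arg->data, '\0', arg->len) != NULL)
        return -1;                            /* length and contents disagree */
    memcpy(name, arg->data, arg->len);
    name[arg->len] = '\0';
    return (int)arg->len;
}

int main(void) {
    char big[200];
    struct alert_arg ok = { 5, "hello" };
    struct alert_arg bad;
    memset(big, 'A', sizeof big - 1);         /* constructed oversize argument */
    big[sizeof big - 1] = '\0';
    bad.len = (unsigned)strlen(big);
    bad.data = big;
    printf("safe(ok)  = %d\n", handle_opcode_safe(&ok));    /* 5 */
    printf("safe(bad) = %d\n", handle_opcode_safe(&bad));   /* -1: rejected */
    /* handle_opcode_unsafe(&bad) would write 135 bytes past name[]. */
    return 0;
}
```

The "remote authenticated" mitigating factor in both advisories only limits who can reach the handler; it does not change the handler-side fix, which is to bound every copy by the destination size and to treat the caller's length field as untrusted input in its own right (hence the memchr check for a length that disagrees with the contents).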