[ISN] Exploit Out For CA Bugs, Eval Users Also At Risk

InfoSec News isn at c4i.org
Thu Mar 10 04:04:12 EST 2005 

http://informationweek.com/story/showArticle.jhtml?articleID=159400248

By Gregg Keizer 
TechWeb News 
March 9, 2005 

Users of Computer Associates' products are now at an even greater
risk, a security firm said Wednesday, because exploit code has
appeared that takes advantage of vulnerabilities disclosed last week.

Even more important, said Firas Raouf, the chief operating officer of
eEye Digital Security, is that ex-users of CA products -- including
those who only evaluated the company's security titles, but then later
uninstalled them -- are vulnerable to attack.

The vulnerabilities were first reported March 2 [1] by Computer
Associates and a pair of security vendors, eEye and Reston, Va.-based
iDefense. A bug in the licensing software used in virtually every
Windows, Macintosh, Linux, and Unix title from CA could allow
attackers to generate buffer overflows, and from there, run code of
their choice on the machines. Computer Associates released patches
that same day.

"Exploits have been posted on the Internet," said Raouf, "and pretty
much lay out the formula for exploiting the vulnerabilities with
buffer overflows." The made-public exploits are for Windows 2000 and
Windows XP, just two of the numerous operating systems that run CA's
software.

"It's a pretty classic example," added Raouf. "Windows just tends to
be targeted more."

While a worm hasn't been spotted that uses the exploit code to create
an automated attacker, "it would be a trivial job to turn it into
one," Raouf claimed.

Also on Wednesday, the Internet Storm Center reported that it had
monitored a huge spike in traffic on TCP ports 10202 and 10203, both
of which are used by Computer Associate's licensing software. The
number of systems scanned at port 10203, for instance, jumped from
just 19 on March 2 to 4,594 on March 5.

"These scans are likely due to the public release of exploit code,
which was released to the public on Monday in a posting to the
VulnWatch mailing list," wrote David Goldsmith on the Storm Center's
analyst blog.

But eEye's Raouf said it was too early to tell whether the increased
activity on those ports was actually due to the exploit, or was only
proof that hackers were scanning for vulnerable systems that they
might target later.

In a related development, Raouf also said that former users of CA
titles could be in danger, including those who only evaluated the
Islandia, NY-based software developer's products.

"In some cases, evaluation copies install the licensing software as
well, and when the evaluation software's removed, the licensing
manager isn't completely uninstalled," said Raouf.

eEye discovered the new problem through its own testing, said Raouf,
but the Aliso Viejo, Calif.-based security vendor had not yet informed
CA of its findings.

"It's going to be difficult for enterprises to spot all the systems
that are vulnerable," said Raouf. "While users can go to a CA console
to view all the systems which have the licensing agent installed, that
won't tell them about, say, consultants' machines using the network or
computers where CA products have been uninstalled, but which still
have pieces of the licensing software on them."

Later Wednesday, he added, eEye will post a free-for-the-downloading
scanning utility that will peek through the network and find all
systems vulnerable to the CA exploit. As with earlier such scanners,
it will be posted to the eEye Web site [2].

"CA has taken immediate action in response to the vulnerabilities
discovered in a licensing component of certain CA software products,
including the development and distribution of the necessary code
patches," a spokesman for CA said late Wednesday. "CA worked with
iDefense, eEye Digital Security and the CA Security Advisory teams to
verify that the patches work properly and eliminate the reported
vulnerabilities. We are continuing to work closely with our customers
to make sure they are aware of these vulnerabilities and that they
take appropriate corrective action. Patches have been posted to our
SupportConnect web site (http://SupportConnect.ca.com), where our
customers can get step-by-step instructions on how to determine if
they are impacted and how to update their environment. Although there
are no confirmed reports of the exploitation of these vulnerabilities,
CA strongly recommends that our customers apply the patches
immediately."

[1] http://www.techweb.com/wire/security/60405068 
[2] http://www.eeye.com/html/resources/downloads/audits/index.html

More information about the ISN mailing list