
Computer Associates eTrust Intrusion Detection System CPImportKey DoS Vulnerability

04.05.05

BACKGROUND

Computer Associates International, Inc.'s (CA) eTrust Intrusion
Detection 3.0 is a complete session security solution that incorporates
three key capabilities in one product: network protection, network
session monitoring and Internet web filtering. More information is
available at:

   http://www3.ca.com/Solutions/Product.asp?ID=163

DESCRIPTION

Remote exploitation of a memory exhaustion vulnerability in Computer
Associates eTrust Intrusion Detection System can allow remote attackers
to cause a denial of service condition.

The vulnerability specifically exists due to insufficient checking of
values passed to the Microsoft Crypto API function CPImportKey.
CPImportKey derives certain buffer allocation sizes from fields in the
key blob it is handed; if the wrapper function that calls it does not
validate those fields first, an attacker-controlled blob can force the
allocation of very large buffers. When CPImportKey receives a size value
that exceeds the mapped memory size, an exception is raised and the
memory already allocated is never freed.

This condition is met by the design of Computer Associates eTrust
Intrusion Detection System, and a specially crafted packet may exhaust
all available memory, resulting in a denial of service.

ANALYSIS

Exploitation may allow remote attackers to cause the network's intrusion
detection functionality to fail, leaving further exploitation of other
machines on the network undetected. Simple manipulation of fields in the
header of normal remote administration traffic is all that is required
to exploit this vulnerability. Note also that other applications that
wrap the same Microsoft Crypto API functionality without validating key
blobs before import may be exploitable in the same fashion.
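The hardening the vendor later describes (validate the key blob received from the
Viewer and drop the connection if it is not valid) amounts to bounds-checking
every length the CSP would derive from the blob before CryptImportKey/CPImportKey
ever sees it. The following is an added example, not code from this advisory or
from CA's product: a validator for an RSA PUBLICKEYBLOB that checks the declared
bitlen against the bytes actually received. The structure layouts and constants
are the documented wincrypt.h ones, reproduced locally so the check compiles off
Windows; the 16384-bit policy cap, the function names and the sample blobs are
assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CryptoAPI key BLOB layout (documented wincrypt.h values), little-endian on the wire:
 *   BLOBHEADER { BYTE bType; BYTE bVersion; WORD reserved; ALG_ID aiKeyAlg; }  (8 bytes)
 *   RSAPUBKEY  { DWORD magic; DWORD bitlen; DWORD pubexp; }                    (12 bytes)
 *   followed by bitlen/8 modulus bytes. */
#define PUBLICKEYBLOB     0x06
#define CUR_BLOB_VERSION  0x02
#define CALG_RSA_KEYX     0x0000a400u
#define CALG_RSA_SIGN     0x00002400u
#define RSA1_MAGIC        0x31415352u   /* "RSA1" */

#define BLOBHEADER_LEN    8             /* local names, not wincrypt.h's */
#define RSAPUBKEY_LEN     12
#define MAX_RSA_BITS      16384u        /* policy cap (assumption): refuse absurd sizes */

enum blob_status {
    BLOB_OK = 0,
    BLOB_TOO_SHORT,   /* fewer bytes than the fixed headers */
    BLOB_BAD_TYPE,    /* not a version-2 PUBLICKEYBLOB */
    BLOB_BAD_ALG,     /* key algorithm is not RSA */
    BLOB_BAD_MAGIC,   /* RSAPUBKEY.magic != "RSA1" */
    BLOB_BAD_BITLEN,  /* bitlen zero, not byte-aligned, or above the policy cap */
    BLOB_TRUNCATED    /* declared modulus length disagrees with the bytes received */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate an RSA PUBLICKEYBLOB before handing it to CryptImportKey. Every length
 * the CSP would derive from the blob is checked against the byte count actually
 * received, so a forged bitlen cannot drive a huge allocation inside the CSP. */
enum blob_status validate_rsa_pubkey_blob(const uint8_t *blob, size_t len)
{
    if (len < BLOBHEADER_LEN + RSAPUBKEY_LEN)
        return BLOB_TOO_SHORT;
    if (blob[0] != PUBLICKEYBLOB || blob[1] != CUR_BLOB_VERSION)
        return BLOB_BAD_TYPE;
    uint32_t alg = rd32(blob + 4);
    if (alg != CALG_RSA_KEYX && alg != CALG_RSA_SIGN)
        return BLOB_BAD_ALG;

    const uint8_t *rsa = blob + BLOBHEADER_LEN;
    if (rd32(rsa) != RSA1_MAGIC)
        return BLOB_BAD_MAGIC;
    uint32_t bitlen = rd32(rsa + 4);
    if (bitlen == 0 || (bitlen % 8) != 0 || bitlen > MAX_RSA_BITS)
        return BLOB_BAD_BITLEN;

    /* bitlen <= MAX_RSA_BITS, so the division cannot produce an absurd size.
     * A PUBLICKEYBLOB carries nothing after the modulus, so require exact fit. */
    size_t modulus_len = bitlen / 8;
    if (len - (BLOBHEADER_LEN + RSAPUBKEY_LEN) != modulus_len)
        return BLOB_TRUNCATED;
    return BLOB_OK;
}

/* Construct a PUBLICKEYBLOB claiming `bitlen` bits but carrying `modulus_len`
 * placeholder modulus bytes (test data, not a real key). Returns bytes written. */
size_t build_pubkey_blob(uint8_t *out, size_t cap, uint32_t bitlen, size_t modulus_len)
{
    size_t total = BLOBHEADER_LEN + RSAPUBKEY_LEN + modulus_len;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = PUBLICKEYBLOB; out[1] = CUR_BLOB_VERSION;
    wr32(out + 4, CALG_RSA_KEYX);
    wr32(out + 8, RSA1_MAGIC);
    wr32(out + 12, bitlen);
    wr32(out + 16, 65537);
    memset(out + BLOBHEADER_LEN + RSAPUBKEY_LEN, 0xAB, modulus_len);
    return total;
}

/* Build one scenario and run the validator over it. */
enum blob_status check_scenario(uint32_t bitlen, size_t modulus_len)
{
    uint8_t blob[3072];   /* large enough for a MAX_RSA_BITS modulus */
    size_t n = build_pubkey_blob(blob, sizeof blob, bitlen, modulus_len);
    return n ? validate_rsa_pubkey_blob(blob, n) : BLOB_TOO_SHORT;
}

int main(void)
{
    static const char *names[] = { "OK", "TOO_SHORT", "BAD_TYPE", "BAD_ALG",
                                   "BAD_MAGIC", "BAD_BITLEN", "TRUNCATED" };
    printf("well-formed 1024-bit key  : %s\n", names[check_scenario(1024, 128)]);
    printf("forged bitlen 0xFFFFFFF0  : %s\n", names[check_scenario(0xFFFFFFF0u, 128)]);
    printf("claims 2048, carries 128B : %s\n", names[check_scenario(2048, 128)]);
    return 0;
}
```

The forged-bitlen case is the one this advisory is about: without the cap and the
length comparison, bitlen/8 becomes the CSP's allocation size. A daemon that runs
this check and closes the connection on anything but BLOB_OK never lets that value
reach CPImportKey.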

DETECTION

Computer Associates eTrust Intrusion Detection System 3.0 has been
confirmed vulnerable.

WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to the administration port. In addition, the
use of multiple intrusion detection products is recommended for
sensitive networks.

VENDOR RESPONSE

"Computer Associates has created a workaround that prevents this
component issue from being exploited, by validating the key received
from the "Viewer", and dropping the connection if not valid. This update
to eTrust Intrusion Detection is available only for versions 3.0 and 3.0
SP1, at the following links."

For eTrust Intrusion Detection 3.0 customers, please go to:
QO66181 (r3.0)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/eid-solpatch_r30.asp#rel30

For eTrust Intrusion Detection 3.0 SP1 customers, please go to:
QO66178 (r3.0 sp1)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/eid-solpatch_r30.asp#rel30sp1

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0968 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

DISCLOSURE TIMELINE

12/02/2004   Initial vendor notification
12/02/2004   Initial vendor response
04/05/2005   Coordinated public disclosure

CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

LEGAL NOTICES

Copyright © 2005 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.