[NT] Computer Associates eTrust Intrusion Detection System CPImportKey DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 04/06/05
To: list@securiteam.com Date: 6 Apr 2005 17:02:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Computer Associates eTrust Intrusion Detection System CPImportKey DoS
------------------------------------------------------------------------
SUMMARY
Computer Associates International, Inc.'s (CA) eTrust Intrusion Detection
3.0 is "a complete session security solution that incorporates three key
capabilities in one product: network protection, network session
monitoring and Internet web filtering". Remote exploitation of a buffer
overflow vulnerability in Computer Associates eTrust Intrusion Detection
System can allow remote attackers to cause a denial of service condition.
DETAILS
Vulnerable Systems:
* Computer Associates eTrust Intrusion Detection System version 3.0
The vulnerability specifically exists due to insufficient checking of
values passed to Microsoft's Crypto API function CPImportKey. The
CPImportKey function determines certain buffer allocation sizes from data
supplied in the key blob passed to it, and it may be manipulated into
allocating very large buffers if the wrapper functions do not validate
the data before calling CPImportKey. In cases where CPImportKey receives a
size value that exceeds the mapped memory size, an exception is generated
and the memory is never freed.
This condition is met in the design of Computer Associates eTrust
Intrusion Detection System and a specially crafted packet may exhaust all
available memory resources, resulting in a denial of service.
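The mitigation the paragraph above implies is to validate a received key blob before it ever reaches the Crypto API: the size the blob declares must agree with the number of bytes actually received and stay within a sane bound. The following is an added example, not code from the advisory or from Computer Associates; it assumes the blob uses Microsoft's documented PUBLICKEYBLOB layout (BLOBHEADER + RSAPUBKEY + modulus), since the advisory does not show the eTrust wire format, and the 16384-bit ceiling is a policy choice made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PUBLICKEYBLOB layout (Microsoft CryptoAPI documentation):
 * BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes) + modulus (bitlen/8 bytes). */
#define BLOBHEADER_LEN   8
#define RSAPUBKEY_LEN    12
#define PUBLICKEYBLOB    0x06
#define CUR_BLOB_VERSION 0x02
#define CALG_RSA_KEYX    0x0000a400u
#define RSA1_MAGIC       0x31415352u   /* "RSA1" */
#define MAX_RSA_BITS     16384u        /* policy bound chosen for this example */

static uint32_t rd32(const uint8_t *p) {   /* little-endian DWORD */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if the blob is internally consistent and safe to hand to the
 * Crypto API, 0 otherwise; the caller drops the connection on 0. */
int validate_rsa_pubkey_blob(const uint8_t *blob, size_t len) {
    if (blob == NULL || len < BLOBHEADER_LEN + RSAPUBKEY_LEN) return 0;
    if (blob[0] != PUBLICKEYBLOB || blob[1] != CUR_BLOB_VERSION) return 0;
    if (rd32(blob + 4) != CALG_RSA_KEYX) return 0;
    if (rd32(blob + 8) != RSA1_MAGIC) return 0;
    uint32_t bitlen = rd32(blob + 12);
    if (bitlen == 0 || bitlen % 8 != 0 || bitlen > MAX_RSA_BITS) return 0;
    size_t expected = BLOBHEADER_LEN + RSAPUBKEY_LEN + (size_t)(bitlen / 8);
    return len == expected;   /* declared size must match what was received */
}

/* Constructed test blob: a 512-bit key body, with the bitlen field set to
 * whatever the caller claims so a hostile value can be exercised. */
size_t make_blob(uint8_t *out, uint32_t claimed_bits) {
    const uint8_t hdr[BLOBHEADER_LEN + RSAPUBKEY_LEN] = {
        PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, 0, 0x00, 0xa4, 0x00, 0x00,  /* BLOBHEADER */
        'R', 'S', 'A', '1', 0, 0, 0, 0, 0x01, 0x00, 0x01, 0x00 };       /* RSAPUBKEY */
    memcpy(out, hdr, sizeof hdr);
    out[12] = claimed_bits & 0xff;         out[13] = (claimed_bits >> 8) & 0xff;
    out[14] = (claimed_bits >> 16) & 0xff; out[15] = (claimed_bits >> 24) & 0xff;
    memset(out + sizeof hdr, 0xAB, 64);    /* 512-bit modulus placeholder */
    return sizeof hdr + 64;
}

int main(void) {
    uint8_t buf[128];
    size_t n = make_blob(buf, 512);
    printf("well-formed blob accepted: %d\n", validate_rsa_pubkey_blob(buf, n));
    n = make_blob(buf, 0x40000000u);
    printf("oversized bitlen rejected: %d\n", validate_rsa_pubkey_blob(buf, n));
    return 0;
}
```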
Analysis:
Exploitation may allow remote attackers to cause the intrusion detection
functionality of your network to fail, leading to undetected further
exploitation of other machines on the network. Simple manipulation of
fields in the header of normal remote administration traffic is all that
is required to exploit this vulnerability. It should also be noted that
other applications implementing similar Microsoft Crypto API functionality
may be exploited in the same fashion.
Workaround:
Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to the administration port. In addition, the
use of multiple intrusion detection products is recommended for sensitive
networks.
Vendor Status:
"Computer Associates has created a workaround that prevents this component
issue from being exploited, by validating the key received from the
"Viewer", and dropping the connection if not valid. This update to eTrust
Intrusion Detection is available only for versions 3.0 and 3.0 SP1, at the
following links."
For eTrust Intrusion Detection 3.0 customers, please go to: QO66181 (r3.0)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/eid-solpatch_r30.asp#rel30
For eTrust Intrusion Detection 3.0 SP1 customers, please go to: QO66178 (r3.0 sp1)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/eid-solpatch_r30.asp#rel30sp1
Disclosure Timeline:
12/02/2004 - Initial vendor notification
12/02/2004 - Initial vendor response
04/05/2005 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDEFENSE Labs (labs-no-reply@idefense.com).
The original article can be found at:
http://www.idefense.com/application/poi/display?id=223&type=vulnerabilities