[NEWS] Computer Associates iGateway Debug Mode Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 11/06/05

    To: list@securiteam.com
    Date: 6 Nov 2005 15:06:15 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Computer Associates iGateway Debug Mode Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Computer Associates iGateway contains a buffer overflow vulnerability that
    allows remote attackers to execute arbitrary code.

    DETAILS

    Vulnerable Systems:
     * iGateway component versions 4.0.050615 and prior
     * BrightStor ARCserve Backup version r11.5
     * BrightStor ARCserve Backup version r11.1
     * BrightStor ARCserve Backup for Windows version r11
     * BrightStor Enterprise Backup version 10.5
     * BrightStor ARCserve Backup version 9.01
     * BrightStor ARCserve Backup Laptop & Desktop version r11.1
     * BrightStor ARCserve Backup Laptop & Desktop version r11
     * BrightStor Process Automation Manager version r11.1
     * BrightStor SAN Manager version r11.1
     * BrightStor SAN Manager version r11.5
     * BrightStor Storage Resource Manager version r11.5
     * BrightStor Storage Resource Manager version r11.1
     * BrightStor Storage Resource Manager version 6.4
     * BrightStor Storage Resource Manager version 6.3
     * BrightStor Portal version 11.1
     * eTrust Audit version 1.5 SP2 (iRecorders and ARIES)
     * eTrust Audit version 1.5 SP3 (iRecorders and ARIES)
     * eTrust Audit version 8.0 (iRecorders and ARIES)
     * eTrust Admin version 8.0
     * eTrust Admin version 8.1
     * eTrust Identity Minder version 8.0
     * eTrust Secure Content Manager (SCM) version R8
     * eTrust Web Service Security version R8
     * eTrust Integrated Threat Management (ITM) version R8
     * Unicenter CA Web Services Distributed Management version R11
     * Unicenter AutoSys JM version R11
     * Unicenter Management for WebLogic / Management for WebSphere version R11
     * Unicenter Service Delivery version R11
     * Unicenter Service Level Management (USLM) version R11
     * Unicenter Application Performance Monitor version R11
     * Unicenter Service Desk version R11
     * Unicenter Service Desk Knowledge Tools version R11
     * Unicenter Service Fulfillment version 2.2
     * Unicenter Service Fulfillment version R11
     * Unicenter Asset Portfolio Management version R11
     * Unicenter Service Matrix Analysis version R11
     * Unicenter Service Catalog/Fulfillment/Accounting version R11
     * Unicenter MQ Management version R11
     * Unicenter Application Server Management version R11
     * Unicenter Web Server Management version R11
     * Unicenter Exchange Management version R11

    The Computer Associates iGateway common component, which is included with
    several CA products for UNIX/Linux/Windows platforms, contains a buffer
    overflow vulnerability that could allow remote attackers to execute
    arbitrary code on Windows platforms, or cause iGateway component failure
    (denial of service) on UNIX and Linux. The vulnerability is due to
    improper bounds checking on HTTP GET requests by the iGateway component
    when debug mode is enabled.

    A non-standard install of the iGateway component is required to expose
    this vulnerability. Typically, the embedded iGateway component is part of
    a non-interactive installation process.
    Consequently, most systems (those that utilize the default installation
    procedure) are not at risk.

    If a non-standard install WAS performed, the iGateway component is still
    unlikely to be vulnerable to this exploit, because the flaw is only
    exposed if the component has been manually configured to run with
    diagnostic debug tracing enabled.

    Configuring the component to run in debug mode requires administrative
    access to configuration files that reside on the machine, and also
    requires that the iGateway service be stopped and restarted by someone
    with administrative service privileges.

    Configuring the iGateway service to operate in debug mode is typically
    performed only at the direction of Computer Associates support personnel
    who are working with a customer to troubleshoot potential support issues.

    Workaround:
    Do not operate the iGateway component in debug diagnostic trace mode. To
    ensure that you are not running iGateway in debug mode, look for the
    "Debug" parameter in your igateway.conf file, and make sure that it is set
    to "False" (i.e. <Debug>False</Debug>).

    To determine the version number of the iGateway component, browse to the
    igateway directory and check the version listed in the igateway.conf file.

    On Windows, this is %IGW_LOC%
    Default path for v3.*: C:\Program Files\CA\igateway
    Default path for v4.*: C:\Program Files\CA\SharedComponents\iTechnology

    On UNIX,
    Default path for v3.*: /opt/CA/igateway
    Default path for v4.*: the install directory path is contained in
    opt/CA/SharedComponents/iTechnology location. The default path is
    /opt/CA/SharedComponents/iTechnology.

    Look at the <Version> element in igateway.conf.

    The versions are affected by this vulnerability if you see a value LESS
    THAN the following:
    <Version>4.0.050615</Version> (note the format of v.s.YYMMDD)
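
    The two checks above (the "Debug" parameter and the <Version> comparison) can be scripted. The following is an added example, not code from CA or SecuriTeam; it assumes the two elements appear in igateway.conf as simple <Debug>...</Debug> and <Version>...</Version> tags as quoted in this advisory, and the sample file contents and the <iGatewayConfig> wrapper are constructed for illustration.

```python
import re

# Fixed build named in the advisory: 4.0.050615 (format v.s.YYMMDD).
FIXED = (4, 0, 50615)

def element(conf_text, name):
    """Return the text of the first <name>...</name> element, or None."""
    pattern = r"<{0}>\s*([^<]*?)\s*</{0}>".format(re.escape(name))
    m = re.search(pattern, conf_text, re.IGNORECASE)
    return m.group(1) if m else None

def parse_version(text):
    """Split 'v.s.YYMMDD' into integers so builds compare numerically.
    Comparing YYMMDD as a number assumes all builds are dated 2000 or later."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d{6})", text or "")
    if not m:
        raise ValueError("unrecognised iGateway version: %r" % text)
    return tuple(int(part) for part in m.groups())

def assess(conf_text):
    """Apply the advisory's checks to the contents of an igateway.conf file."""
    version = parse_version(element(conf_text, "Version"))
    debug = element(conf_text, "Debug")
    # Conservative: only an explicit "False" counts as debug tracing disabled;
    # a missing or unexpected value is flagged for review.
    debug_off = debug is not None and debug.lower() == "false"
    affected = version < FIXED  # "LESS THAN" test from the advisory
    return {
        "version_affected": affected,
        "debug_off": debug_off,
        "exposed": affected and not debug_off,
    }

# Constructed sample configurations (the wrapper element is hypothetical).
OLD_DEBUG_ON = """<iGatewayConfig>
  <Version>4.0.050428</Version>
  <Debug>True</Debug>
</iGatewayConfig>"""
OLD_DEBUG_OFF = OLD_DEBUG_ON.replace("True", "False")
FIXED_DEBUG_ON = OLD_DEBUG_ON.replace("050428", "050615")

if __name__ == "__main__":
    for label, conf in [("old, debug on", OLD_DEBUG_ON),
                        ("old, debug off", OLD_DEBUG_OFF),
                        ("fixed, debug on", FIXED_DEBUG_ON)]:
        print(label, assess(conf))
```

    On a real host, read the file from the igateway directory for your platform and pass its contents to assess().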

    Vendor Status:
    The vendor has issued a fix for the issue available at:
    http://supportconnect.ca.com

    CVE Information:
    CAN-2005-3190
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3190

    OSVDB Information:
    http://www.osvdb.org/displayvuln.php?osvdb_id=19920

    ADDITIONAL INFORMATION

    The information has been provided by Williams, James K.
    <James.Williams@ca.com>.
    The original article can be found at:
    http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33485
