CAID 32896 - Computer Associates Vet Antivirus engine heap overflow vulnerability

From: Williams, James K (James.Williams_at_ca.com)
Date: 05/24/05

    Date: Tue, 24 May 2005 02:57:44 -0400
    To: <bugtraq@securityfocus.com>
    
    

    CAID 32896 - Computer Associates Vet Antivirus engine heap overflow
    vulnerability

    CA Vulnerability ID: 32896

    Discovery Date: 2005/04/26

    Discovered By: Alex Wheeler

    Title:
    Computer Associates Vet Antivirus engine heap overflow vulnerability

    Impact:
    Remote attackers can gain privileged access.

     
    Summary:
    Computer Associates has patched a high risk vulnerability that was
    identified by Alex Wheeler. The vulnerability affects computers
    leveraging our eTrust(TM) Vet Antivirus engine, and can allow an
    attacker to gain control of a computer through a specially crafted
    Microsoft Office document.

    Severity:
    Computer Associates has given this vulnerability a High risk rating.
    The Vet Antivirus Engine is included in drivers and system services
    that automatically scan any files that the computer may access. These
    software components have privileged access to the local computer and
    are started by default by our Antivirus software installation. In
    the worst case scenario, a remote attacker may present a specially
    crafted Microsoft Office document to a vulnerable computer for virus
    scanning and gain control of the computer without any user
    interaction.

    Affected corporate products:
    CA InoculateIT 6.0 (all platforms, including Notes/Exchange)
    eTrust Antivirus r6.0 (all platforms, including Notes/Exchange)
    eTrust Antivirus r7.0 (all platforms, including Notes/Exchange)
    eTrust Antivirus r7.1 (all platforms, including Notes/Exchange)
    eTrust Antivirus for the Gateway r7.0 (all modules and platforms)
    eTrust Antivirus for the Gateway r7.1 (all modules and platforms)
    eTrust Secure Content Manager (all releases)
    eTrust Intrusion Detection (all releases)
    BrightStor ARCserve Backup (BAB) r11.1 Windows

    Affected retail products:
    eTrust EZ Antivirus r6.2 - r7.0.5
    eTrust EZ Armor r1.0 - r2.4.4
    eTrust EZ Armor LE r2.0 - r3.0.0.14
    Vet Antivirus r10.66 and below

    Status:
    All Computer Associates corporate products and some of our retail
    products that utilize the Vet Antivirus Engine have the ability to
    patch this vulnerability automatically. For these products, the
    patch for this vulnerability was already rolled out as part of the
    daily Vet Signature updates on May 3, 2005, and no further action
    is required.

    Recommendation:
    To make sure your system is protected, please review the solutions
    below for your specific product version.

      * All corporate products - You are protected if you are running
        Vet engine 11.9.1 or later. If running an earlier version,
        perform a virus signature file update as soon as possible to
        receive the patch.

      * eTrust EZ Antivirus r7/eTrust EZ Armor r3.1 Users - You may
        already be up-to-date. A new Vet engine was made available on
        Tuesday, May 3rd. Automatic signature file updates should have
        downloaded this update to your system. To verify the update,
        please follow the instructions below:

        Open eTrust EZ Antivirus (double-click on the "AV" icon in your
        system tray), then select the "Help" tab on the top-right of the
        screen. The engine version should be listed as 11.9.1 or later.
        If it is a lower number, perform a virus signature file update [1]
        immediately to receive the patch.

      * eTrust EZ Antivirus r6.x Users - Upgrade to eTrust EZ Antivirus r7
        as soon as possible. It takes approximately 10 minutes to
        complete this process on a high-speed connection, and all users
        with an active license are entitled to this upgrade for free.
        Follow the link below to upgrade now.

        http://consumerdownloads.ca.com/myeTrust/apps/EZAntivirus.exe

        For additional upgrade instructions, click on the appropriate
        link below:
        - Upgrading from r6.1 and above [2]
        - Upgrading from r6.0 and earlier [3]

        Unsure of your product version? Follow the link in footnote [4].

      * eTrust EZ Armor r3 Users - An update will be pushed down to your
        computer. During a virus signature file update, a patch will be
        downloaded to your computer. The patch will require that you
        reboot your computer for it to take effect. We recommend that
        you reboot right away.
           
      * eTrust EZ Armor r2.4.4 and below Users - Upgrade to eTrust EZ
        Armor r3.1 as soon as possible. It takes approximately 10
        minutes to complete this process on a high-speed connection and
        all users with an active license are entitled to this upgrade for
        free. Follow the link below to upgrade now.

        http://consumerdownloads.ca.com/myeTrust/apps/EZArmor.exe

        Unsure of your product version? Follow the link in footnote [4].
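
The version checks in the recommendations above, applied to a host inventory. This is an added example, not code from CA or from the original advisory; the CSV layout, host names and engine versions in the sample are constructed, and how the inventory is collected is left as an assumption.

```python
import csv
import io

FIXED_ENGINE = (11, 9, 1)  # advisory: Vet engine 11.9.1 or later is patched

# Constructed inventory; the engine versions and host names are made up.
SAMPLE = """host,product,product_version,engine_version
mail01,eTrust Antivirus,r7.1,11.9.1
file02,eTrust Antivirus,r7.0,11.10.0
gw03,eTrust Antivirus for the Gateway,r7.1,11.7.4
pc04,eTrust EZ Antivirus,r6.2,11.5.0
pc05,eTrust EZ Armor,r3.0,11.8.2
pc06,eTrust EZ Armor,r2.4.4,
pc07,eTrust EZ Antivirus,r7.0.5,n/a
"""

def parse_version(text):
    """'r7.0.5' -> (7, 0, 5). Trailing zeros are dropped so 11.9.1.0 == 11.9.1."""
    parts = text.strip().lstrip("rR").split(".")
    if not all(p.isdecimal() for p in parts):
        return None  # empty or malformed field
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def triage(product, product_version, engine_version):
    pv, ev = parse_version(product_version), parse_version(engine_version)
    # Retail releases the advisory says to replace rather than update.
    if pv is not None:
        if product == "eTrust EZ Antivirus" and pv < (7,):
            return "upgrade to eTrust EZ Antivirus r7"
        if product == "eTrust EZ Armor" and pv <= (2, 4, 4):
            return "upgrade to eTrust EZ Armor r3.1"
    if ev is None:
        return "engine version unknown, check manually"
    if ev >= FIXED_ENGINE:  # numeric compare: 11.10.0 is newer than 11.9.1
        return "patched"
    if product == "eTrust EZ Armor":
        return "run signature update, then reboot"
    return "run signature update"

def audit(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["product"], r["product_version"],
                              r["engine_version"]) for r in rows}

if __name__ == "__main__":
    for host, action in audit(SAMPLE).items():
        print(f"{host}: {action}")
```

Comparing versions as tuples of integers avoids the string-comparison trap in which "11.10.0" sorts before "11.9.1".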

    CVE Reference: Pending

    OSVDB Reference: Pending

    Advisory URLs:

    General:
    http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896

    Consumer:
    http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=1588

    [1]
    http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=61

    [2]
    http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=1907

    [3]
    http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=1911

    [4]
    http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=89

    Should you require additional information, please contact CA
    Technical Support at http://supportconnect.ca.com.

    Respectfully,

    Ken Williams ; Vulnerability Research
    A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985

    Computer Associates International, Inc. (CA).
    One Computer Associates Plaza. Islandia, NY 11749
            
    Contact Us http://ca.com/catalk.htm
    Legal Notice http://ca.com/calegal.htm
    Privacy Policy http://ca.com
    Copyright 2005 Computer Associates International, Inc.
    All rights reserved

