iDEFENSE Security Advisory 04.05.05: Computer Associates eTrust Intrusion Detection System CPImportKey DoS
Computer Associates eTrust Intrusion Detection System CPImportKey
Denial of Service Vulnerability
iDEFENSE Security Advisory 04.05.05
www.idefense.com/application/poi/display?id=223&type=vulnerabilities
April 05, 2005
I. BACKGROUND
Computer Associates International, Inc.'s (CA) eTrust Intrusion
Detection 3.0 is a complete session security solution that incorporates
three key capabilities in one product: network protection, network
session monitoring and Internet web filtering. More information is
available at:
http://www3.ca.com/Solutions/Product.asp?ID=163
II. DESCRIPTION
Remote exploitation of a buffer overflow vulnerability in Computer
Associates eTrust Intrusion Detection System can allow remote attackers
to cause a denial of service condition.
The vulnerability specifically exists due to insufficient checking on
values passed to Microsoft's Crypto API function CPImportKey. The
CPImportKey function determines certain buffer allocation sizes from
data supplied in the data blob passed to CPImportKey and may be
manipulated to cause the allocation of large buffers if wrapper
functions do not validate the data passed to the Crypto API before
calling CPImportKey. In cases where CPImportKey receives a size value
that exceeds the mapped memory size, an exception is generated and the
memory is never freed.
This condition is met in the design of Computer Associates eTrust
Intrusion Detection System and a specially crafted packet may exhaust
all available memory resources, resulting in a denial of service.
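The defensive check the advisory calls for, as an added example that is not
CA's or Microsoft's code: a wrapper that refuses any key blob whose embedded
size fields disagree with the bytes actually received, before the blob is
handed to CryptImportKey/CPImportKey. The blob types covered (PLAINTEXTKEYBLOB
and an RSA PUBLICKEYBLOB) and the MAX_KEY_BYTES cap are assumptions, since the
advisory does not say which blob the Viewer sends; the constants and layouts
mirror wincrypt.h so the code builds without Windows headers.

```c
#include <stddef.h>
#include <stdint.h>

#define CUR_BLOB_VERSION 2
#define PUBLICKEYBLOB    0x06
#define PLAINTEXTKEYBLOB 0x08
#define RSA1_MAGIC       0x31415352u  /* "RSA1" as a little-endian DWORD */
#define BLOBHEADER_LEN   8            /* bType, bVersion, reserved, aiKeyAlg */
#define MAX_KEY_BYTES    512          /* policy cap (4096-bit): assumption */

/* Little-endian DWORD read; key blobs use Windows byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 only when every length inside the blob agrees with the bytes
 * actually received and stays under MAX_KEY_BYTES; anything else should be
 * dropped (and the connection closed) before CryptImportKey sees it. */
int key_blob_is_sane(const uint8_t *blob, size_t len) {
    if (blob == NULL || len < BLOBHEADER_LEN) return 0;
    if (blob[1] != CUR_BLOB_VERSION) return 0;      /* bVersion */
    if (blob[2] != 0 || blob[3] != 0) return 0;      /* reserved WORD */
    const uint8_t *body = blob + BLOBHEADER_LEN;
    size_t body_len = len - BLOBHEADER_LEN;
    switch (blob[0]) {                               /* bType */
    case PLAINTEXTKEYBLOB: {                         /* DWORD dwKeySize | key */
        if (body_len < 4) return 0;
        uint32_t key_size = rd32(body);
        if (key_size == 0 || key_size > MAX_KEY_BYTES) return 0;
        return body_len - 4 == key_size;             /* neither short nor padded */
    }
    case PUBLICKEYBLOB: {                            /* RSAPUBKEY | modulus */
        if (body_len < 12 || rd32(body) != RSA1_MAGIC) return 0;
        uint32_t bitlen = rd32(body + 4);
        if (bitlen == 0 || bitlen % 8 != 0 || bitlen / 8 > MAX_KEY_BYTES) return 0;
        return body_len - 12 == bitlen / 8;
    }
    default:
        return 0;                                    /* unexpected type: drop */
    }
}

/* Constructed samples (not captured traffic): CALG_RC4 and CALG_RSA_KEYX. */
const uint8_t BLOB_RC4_OK[] = { 0x08,0x02,0,0, 0x01,0x68,0,0, 16,0,0,0,
    1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
const uint8_t BLOB_RC4_HUGE_SIZE[] = { 0x08,0x02,0,0, 0x01,0x68,0,0,
    0xff,0xff,0xff,0xff, 1,2,3,4 };              /* claims 4 GiB, carries 4 bytes */
const uint8_t BLOB_RSA1_OK[] = { 0x06,0x02,0,0, 0x00,0xa4,0,0,
    'R','S','A','1', 128,0,0,0, 0x01,0x00,0x01,0x00, /* toy 128-bit modulus */
    1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
const uint8_t BLOB_RSA1_HUGE_BITLEN[] = { 0x06,0x02,0,0, 0x00,0xa4,0,0,
    'R','S','A','1', 0x00,0xff,0xff,0xff, 0x01,0x00,0x01,0x00 };
```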
III. ANALYSIS
Exploitation may allow remote attackers to cause the intrusion
detection functionality of your network to fail, leading to undetected
further exploitation of other machines on the network. Simple
manipulation of fields in the header of normal remote administration
traffic is all that is required to exploit this vulnerability. It
should also be noted that other applications implementing similar
Microsoft Crypto API functionality may be exploited in the same fashion.
IV. DETECTION
Computer Associates eTrust Intrusion Detection System 3.0 has been
confirmed vulnerable.
V. WORKAROUND
Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to the administration port. In addition, the
use of multiple intrusion detection products is recommended for
sensitive networks.
VI. VENDOR RESPONSE
"Computer Associates has created a workaround that prevents this
component issue from being exploited, by validating the key received
from the "Viewer", and dropping the connection if not valid. This update
to eTrust Intrusion Detection is available only for versions 3.0 and 3.0
SP1, at the following links."
For eTrust Intrusion Detection 3.0 customers, please go to:
QO66181 (r3.0)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/eid-solpatch_r30.asp#rel30
For eTrust Intrusion Detection 3.0 SP1 customers, please go to:
QO66178 (r3.0 sp1)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/eid-solpatch_r30.asp#rel30sp1
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.
VIII. DISCLOSURE TIMELINE
12/02/2004 Initial vendor notification
12/02/2004 Initial vendor response
04/05/2005 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright (c) 2005 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@xxxxxxxxxxxx for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.