<<< Date Index >>>     <<< Thread Index >>>

iDEFENSE Security Advisory 04.05.05: Computer Associates eTrust Intrusion Detection System CPImportKey DoS



Computer Associates eTrust Intrusion Detection System CPImportKey 
Denial of Service Vulnerability

iDEFENSE Security Advisory 04.05.05 
www.idefense.com/application/poi/display?id=223&type=vulnerabilities
April 05, 2005

I. BACKGROUND

Computer Associates International, Inc.'s (CA) eTrust Intrusion 
Detection 3.0 is a complete session security solution that incorporates 
three key capabilities in one product: network protection, network 
session monitoring and Internet web filtering. More information is
available at:

   http://www3.ca.com/Solutions/Product.asp?ID=163

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Computer 
Associates eTrust Intrusion Detection System can allow remote attackers 
to cause a denial of service condition.

The vulnerability specifically exists due to insufficient checking on 
values passed to Microsoft's Crypto API function CPImportKey. The 
CPImportKey function determines certain buffer allocation sizes from 
data supplied in the data blob passed to CPImportKey and may be 
manipulated to cause the allocation of large buffers if wrapper 
functions do not validate the data passed to the Crypto API before 
calling CPImportKey. In cases which CPImportKey receives a size value 
which exceeds the mapped memory size, an exception is generated and the 
memory is never freed. 

This condition is met in the design of Computer Associates eTrust 
Intrusion Detection System and a specially crafted packet may exhaust 
all available memory resources, resulting in a denial of service. 

III. ANALYSIS

Exploitation may allow remote attackers to cause the intrusion 
detection functionality of your network to fail, leading to undetected 
further exploitation of other machines on the network. Simple 
manipulation of fields in the header of normal remote administration 
traffic is all that is required to exploit this vulnerability. It 
should also be noted that other applications implementing similar 
Microsoft Crypto API functionality may be exploited in the same fashion.


IV. DETECTION

Computer Associates eTrust Intrusion Detection System 3.0 has been 
confirmed vulnerable.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction 
mechanism to limit access to the administration port. In addition, the 
use of multiple intrusion detection products is recommended for 
sensitive networks.

VI. VENDOR RESPONSE

"Computer Associates has created a workaround that prevents this
component issue from being exploited, by validating the key received
from the "Viewer", and dropping the connection if not valid. This update
to eTrust Intrusion Detection is available only for versions 3.0 and 3.0
SP1, at the following links."

For eTrust Intrusion Detection 3.0 customers, please go to:
QO66181 (r3.0)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/
eid-solpatch_r30.asp#rel30

For eTrust Intrusion Detection 3.0 SP1 customers, please go to:
QO66178 (r3.0 sp1)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/
eid-solpatch_r30.asp#rel30sp1

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/02/2004  Initial vendor notification
12/02/2004  Initial vendor response
04/05/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@xxxxxxxxxxxx for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.