Date: Tue, 5 Apr 2005 15:17:06 -0400
From: "iDEFENSE Labs" <labs-no-reply@...fense.com>
To: <bugtraq@...urityfocus.com>, <vulnwatch@...nwatch.org>
Subject: iDEFENSE Security Advisory 04.05.05: Computer Associates eTrust Intrusion Detection System CPImportKey DoS


Computer Associates eTrust Intrusion Detection System CPImportKey 
Denial of Service Vulnerability

iDEFENSE Security Advisory 04.05.05 
www.idefense.com/application/poi/display?id=223&type=vulnerabilities
April 05, 2005

I. BACKGROUND

Computer Associates International, Inc.'s (CA) eTrust Intrusion 
Detection 3.0 is a complete session security solution that incorporates 
three key capabilities in one product: network protection, network 
session monitoring and Internet web filtering. More information is
available at:

   http://www3.ca.com/Solutions/Product.asp?ID=163

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Computer 
Associates eTrust Intrusion Detection System can allow remote attackers 
to cause a denial of service condition.

The vulnerability exists because values passed to Microsoft's Crypto
API function CPImportKey are not sufficiently checked. CPImportKey
derives certain buffer allocation sizes from fields in the key data blob
it is handed, so a wrapper function that does not validate the blob
before calling into the Crypto API can be made to allocate large
buffers. In cases where the size value CPImportKey receives exceeds the
mapped memory size, an exception is generated and the memory that was
allocated is never freed.

This condition is met in the design of Computer Associates eTrust 
Intrusion Detection System and a specially crafted packet may exhaust 
all available memory resources, resulting in a denial of service. 
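Added here as an illustration, and not code from the advisory or from Computer Associates: a caller-side check of the kind the vendor's fix describes, which rejects a key blob whose declared key length does not agree with the bytes actually received before the blob is handed to CryptImportKey. Struct layouts and constants are local copies of the documented wincrypt.h values so it builds without the Windows SDK; MAX_RSA_BITS is an assumed policy cap and the sample blob is constructed.

```c
/* Added example, not from the advisory or CA: length-check a CryptoAPI RSA
 * PUBLICKEYBLOB before it reaches CryptImportKey, the caller-side validation
 * the vendor's fix describes. Struct layouts and constants are local copies
 * of documented wincrypt.h values; MAX_RSA_BITS is an assumed policy cap. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PUBLICKEYBLOB    0x06
#define CUR_BLOB_VERSION 0x02
#define CALG_RSA_KEYX    0x0000a400u
#define RSA1_MAGIC       0x31415352u   /* ASCII "RSA1" */
#define MAX_RSA_BITS     4096u

#pragma pack(push, 1)
typedef struct { uint8_t bType, bVersion; uint16_t reserved; uint32_t aiKeyAlg; } blobheader_t;
typedef struct { uint32_t magic, bitlen, pubexp; } rsapubkey_t;
#pragma pack(pop)

/* Returns 1 when the blob's self-declared sizes agree with buf_len and fall
 * within policy, 0 otherwise. bitlen is the field that drives the modulus
 * allocation inside the CSP, so it is bounded before anything trusts it. */
int validate_rsa_pubkey_blob(const uint8_t *buf, size_t buf_len)
{
    blobheader_t hdr;
    rsapubkey_t rsa;
    if (buf == NULL || buf_len < sizeof hdr + sizeof rsa) return 0;
    memcpy(&hdr, buf, sizeof hdr);
    memcpy(&rsa, buf + sizeof hdr, sizeof rsa);
    if (hdr.bType != PUBLICKEYBLOB || hdr.bVersion != CUR_BLOB_VERSION) return 0;
    if (hdr.aiKeyAlg != CALG_RSA_KEYX || rsa.magic != RSA1_MAGIC) return 0;
    if (rsa.bitlen == 0 || rsa.bitlen % 8 != 0 || rsa.bitlen > MAX_RSA_BITS) return 0;
    /* A PUBLICKEYBLOB is exactly header + RSAPUBKEY + modulus bytes */
    return buf_len == sizeof hdr + sizeof rsa + rsa.bitlen / 8;
}

/* Constructed sample: always carries a 128-byte (1024-bit) modulus but writes
 * the caller-chosen bitlen, so a declaration that disagrees can be tested. */
size_t build_sample_blob(uint8_t *out, size_t out_len, uint32_t declared_bitlen)
{
    blobheader_t hdr = { PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX };
    rsapubkey_t rsa = { RSA1_MAGIC, declared_bitlen, 65537u };
    size_t need = sizeof hdr + sizeof rsa + 128;
    if (out_len < need) return 0;
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, &rsa, sizeof rsa);
    memset(out + sizeof hdr + sizeof rsa, 0xAA, 128);
    return need;
}
```

A blob that fails the check is dropped, which is the behaviour the vendor response describes, rather than letting the declared size reach the CSP's allocation.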

III. ANALYSIS

Exploitation may allow remote attackers to cause the intrusion 
detection functionality of your network to fail, leading to undetected 
further exploitation of other machines on the network. Simple 
manipulation of fields in the header of normal remote administration 
traffic is all that is required to exploit this vulnerability. It 
should also be noted that other applications implementing similar 
Microsoft Crypto API functionality may be exploited in the same fashion.


IV. DETECTION

Computer Associates eTrust Intrusion Detection System 3.0 has been 
confirmed vulnerable.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction 
mechanisms to limit access to the administration port. In addition, the 
use of multiple intrusion detection products is recommended for 
sensitive networks.

VI. VENDOR RESPONSE

"Computer Associates has created a workaround that prevents this
component issue from being exploited, by validating the key received
from the "Viewer", and dropping the connection if not valid. This update
to eTrust Intrusion Detection is available only for versions 3.0 and 3.0
SP1, at the following links."

For eTrust Intrusion Detection 3.0 customers, please go to:
QO66181 (r3.0)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/eid-solpatch_r30.asp#rel30

For eTrust Intrusion Detection 3.0 SP1 customers, please go to:
QO66178 (r3.0 sp1)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/eid-solpatch_r30.asp#rel30sp1

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/02/2004  Initial vendor notification
12/02/2004  Initial vendor response
04/05/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@...fense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

