__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                        (CIAC)
__________________________________________________________

                     INFORMATION BULLETIN

     Security Notice for CA Products Implementing the Anti-Virus Engine

June 7, 2007 16:00 GMT                                       Number R-267
______________________________________________________________________________

PROBLEM:        There are multiple security risks in CA products that
                implement the Anti-Virus engine.

PLATFORM:       CA Anti-Virus for the Enterprise (formerly eTrust Antivirus)
                  r8, r8.1
                CA Anti-Virus 2007 (v8)
                eTrust EZ Antivirus r7, r6.1
                CA Internet Security Suite 2007 (v3)
                eTrust Internet Security Suite r1, r2
                eTrust EZ Armor r1, r2, r3.x
                CA Threat Manager for the Enterprise (formerly eTrust
                  Integrated Threat Management) r8
                CA Protection Suites r2, r3
                CA Secure Content Manager (formerly eTrust Secure Content
                  Manager) 8.0
                CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
                Unicenter Network and Systems Management (NSM) r3.0, r3.1,
                  r11, r11.1
                BrightStor ARCserve Backup r11.5, r11.1, r11 for Windows
                BrightStor Enterprise Backup r10.5
                BrightStor ARCserve Backup v9.01
                CA Common Services
                CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

DAMAGE:         Can allow a remote attacker to cause a denial of service or
                possibly execute arbitrary code.

SOLUTION:       Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY   The risk is MEDIUM. Can allow a remote attacker to cause a
ASSESSMENT:     denial of service or possibly execute arbitrary code.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-267.shtml
 ORIGINAL BULLETIN:  http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2864
                     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2863
______________________________________________________________________________

[****** CA Bulletin Start ******]

Security Notice for CA products implementing the Anti-Virus engine

Issued: June 5th, 2007

CA's customer support is alerting customers to multiple security risks in CA
products that implement the Anti-Virus engine. Two vulnerabilities exist that
can allow a remote attacker to cause a denial of service or possibly execute
arbitrary code. CA has issued updates to address the vulnerabilities.

The first vulnerability, CVE-2007-2863, is due to a stack based buffer
overflow occurring when the engine processes an excessively long file name
contained in a CAB file. The second vulnerability, CVE-2007-2864, is due to a
stack based buffer overflow occurring when the "coffFiles" field is processed
in a CAB file. In both instances, an attacker can cause a crash or possibly
execute arbitrary code.
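Both flaws are triggered by fields of the CAB container that the engine trusted without bounds checking: the CFHEADER "coffFiles" offset and the NUL-terminated szName in each CFFILE entry. The following is an added example (not CA's code and not part of the bulletin) of the pre-scan sanity check a mail or file gateway can apply so that a cabinet with an out-of-range coffFiles or an overlong file name is rejected before it reaches any parser; the 255-byte name cap is an assumption chosen as a conservative limit, and the sample cabinets are constructed inline.

```python
import struct

# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)          # 36 bytes
# CFFILE fixed part: cbFile, uoffFolderStart, iFolder, date, time, attribs
CFFILE_FMT = "<IIHHHH"
CFFILE_SIZE = struct.calcsize(CFFILE_FMT)              # 16 bytes, then szName
CFFOLDER_SIZE = 8                                      # coffCabStart, cCFData, typeCompress
MAX_NAME = 255  # assumption: conservative cap on szName length (excluding NUL)


def check_cab(data: bytes):
    """Return (ok, reason). ok == False means reject before scanning."""
    if len(data) < CFHEADER_SIZE:
        return False, "truncated CFHEADER"
    (sig, _r1, _cb, _r2, coff_files, _r3, _vmin, _vmaj,
     c_folders, c_files, _flags, _set_id, _icab) = struct.unpack_from(CFHEADER_FMT, data)
    if sig != b"MSCF":
        return False, "bad signature"
    # coffFiles must point past the header and folder table and inside the data
    if coff_files < CFHEADER_SIZE + CFFOLDER_SIZE * c_folders or coff_files >= len(data):
        return False, "coffFiles outside cabinet"
    pos = coff_files
    for i in range(c_files):
        if pos + CFFILE_SIZE > len(data):
            return False, "truncated CFFILE %d" % i
        pos += CFFILE_SIZE
        # szName must terminate within MAX_NAME bytes; find() is bounded so an
        # unterminated or overlong name never makes us read past the cap
        end = data.find(b"\x00", pos, pos + MAX_NAME + 1)
        if end < 0:
            return False, "file name in CFFILE %d exceeds %d bytes" % (i, MAX_NAME)
        pos = end + 1
    return True, "ok"


def build_cab(name: bytes, coff_files=None) -> bytes:
    """Constructed minimal cabinet: one folder, one zero-length file, no CFDATA."""
    cffile = struct.pack(CFFILE_FMT, 0, 0, 0, 0, 0, 0x20) + name + b"\x00"
    files_off = CFHEADER_SIZE + CFFOLDER_SIZE
    total = files_off + len(cffile)
    if coff_files is None:
        coff_files = files_off
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, total, 0, coff_files, 0,
                         3, 1, 1, 1, 0, 0x1234, 0)
    folder = struct.pack("<IHH", total, 0, 0)
    return header + folder + cffile
```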
Risk Rating

High

Affected Products

CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8, r8.1
CA Anti-Virus 2007 (v8)
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3)
eTrust Internet Security Suite r1, r2
eTrust EZ Armor r1, r2, r3.x
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat
  Management) r8
CA Protection Suites r2, r3
CA Secure Content Manager (formerly eTrust Secure Content Manager) 8.0
CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
Unicenter Network and Systems Management (NSM) r3.0
Unicenter Network and Systems Management (NSM) r3.1
Unicenter Network and Systems Management (NSM) r11
Unicenter Network and Systems Management (NSM) r11.1
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
CA Common Services
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

How to determine if the installation is affected

From the affected product's GUI, find the signature version. If the version is
less than 30.6, then the installation is affected.

Solution

CA has issued content update 30.6 to address the vulnerabilities. The updated
engine is provided with content updates. Ensure the latest content update is
installed if the signature version is less than version 30.6.

BrightStor ARCserve Backup:

To update the signatures one time only, open a command window, change into the
"C:\Program Files\CA\SharedComponents\ScanEngine" directory, and enter the
following command:

    inodist /cfg inodist.ini

To update on a regular schedule, either submit a GenericJob using the ARCserve
Job Scheduler (search the BrightStor Administrator's Guide for 'Antivirus
Maintenance' and follow the directions), or use the above command line
instruction with the AT Scheduler.
Workaround

None

References

CVE-2007-2863 - CAB file long filename buffer overflow
CVE-2007-2864 - CAB file coffFiles buffer overflow

Acknowledgement

CVE-2007-2863 - CA would like to thank an anonymous researcher working with
TippingPoint (www.tippingpoint.com) and the Zero Day Initiative
(www.zerodayintiative.com) for reporting this issue.

CVE-2007-2864 - CA would like to thank an anonymous researcher working with
TippingPoint (www.tippingpoint.com) and the Zero Day Initiative
(www.zerodayintiative.com) for reporting this issue.

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technical Support at
http://supportconnect.ca.com.

If you discover a vulnerability in CA products, please report your findings to
vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form at
https://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

[****** CA Bulletin Ends ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CA for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-257: Open Ticket Request System (OTRS) Vulnerability
R-258: FLEXnet Connect 6.0 Security Patch
R-259: Authentium Command Antivirus Vulnerability
R-260: Security Vulnerability in Sun Java System Web Server
R-261: Security Vulnerabilities in the Java Runtime Environment Image Parsing
       Code
R-262: CREDANT Mobile Guardian Shield Vulnerability
R-263: Security Vulnerability in the Logging Mechanism for Solaris Management
       Console (SMC)
R-264: Security Vulnerability in the Authentication Mechanism for Solaris
       Management Console (SMC)
R-265: HP System Management Homepage (SMH) Vulnerability
R-266: Security Vulnerability in How xscreensaver(1) Interacts with GNOME
       Assistive Technology