CAs Intrusion Detection Software Vulnerable to DoS Attack

By Lisa Vaas  |  Posted 2005-04-07 Print this article Print

Updated: A flaw in CA's eTrust intrusion detection software could allow remote attackers to trigger a denial-of-service attack.

A flaw has been discovered in Computer Associates International Inc.s eTrust intrusion detection software that could allow remote attackers to trigger a denial-of-service attack. iDefense Labs, at security firm iDefense Inc., on Tuesday posted an advisory that described the vulnerability as being caused by insufficient checking on values passed to Microsoft Corp.s Crypto API function CPImportKey.
CPImportKey determines certain buffer allocation sizes from data supplied via data blob.
Attackers may manipulate CPImportKey to trigger allocation of large buffers if wrapper functions dont validate the data passed to the Crypto API before CPImportKey is called. When CPImportKey receives a size that exceeds mapped memory size, an exception is generated and memory is locked. Michael Sutton, director of iDefense, said the vulnerability was "certainly exploitable" by a savvy attacker. "We purposefully dont go out of our way to give deep details on our reports, but somebody who knew what they were doing could figure it out," said Sutton, in Reston, Va. What makes it a serious vulnerability isnt the possibility that somebody could take over a computer, Sutton said, since the flaw is merely a vulnerability to a denial of service attack. Whats of greater importance is what the attack targets: an intrusion detection system. CAs eTrust Intrusion Detection System packs three capabilities into one product: network protection, network session monitoring and Internet Web filtering. As such, it sits in the center of network security. Read more here about CAs acquisition of eTrust Cleanup. "The purpose of [an IDS] being there is to detect an attack," Sutton said. "Being able to take it out could make way for a really nasty [subsequent] attack. If you were targeting a network, yes, this would be an important first step in keeping subsequent attacks undetected. That makes it of greater importance than a typical attack. … Just because its a security product doesnt mean its immune to security vulnerabilities." iDefenses advisory suggests employing firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to eTrust Intrusion Detections administration port. Also, the advisory recommends use of multiple intrusion detection products for sensitive networks. CA, of Islandia, N.Y., has created a workaround that prevents the component issue from being exploited, by validating the key received from the viewer and dropping the connection if not valid. The update is available only for versions 3.0 and 3.0 Service Pack 1. To read more about CA launching five separate business units, click here. CA issued the following statement underscoring its quick response to the discovery of the flaw: "CA responded quickly to the vulnerabilities discovered in eTrust Intrusion Detection with appropriate patches, which are currently available on our SupportConnect site. We recommend that our customers protect themselves by downloading and applying these patches right away. We will continue working with iDefense and the rest of the security community to uncover any potential vulnerabilities in our software so that CA customers can keep their enterprise computing environments safe and secure." Customers can access updates online at CAs Web site. Editors Note: This story was updated to include comments from Computer Associates. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel