CAs Intrusion Detection Software Vulnerable to DoS Attack

Updated: A flaw in CA's eTrust intrusion detection software could allow remote attackers to trigger a denial-of-service attack.

A flaw has been discovered in Computer Associates International Inc.s eTrust intrusion detection software that could allow remote attackers to trigger a denial-of-service attack.

iDefense Labs, at security firm iDefense Inc., on Tuesday posted an advisory that described the vulnerability as being caused by insufficient checking on values passed to Microsoft Corp.s Crypto API function CPImportKey.

CPImportKey determines certain buffer allocation sizes from data supplied via data blob.

Attackers may manipulate CPImportKey to trigger allocation of large buffers if wrapper functions dont validate the data passed to the Crypto API before CPImportKey is called.

When CPImportKey receives a size that exceeds mapped memory size, an exception is generated and memory is locked.

Michael Sutton, director of iDefense, said the vulnerability was "certainly exploitable" by a savvy attacker. "We purposefully dont go out of our way to give deep details on our reports, but somebody who knew what they were doing could figure it out," said Sutton, in Reston, Va.

What makes it a serious vulnerability isnt the possibility that somebody could take over a computer, Sutton said, since the flaw is merely a vulnerability to a denial of service attack. Whats of greater importance is what the attack targets: an intrusion detection system.

CAs eTrust Intrusion Detection System packs three capabilities into one product: network protection, network session monitoring and Internet Web filtering. As such, it sits in the center of network security.

/zimages/4/28571.gifRead more here about CAs acquisition of eTrust Cleanup.

"The purpose of [an IDS] being there is to detect an attack," Sutton said. "Being able to take it out could make way for a really nasty [subsequent] attack. If you were targeting a network, yes, this would be an important first step in keeping subsequent attacks undetected. That makes it of greater importance than a typical attack. … Just because its a security product doesnt mean its immune to security vulnerabilities."

iDefenses advisory suggests employing firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to eTrust Intrusion Detections administration port. Also, the advisory recommends use of multiple intrusion detection products for sensitive networks.

CA, of Islandia, N.Y., has created a workaround that prevents the component issue from being exploited, by validating the key received from the viewer and dropping the connection if not valid.

The update is available only for versions 3.0 and 3.0 Service Pack 1.

/zimages/4/28571.gifTo read more about CA launching five separate business units, click here.

CA issued the following statement underscoring its quick response to the discovery of the flaw: "CA responded quickly to the vulnerabilities discovered in eTrust Intrusion Detection with appropriate patches, which are currently available on our SupportConnect site. We recommend that our customers protect themselves by downloading and applying these patches right away. We will continue working with iDefense and the rest of the security community to uncover any potential vulnerabilities in our software so that CA customers can keep their enterprise computing environments safe and secure."

Customers can access updates online at CAs Web site.

Editors Note: This story was updated to include comments from Computer Associates.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.