(CA Issues Fix for CA Internet Security Suite) CA Host-Based Intrusion Prevention System Lets Local Users Gain Kernel Privileges
SecurityTracker Alert ID: 1017556
SecurityTracker URL: http://securitytracker.com/id/1017556
Date: Jan 25 2007
Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
A vulnerability was reported in CA Host-Based Intrusion Prevention System. A local user can obtain kernel-level privileges on the target system. CA Internet Security Suite is affected.
A local user can modify certain IOCTL callbacks to exploit flaws in the 'kmxstart.sys' and 'kmxfw.sys' drivers and execute arbitrary code on the target system with kernel-level privileges.
Ruben Santamarta discovered this vulnerability.
The original advisory is available at:
A local user can obtain kernel-level privileges on the target system.
The vendor has issued a fix for CA Internet Security Suite, which is affected by this vulnerability.
The fix is available via automatic update (as of January 22, 2007).
The CA advisories are available at:
Vendor URL: crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=2680
Access control error
Underlying OS: Windows (Any)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: [CAID 34818]: CA Personal Firewall Multiple Privilege Escalation Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Title: [CAID 34818]: CA Personal Firewall Multiple Privilege
CA Vuln ID (CAID): 34818
CA Advisory Date: 2007-01-22
Discovered By: Reverse Mode
Impact: Local attacker can gain escalated privileges.
Summary: Multiple vulnerabilities have been discovered in CA
Personal Firewall drivers. The vulnerabilities are due to errors
in the HIPS Core (KmxStart.sys) and HIPS Firewall (KmxFw.sys)
drivers. Local attackers can exploit these vulnerabilities to gain
Mitigating Factors: Local user account required for exploitation.
Severity: CA has given these vulnerability issues a Medium risk
CA Personal Firewall 2007 (v9.0) Engine version 1.0.173 and below
CA Internet Security Suite 2007 (v3.0) with CA Personal Firewall
2007 (v9.0) Engine version 1.0.173 and below
Status and Recommendation:
CA has addressed this issue by providing a new automatic update on
January 22, 2007. Customers running one of the affected products
simply need to ensure that they have allowed this automatic update
to take place.
Determining if you are affected:
To ensure that the update has taken place, customers can view the
Help > About screen in their CA Personal Firewall product and
confirm that their engine version number is 1.0.176 or higher.
References (URLs may wrap):
CA Consumer Support Knowledge Document for this vulnerability:
Medium Risk CA Personal Firewall Vulnerability - Multiple
Privilege Escalation Vulnerabilities
Solution Document Reference APARs:
CA Security Advisor posting:
CA Personal Firewall Multiple Privilege Escalation Vulnerabilities
CAID Advisory link:
Discoverer: Reverse Mode
CVE Reference: CVE-2006-6952
OSVDB References: OSVDB ID: 30497, 30498
[Reversemode advisory] Computer Associates HIPS Drivers - multiple
local privilege escalation vulnerabilities.
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.
For technical questions or comments related to this advisory,
please send email to email@example.com.
If you discover a vulnerability in CA products, please report
your findings to firstname.lastname@example.org, or utilize our "Submit a
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, One CA Plaza, Islandia, NY 11749
Legal Notice http://www3.ca.com/legal/
Copyright (c) 2007 CA. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
-----END PGP SIGNATURE-----