SecurityTracker.com


 


Category:   Application (Firewall)  >   CA Personal Firewall
Vendors:   CA
(CA Issues Fix for CA Personal Firewall) CA Host-Based Intrusion Prevention System Lets Local Users Gain Kernel Privileges
SecurityTracker Alert ID:  1017557
SecurityTracker URL:  http://securitytracker.com/id/1017557
CVE Reference:   CVE-2006-6952
Date:  Jan 25 2007
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 9.0, engine version 1.0.173 and prior
Description:   A vulnerability was reported in CA Host-Based Intrusion Prevention System. A local user can obtain kernel-level privileges on the target system. CA Personal Firewall is affected.

A local user can modify certain IOCTL callbacks to exploit flaws in the 'kmxstart.sys' and 'kmxfw.sys' drivers and execute arbitrary code on the target system with kernel-level privileges.

Ruben Santamarta discovered this vulnerability.

The original advisory is available at:

http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=38

Impact:   A local user can obtain kernel-level privileges on the target system.
Solution:   The vendor has issued a fix for CA Personal Firewall, which is affected by this vulnerability.

The fix is available via automatic update (as of January 22, 2007).

The CA advisories are available at:

http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=2680
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34818

Vendor URL:  crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=2680
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 17 2006 CA Host-Based Intrusion Prevention System Lets Local Users Gain Kernel Privileges



 Source Message Contents

Subject:  [CAID 34818]: CA Personal Firewall Multiple Privilege Escalation Vulnerabilities


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: [CAID 34818]: CA Personal Firewall Multiple Privilege 
Escalation Vulnerabilities

CA Vuln ID (CAID): 34818

CA Advisory Date: 2007-01-22

Discovered By: Reverse Mode

Impact: Local attacker can gain escalated privileges.

Summary: Multiple vulnerabilities have been discovered in CA 
Personal Firewall drivers. The vulnerabilities are due to errors 
in the HIPS Core (KmxStart.sys) and HIPS Firewall (KmxFw.sys) 
drivers. Local attackers can exploit these vulnerabilities to gain 
escalated privileges.

Mitigating Factors: Local user account required for exploitation.

Severity: CA has given these vulnerability issues a Medium risk 
rating.

Affected Products:
CA Personal Firewall 2007 (v9.0) Engine version 1.0.173 and below
CA Internet Security Suite 2007 (v3.0) with CA Personal Firewall 
   2007 (v9.0) Engine version 1.0.173 and below 

Affected platforms:
Microsoft Windows

Status and Recommendation: 
CA has addressed this issue by providing a new automatic update on 
January 22, 2007. Customers running one of the affected products 
simply need to ensure that they have allowed this automatic update 
to take place.

Determining if you are affected:
To ensure that the update has taken place, customers can view the 
Help > About screen in their CA Personal Firewall product and 
confirm that their engine version number is 1.0.176 or higher.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA Consumer Support Knowledge Document for this vulnerability:
Medium Risk CA Personal Firewall Vulnerability - Multiple 
Privilege Escalation Vulnerabilities
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=2680
Solution Document Reference APARs: 
N/A
CA Security Advisor posting:
CA Personal Firewall Multiple Privilege Escalation Vulnerabilities
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97729
CAID: 34818
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34818
Discoverer: Reverse Mode
http://www.reversemode.com/index.php?option=com_content&task=view&id=27&Itemid=2
CVE Reference: CVE-2006-6952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6952
OSVDB References: OSVDB ID: 30497, 30498
http://osvdb.org/30497
http://osvdb.org/30498
Other References:
[Reversemode advisory] Computer Associates HIPS Drivers - multiple 
local privilege escalation vulnerabilities.
http://marc.theaimsgroup.com/?l=bugtraq&m=116379521731676&w=2

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to vuln@ca.com.

If you discover a vulnerability in CA products, please report
your findings to vuln@ca.com, or utilize our "Submit a 
Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza, Islandia, NY 11749
	
Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2007 CA. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRbft3Hklkd/ilBmFEQLH2wCeMZBQOky8s6oqrKhRERFtnH/gdYUAoJNn
bwLXu+cboC4n98Jlv9MzvAJ7
=U+Jc
-----END PGP SIGNATURE-----
 
 



Copyright 2019, SecurityGlobal.net LLC