SecurityTracker.com
Category: Application (Security) > eTrust Antivirus
Vendors: CA
eTrust Antivirus Bugs in Arclib Library Let Remote Users Deny Service
SecurityTracker Alert ID: 1018450
SecurityTracker URL: http://securitytracker.com/id/1018450
CVE Reference: CVE-2006-5645, CVE-2007-3875
Updated: Jul 26 2007
Original Entry Date: Jul 25 2007
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 7.0, 7.1, r8, r8.1
Description:   A vulnerability was reported in eTrust Antivirus and other CA products. A remote user can cause denial of service conditions.

A remote user can send a specially crafted CHM or RAR file to cause the target application to hang.

The following CA products and versions are affected:

CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.0, 7.1, r8, r8.1
CA Anti-Virus 2007 (v8)
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3)
eTrust Internet Security Suite r1, r2
eTrust EZ Armor r1, r2, r3.x
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
CA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus Gateway) 7.1
CA Protection Suites r2, r3
CA Secure Content Manager (formerly eTrust Secure Content Manager) 1.1, 8.0
CA Anti-Spyware for the Enterprise (Formerly eTrust PestPatrol) r8, 8.1
CA Anti-Spyware 2007
Unicenter Network and Systems Management (NSM) r3.0, r3.1, r11, r11.1
BrightStor ARCserve Backup v9.01, r11 for Windows, r11.1, r11.5
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Client agent for Windows
eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1
CA Common Services (CCS) r11, r11.1
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

Titon of BastardLabs and Damian Put reported these vulnerabilities to iDefense. Sergio Alvarez of n.runs AG separately reported these vulnerabilities to the vendor.

Impact:   A remote user can cause the target application to hang.
Solution:   The vendor has issued the following fixes.

CA Anti-Virus 7.1 (non Windows):

T229327 Solaris QO86831
T229328 Netware QO86832
T229329 MacPPC QO86833
T229330 MacIntel QO86834
T229331 Linux390 QO86835
T229332 Linux QO86836
T229333 HP-UX QO86837

CA Anti-Virus 7.1 (Windows):

T229337 NT (32 bit) QO86843
T229338 NT (AMD64) QO86846

The CA advisory is available at:

http://supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot.asp

Vendor URL: supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot.asp
Cause:   State error
Underlying OS:  Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: [CAID 35525, 35526]: CA Products Arclib Library Denial of 
Service Vulnerabilities

CA Vuln ID (CAID): 35525, 35526

CA Advisory Date: 2007-07-24

Reported By:
CVE-2006-5645 - Titon of BastardLabs and Damian Put 
   <pucik at overflow dot pl> working with the iDefense VCP.
CVE-2007-3875 - An anonymous researcher working with the iDefense 
   VCP.
Sergio Alvarez of n.runs AG also reported these issues.

Impact: A remote attacker can cause a denial of service.

Summary: CA products that utilize the Arclib library contain two 
denial of service vulnerabilities. The first vulnerability, 
CVE-2007-3875, is due to an application hang when processing a 
specially malformed CHM file. The second vulnerability, 
CVE-2006-5645, is due to an application hang when processing a 
specially malformed RAR file.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Medium risk rating.

Affected Products:
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.0, 
   7.1, r8, r8.1
CA Anti-Virus 2007 (v8)
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3)
eTrust Internet Security Suite r1, r2
eTrust EZ Armor r1, r2, r3.x
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) r8
CA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus 
   Gateway) 7.1
CA Protection Suites r2, r3
CA Secure Content Manager (formerly eTrust Secure Content Manager) 
   1.1, 8.0
CA Anti-Spyware for the Enterprise (Formerly eTrust PestPatrol) 
   r8, 8.1
CA Anti-Spyware 2007
Unicenter Network and Systems Management (NSM) r3.0, r3.1, r11, 
   r11.1
BrightStor ARCserve Backup v9.01, r11 for Windows, r11.1, r11.5
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Client agent for Windows
eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1
CA Common Services (CCS) r11, r11.1
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

Status and Recommendation:
CA has provided an update to address the vulnerabilities. The 
updated Arclib library is provided in automatic content updates 
with most products. Ensure that the latest content update is 
installed. In the case where automatic updates are not available, 
use the following product specific instructions.

CA Secure Content Manager 1.1:
Apply QO89469.

CA Secure Content Manager 8.0:
Apply QO87114.

Unicenter Network and Systems Management (NSM) r3.0:
Apply QO89141.

Unicenter Network and Systems Management (NSM) r3.1:
Apply QO89139.

Unicenter Network and Systems Management (NSM) r11:
Apply QO89140.

Unicenter Network and Systems Management (NSM) r11.1:
Apply QO89138.

CA Common Services (CCS) r11:
Apply QO89140.

CA Common Services (CCS) r11.1:
Apply QO89138.

CA Anti-Virus Gateway 7.1:
Apply QO89381. 

eTrust Intrusion Detection 2.0 SP1:
Apply QO89474.

eTrust Intrusion Detection 3.0:
Apply QO86925.

eTrust Intrusion Detection 3.0 SP1:
Apply QO86923.

CA Protection Suites r2:
Apply updates for CA Anti-Virus 7.1.

BrightStor ARCserve Backup and BrightStor ARCserve Client agent 
for Windows:

Manually replace the arclib.dll file with the one provided in the 
CA Anti-Virus 7.1 fix set.

1. Locate and rename the existing arclib.dll file.
2. Download the CA Anti-Virus 7.1 patch that matches the host 
   operating system.
3. Unpack the patch and place the arclib.dll file in directory 
   where the existing arclib.dll file was found in step 1.
4. Reboot the host.

CA Anti-Virus 7.1 (non Windows):


CA Anti-Virus 7.1 (Windows):


CA Threat Manager for the Enterprise r8.1 (non Windows):


How to determine if you are affected:
For products on Windows:
   default, the file is located in the 
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the table 
   below, the installation is vulnerable.

File Name    File Version
arclib.dll   7.3.0.9

*For eTrust Intrusion Detection 2.0 the file is located in 
Intrusion Detection 3.0 and 3.0 sp1, the file is located in 

For CA Anti-Virus r8.1 on non-Windows:
Use the compver utility provided on the CD to determine the 
version of arclib.dll. The same version information above applies.

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
Security Notice for CA Products Containing Arclib
http://supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot.asp
Solution Document Reference APARs:
QO89469, QO87114, QO89141, QO89139, QO89140, QO89138, QO89140, 
QO89138, QO89381, QO89474, QO86925, QO86923, QO86831, QO86832, 
QO86833, QO86834, QO86835, QO86836, QO86837, QO86843, QO86846, 
QO86839, QO86828, QO86829
CA Security Advisor posting: 
CA Products Arclib Library Denial of Service Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149847
CA Vuln ID (CAID): 35525, 35526
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35525
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35526
Reported By:
CVE-2006-5645 - Titon of BastardLabs and Damian Put 
   <pucik at overflow dot pl> working with the iDefense VCP.
CVE-2007-3875 - An anonymous researcher working with the iDefense 
   VCP.
Sergio Alvarez of n.runs AG also reported these issues.
iDefense advisories: 
Computer Associates AntiVirus CHM File Handling DoS Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=567
Multiple Vendor Antivirus RAR File Denial of Service Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=439
CVE References:
CVE-2006-5645, CVE-2007-3875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5645
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3875
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a 
Vulnerability" form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749
	
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFGpp9beSWR3+KUGYURAplHAJ4paEd/cX+2AxdBWfnw2zhfjAGQwACfW+mo
tCqbonQi4DvtQ9a45c65y70=
=o8Ac
-----END PGP SIGNATURE-----
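
The Windows check described in the advisory above (compare the arclib.dll file version against 7.3.0.9), as an added PowerShell example that is not part of the CA advisory or of the SecurityTracker entry. The default file location is not given on this page, so the search roots are an assumption supplied by the caller, and the function name Get-ArclibStatus is hypothetical.

```powershell
# Added example: audit every arclib.dll under the given roots against the
# fixed file version from the advisory's table (arclib.dll 7.3.0.9).
param(
    # Assumption: search roots chosen by the caller; the advisory's default
    # install path is missing from this page.
    [string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
    [version]$FixedVersion = '7.3.0.9'
)

function Get-ArclibStatus {
    param([string[]]$Root, [version]$Fixed)

    # Skip empty or non-existent roots (e.g. ProgramFiles(x86) on 32-bit hosts).
    foreach ($r in $Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        Get-ChildItem -LiteralPath $r -Filter 'arclib.dll' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            if ($null -ne $vi.FileVersion) {
                # Use the numeric parts: FileVersion strings can carry extra text.
                $found = New-Object System.Version -ArgumentList `
                    $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
                # "Earlier than" the table version means the copy is still vulnerable.
                $status = if ($found -lt $Fixed) { 'VULNERABLE' } else { 'OK' }
            } else {
                $found  = $null
                $status = 'UNKNOWN (no version resource)'
            }
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $found
                Status      = $status
            }
        }
    }
}

Get-ArclibStatus -Root $SearchRoot -Fixed $FixedVersion | Format-Table -AutoSize
```

Because several of the affected products ship their own copy of the library, run it with `-SearchRoot` pointing at each product's installation directory rather than relying on the defaults.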

 
 



Copyright 2019, SecurityGlobal.net LLC