Security Alerts and vulnerabilities: Let's keep abreast of the latest threats by posting those findings here.

Mobo
04-07-2005, 09:33 PM

Remote exploitation of a buffer overflow vulnerability in Computer Associates eTrust Intrusion Detection System can allow remote attackers to cause a denial of service condition.

The vulnerability specifically exists due to insufficient checking on values passed to Microsoft's Crypto API function CPImportKey. The CPImportKey function determines certain buffer allocation sizes from data supplied in the data blob passed to CPImportKey and may be manipulated to cause the allocation of large buffers if wrapper functions do not validate the data passed to the Crypto API before calling CPImportKey. In cases in which CPImportKey receives a size value that exceeds the mapped memory size, an exception is generated and the memory is never freed.

This condition is met in the design of Computer Associates eTrust Intrusion Detection System and a specially crafted packet may exhaust all available memory resources, resulting in a denial of service.

III. ANALYSIS

Exploitation may allow remote attackers to cause the intrusion detection functionality of your network to fail, leading to undetected further exploitation of other machines on the network. Simple manipulation of fields in the header of normal remote administration traffic is all that is required to exploit this vulnerability. It should also be noted that other applications implementing similar Microsoft Crypto API functionality may be exploited in the same fashion.

IV. DETECTION

Computer Associates eTrust Intrusion Detection System 3.0 has been confirmed vulnerable.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to the administration port. In addition, the use of multiple intrusion detection products is recommended for sensitive networks.

VI. VENDOR RESPONSE

"Computer Associates has created a workaround that prevents this component issue from being exploited, by validating the key received from the "Viewer", and dropping the connection if not valid. This update to eTrust Intrusion Detection is available only for versions 3.0 and 3.0 SP1, at the following links."

For eTrust Intrusion Detection 3.0 customers, please go to:
QO66181 (r3.0)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/eid-solpatch_r30.asp#rel30

For eTrust Intrusion Detection 3.0 SP1 customers, please go to:
QO66178 (r3.0 sp1)
http://supportconnectw.ca.com/premium/etrust/etrust_intrusion/downloads/eid-solpatch_r30.asp#rel30sp1
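
The advisory above attributes the issue to wrapper code that does not validate a received key blob before it reaches CPImportKey, and the vendor fix validates the key and drops the connection if it is not valid. The following is an added example of that kind of pre-check, not Computer Associates' patch and not code from the advisory. It assumes the peer sends an RSA public key in the CryptoAPI PUBLICKEYBLOB layout (the advisory does not say which blob type is used); the function names and the `MAX_RSA_BITS` ceiling are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout constants as defined in wincrypt.h. */
#define PUBLICKEYBLOB    0x06
#define CUR_BLOB_VERSION 0x02
#define RSA1_MAGIC       0x31415352u /* "RSA1" */
#define HDR_LEN          20u         /* BLOBHEADER (8) + RSAPUBKEY (12) */
#define MAX_RSA_BITS     16384u      /* policy ceiling: assumption of this example */

enum blob_status { BLOB_OK, BLOB_SHORT, BLOB_BAD_HEADER, BLOB_BAD_BITLEN, BLOB_LEN_MISMATCH };

/* Read a little-endian 32-bit field without assuming alignment. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical wrapper check: run on the bytes received from the peer and
 * hand the blob to the key-import call only when this returns BLOB_OK. */
enum blob_status validate_rsa_public_blob(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < HDR_LEN)
        return BLOB_SHORT;
    if (buf[0] != PUBLICKEYBLOB || buf[1] != CUR_BLOB_VERSION || rd32(buf + 8) != RSA1_MAGIC)
        return BLOB_BAD_HEADER;
    uint32_t bitlen = rd32(buf + 12);          /* attacker-controlled size field */
    if (bitlen == 0 || bitlen % 8 != 0 || bitlen > MAX_RSA_BITS)
        return BLOB_BAD_BITLEN;
    /* The declared size must match the bytes that actually arrived. */
    if ((size_t)(bitlen / 8) != len - HDR_LEN)
        return BLOB_LEN_MISMATCH;
    return BLOB_OK;
}

/* Constructed sample: a header declaring `bits`, followed by `mod_len` filler bytes. */
enum blob_status check_sample(uint32_t bits, size_t mod_len)
{
    static uint8_t blob[HDR_LEN + 2048];
    static const uint8_t hdr[12] = { PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, 0,
                                     0x00, 0xa4, 0x00, 0x00,    /* CALG_RSA_KEYX */
                                     0x52, 0x53, 0x41, 0x31 };  /* "RSA1" */
    if (mod_len > 2048) return BLOB_SHORT;     /* sample buffer limit only */
    memset(blob, 0xAB, sizeof blob);
    memcpy(blob, hdr, sizeof hdr);
    for (int i = 0; i < 4; i++) blob[12 + i] = (uint8_t)(bits >> (8 * i));
    return validate_rsa_public_blob(blob, HDR_LEN + mod_len);
}
```

A caller would close the connection on any status other than `BLOB_OK`, so an oversized or inconsistent size field never reaches the allocation inside the import routine.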