Computer Associates Inc. yesterday released a flurry of patches for a number of serious buffer overflows discovered in CA License Client/Server applications, which are distributed and run by default in most of its software.
The Computer Associates License Client/Server applications provide a method for CA products to register their licenses on the network and are distributed with almost all CA software distributions, according to an advisory by Reston, Va.-based iDefense. The CA License Server does not run by default, though the CA License Client does. eEye Digital Security Inc. in Aliso Viejo, Calif., which also claims credit for discovering some of the flaws, rated them as severe. "The licensing protocol is text-based, and all of the vulnerabilities arise due to incorrect handling of the incoming text strings," according to the company's advisory. "Successful exploitation of these vulnerabilities will allow a remote attacker to reliably execute code within the SYSTEM context."
"Buffer overflow conditions can potentially allow arbitrary code to be executed remotely with local SYSTEM privileges," said the Computer Associates advisory. "This affects versions of the CA License software version 1.53 through version 1.61.8 on the specified platforms. Customers with these vulnerable versions should upgrade to CA License 1.61.9 or higher. CA License patches that address these issues can be downloaded." Affected platforms include:
- Linux Intel
- Linux s/390
- Apple Mac
Invalid Command Buffer Overflow
The vulnerability is caused by insufficient bounds checking on user-supplied values in requests with an invalid format. When a packet containing an overly long string
PUTOLF Buffer Overflow
A vulnerability in the handling of the filename used in PUTOLF requests can allow the saved instruction pointer to be overwritten, allowing remote execution of arbitrary code under the privileges of Local System on Windows platforms or root on Linux platforms.
GETCONFIG Buffer Overflow
Insufficient bounds checking on user-supplied values in GETCONFIG requests can allow a remote attacker to execute arbitrary code under the privileges of Local System. iDefense said the GETCONFIG packet also contains the remote operating system's version information, which increases the likelihood of successful exploitation.
GCR Network Buffer Overflow/GCR Checksum Buffer Overflow
Insufficient bounds checking on user-supplied values in GCR requests can allow a remote attacker to execute arbitrary code under the privileges of Local System if the IP address, hostname or netmask contains large values. A GETCONFIG packet exchange that discloses the remote operating system version usually precedes the GCR request and increases the likelihood of successful exploitation, iDefense said.
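The pattern shared by all four flaws is a field from a text request copied into a fixed-size buffer without a length check. The following is an added C example, not CA's code: it parses a hypothetical request of the form "COMMAND ARGUMENT" and shows the checks that must run before any copy; the wire layout, the use of PUTOLF/GETCONFIG/GCR as command names, and the size limits are assumptions.

```c
/* Added example (not CA's code): a bounded parser for a hypothetical
 * text request "<COMMAND> <ARGUMENT>\n". The real CA License wire
 * format is not on this page; the layout is assumed only to show the
 * bounds checks whose absence the advisory describes. */
#include <string.h>
#define CMD_MAX 16  /* longest accepted command name, e.g. "GETCONFIG" */
#define ARG_MAX 64  /* longest accepted argument: filename, hostname, netmask */
enum { PARSE_OK, PARSE_BAD_FORMAT, PARSE_TOO_LONG, PARSE_UNKNOWN_CMD };
static const char *const known_cmds[] = { "PUTOLF", "GETCONFIG", "GCR" };

/* Copy a field into dst only after checking it fits together with its NUL;
 * the vulnerable pattern is an unchecked strcpy/sprintf of wire data. */
static int copy_bounded(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (len >= dstsz) return PARSE_TOO_LONG;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return PARSE_OK;
}

int parse_request(const char *pkt, char *cmd, size_t cmdsz, char *arg, size_t argsz)
{
    const char *sp = strchr(pkt, ' ');
    if (sp == NULL || sp == pkt) return PARSE_BAD_FORMAT;
    int rc = copy_bounded(cmd, cmdsz, pkt, (size_t)(sp - pkt));
    if (rc != PARSE_OK) return rc;           /* over-long command: stop here */
    int known = 0;
    for (size_t i = 0; i < sizeof known_cmds / sizeof known_cmds[0]; i++)
        if (strcmp(cmd, known_cmds[i]) == 0) known = 1;
    if (!known) return PARSE_UNKNOWN_CMD;    /* invalid command: nothing further is copied */
    size_t alen = strcspn(sp + 1, "\r\n");
    if (alen == 0) return PARSE_BAD_FORMAT;
    return copy_bounded(arg, argsz, sp + 1, alen);
}

/* Parse into local buffers and report only the status. */
int request_status(const char *pkt)
{
    char cmd[CMD_MAX + 1], arg[ARG_MAX + 1];
    return parse_request(pkt, cmd, sizeof cmd, arg, sizeof arg);
}

/* Constructed input: PUTOLF with a 200-byte filename, far beyond ARG_MAX. */
int overlong_filename_status(void)
{
    char pkt[256];
    memcpy(pkt, "PUTOLF ", 7);
    memset(pkt + 7, 'A', 200);
    pkt[207] = '\n'; pkt[208] = '\0';
    return request_status(pkt);
}
```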
iDefense said that most CA products are likely running vulnerable versions of the client and/or server. The company recommends patching or using a firewall to only allow trusted hosts to connect to the Computer Associates License Server and Client ports.
Computer Associates says it strongly recommends the application of the appropriate CA License patch.
"We are seeing more and more critical security vulnerabilities that go beyond the Microsoft platform, as witnessed with the CA vulnerability advisory. These represent a serious threat to large organizations who must maintain business continuity," said Firas Raouf, eEye's COO. "This is definitely something that CIOs and CSOs must keep top of mind as they evaluate the security posture of their networks. Security vulnerabilities are not just a Microsoft problem -- the CA advisory is a wake-up call for implementing a strict vulnerability management process that covers all OS and business application platforms."