BugTraq
[CAID 35395, 35396]: CA Anti-Virus Engine CAB File Buffer Overflow Vulnerabilities Jun 07 2007 03:43PM
Williams, James K (James Williams ca com)


Title: [CAID 35395, 35396]: CA Anti-Virus Engine CAB File Buffer

Overflow Vulnerabilities

CA Vuln ID (CAID): 35395, 35396

CA Advisory Date: 2007-06-05

Reported By: ZDI

Impact: Remote attackers can cause a denial of service or

potentially execute arbitrary code.

Summary: CA Anti-Virus engine contains multiple vulnerabilities

that can allow a remote attacker to cause a denial of service or

possibly execute arbitrary code. CA has issued an update to

address the vulnerabilities. The first vulnerability,

CVE-2007-2863, is due to insufficient bounds checking on filenames

contained in a CAB archive. The second vulnerability,

CVE-2007-2863, is due to insufficient bounds checking on the

"coffFiles" field. By using a specially malformed CAB file, an

attacker can cause a crash or take unauthorized action on an

affected system.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:

CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8,

r8.1

CA Anti-Virus 2007 (v8)

eTrust EZ Antivirus r7, r6.1

CA Internet Security Suite 2007 (v3)

eTrust Internet Security Suite r1, r2

eTrust EZ Armor r1, r2, r3.x

CA Threat Manager for the Enterprise (formerly eTrust Integrated

Threat Management) r8

CA Protection Suites r2, r3

CA Secure Content Manager (formerly eTrust Secure Content

Manager) 8.0

CA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus

Gateway) 7.1

Unicenter Network and Systems Management (NSM) r3.0

Unicenter Network and Systems Management (NSM) r3.1

Unicenter Network and Systems Management (NSM) r11

Unicenter Network and Systems Management (NSM) r11.1

BrightStor ARCserve Backup r11.5

BrightStor ARCserve Backup r11.1

BrightStor ARCserve Backup r11 for Windows

BrightStor Enterprise Backup r10.5

BrightStor ARCserve Backup v9.01

CA Common Services

CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

Affected Platforms:

All

Status and Recommendation:

CA has issued content update 30.6 to address the vulnerabilities.

The updated engine is provided with content updates. Ensure the

latest content update is installed if the signature version is

less than version 30.6.

For BrightStor ARCserve Backup:

1. To update the signatures one time only, open a command window,

change into the "C:\Program Files\CA\SharedComponents\ScanEngine"

directory, and enter the following command:

inodist /cfg inodist.ini

2. To update on a regular schedule:

* Submit a GenericJob using the ARCserve Job Scheduler. Please

search the BrightStor Administrator's Guide for 'Antivirus

Maintenance' and follow the directions.

Or

* Use the above command line instruction with the AT Scheduler.

Workaround: None

References (URLs may wrap):

CA SupportConnect:

http://supportconnect.ca.com/

CA SupportConnect Security Notice for this vulnerability:

Security Notice for CA products implementing the Anti-Virus engine

http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secu
ritynotice.asp

CA Security Advisor posting: CA Anti-Virus Engine CAB File Buffer

Overflow Vulnerabilities

http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=144680

CAID: 35395, 35396

http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35395

http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35396

Reported By: ZDI

ZDI Advisory: ZDI-07-034, ZDI-07-035

http://www.zerodayinitiative.com/advisories/ZDI-07-034.html

http://www.zerodayinitiative.com/advisories/ZDI-07-035.html

CVE References: CVE-2007-2863, CVE-2007-2864

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2863

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2864

OSVDB References: OSVDB-35244, OSVDB-35245

http://osvdb.org/35244

http://osvdb.org/35245

Changelog for this advisory:

v1.0 - Initial Release

Customers who require additional information should contact CA

Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,

please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your

findings to vuln AT ca DOT com, or utilize our "Submit a

Vulnerability" form.

URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Regards,

Ken Williams ; 0xE2941985

Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/

Legal Notice http://www.ca.com/us/legal/

Privacy Policy http://www.ca.com/us/privacy/

Copyright (c) 2007 CA. All rights reserved.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus