BugTraq
[CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities Jul 25 2007 12:55AM
Williams, James K (James Williams ca com)


Title: [CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities

CA Vuln ID (CAID): 35525, 35526

CA Advisory Date: 2007-07-24

Reported By:
CVE-2006-5645 - Titon of BastardLabs and Damian Put <pucik at overflow dot pl> working with the iDefense VCP.
CVE-2007-3875 - An anonymous researcher working with the iDefense VCP.
Sergio Alvarez of n.runs AG also reported these issues.

Impact: A remote attacker can cause a denial of service.

Summary: CA products that utilize the Arclib library contain two denial of service vulnerabilities. The first vulnerability, CVE-2007-3875, is due to an application hang when processing a specially malformed CHM file. The second vulnerability, CVE-2006-5645, is due to an application hang when processing a specially malformed RAR file.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Medium risk rating.

Affected Products:
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.0, 7.1, r8, r8.1
CA Anti-Virus 2007 (v8)
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3)
eTrust Internet Security Suite r1, r2
eTrust EZ Armor r1, r2, r3.x
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
CA Protection Suites r2, r3
CA Secure Content Manager (formerly eTrust Secure Content Manager) 1.1, 8.0
CA Anti-Spyware for the Enterprise (formerly eTrust PestPatrol) r8, 8.1
CA Anti-Spyware 2007
Unicenter Network and Systems Management (NSM) r3.0, r3.1, r11, r11.1
BrightStor ARCserve Backup v9.01, r11 for Windows, r11.1, r11.5
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Client agent for Windows
eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1
CA Common Services (CCS) r11, r11.1
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

Status and Recommendation:

CA has provided an update to address the vulnerabilities. The updated Arclib library is provided in automatic content updates with most products. Ensure that the latest content update is installed. In the case where automatic updates are not available, use the following product specific instructions.

CA Secure Content Manager 1.1:

Apply QO89469.

CA Secure Content Manager 8.0:

Apply QO87114.

Unicenter Network and Systems Management (NSM) r3.0:

Apply QO89141.

Unicenter Network and Systems Management (NSM) r3.1:

Apply QO89139.

Unicenter Network and Systems Management (NSM) r11:

Apply QO89140.

Unicenter Network and Systems Management (NSM) r11.1:

Apply QO89138.

CA Common Services (CCS) r11:

Apply QO89140.

CA Common Services (CCS) r11.1:

Apply QO89138.

CA Anti-Virus Gateway 7.1:

Apply QO89381.

eTrust Intrusion Detection 2.0 SP1:

Apply QO89474.

eTrust Intrusion Detection 3.0:

Apply QO86925.

eTrust Intrusion Detection 3.0 SP1:

Apply QO86923.

CA Protection Suites r2:

Apply updates for CA Anti-Virus 7.1.

BrightStor ARCserve Backup and BrightStor ARCserve Client agent for Windows:

Manually replace the arclib.dll file with the one provided in the CA Anti-Virus 7.1 fix set.

1. Locate and rename the existing arclib.dll file.
2. Download the CA Anti-Virus 7.1 patch that matches the host operating system.
3. Unpack the patch and place the arclib.dll file in the directory where the existing arclib.dll file was found in step 1.
4. Reboot the host.

CA Anti-Virus 7.1 (non Windows):
T229327 - Solaris - QO86831
T229328 - Netware - QO86832
T229329 - MacPPC - QO86833
T229330 - MacIntel - QO86834
T229331 - Linux390 - QO86835
T229332 - Linux - QO86836
T229333 - HP-UX - QO86837

CA Anti-Virus 7.1 (Windows):
T229337 - NT (32 bit) - QO86843
T229338 - NT (AMD64) - QO86846

CA Threat Manager for the Enterprise r8.1 (non Windows):
T229334 - Linux - QO86839
T229335 - Mac - QO86828
T229336 - Solaris - QO86829

How to determine if you are affected:

For products on Windows:

1. Using Windows Explorer, locate the file "arclib.dll". By default, the file is located in the "C:\Program Files\CA\SharedComponents\ScanEngine" directory(*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the table below, the installation is vulnerable.

File Name     File Version
arclib.dll    7.3.0.9

*For eTrust Intrusion Detection 2.0 the file is located in "Program Files\eTrust\Intrusion Detection\Common", and for eTrust Intrusion Detection 3.0 and 3.0 sp1, the file is located in "Program Files\CA\Intrusion Detection\Common".

For CA Anti-Virus r8.1 on non-Windows:

Use the compver utility provided on the CD to determine the version of arclib.dll. The same version information above applies.
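
The Windows version check above can be scripted across many hosts. The following PowerShell (3.0 or later) sketch is an added example, not part of the CA advisory or any CA tooling; it checks only the default directories the advisory names, and looking under the 32-bit Program Files root on 64-bit hosts is an assumption.

```powershell
# Added example: flag arclib.dll copies older than the fixed version 7.3.0.9.
$FixedVersion = [version]'7.3.0.9'

# Default locations named in the advisory, tried under both Program Files roots
# (checking the x86 root as well is an assumption for 64-bit hosts).
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
$RelativeDirs = @(
    'CA\SharedComponents\ScanEngine',
    'eTrust\Intrusion Detection\Common',
    'CA\Intrusion Detection\Common'
)

function Get-ArclibStatus {
    param([Parameter(Mandatory)][string]$Path)

    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from the numeric parts rather than the FileVersion
    # string, which may be formatted "7, 3, 0, 9" and then fails to parse.
    $found = New-Object -TypeName System.Version -ArgumentList `
        $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
    [pscustomobject]@{
        Path       = $Path
        Version    = $found
        Vulnerable = ($found -lt $FixedVersion)
    }
}

$results = foreach ($root in $Roots) {
    foreach ($dir in $RelativeDirs) {
        $candidate = Join-Path (Join-Path $root $dir) 'arclib.dll'
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            Get-ArclibStatus -Path $candidate
        }
    }
}

if (-not $results) {
    Write-Output 'arclib.dll not found in the default locations; search the product install directory.'
} else {
    $results | Format-Table -AutoSize
    # Non-zero exit code lets an inventory job flag the host for patching.
    if ($results | Where-Object { $_.Vulnerable }) { exit 1 }
}
```

A host that reports no file in the default locations is not thereby cleared; products installed to a custom path need the same comparison run against their own arclib.dll.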

Workaround: None

References (URLs may wrap):

CA SupportConnect:

http://supportconnect.ca.com/

Security Notice for CA Products Containing Arclib

http://supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot.asp

Solution Document Reference APARs:

QO89469, QO87114, QO89141, QO89139, QO89140, QO89138, QO89140,

QO89138, QO89381, QO89474, QO86925, QO86923, QO86831, QO86832,

QO86833, QO86834, QO86835, QO86836, QO86837, QO86843, QO86846,

QO86839, QO86828, QO86829

CA Security Advisor posting:

CA Products Arclib Library Denial of Service Vulnerabilities

http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149847

CA Vuln ID (CAID): 35525, 35526

http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35525

http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35526

Reported By:
CVE-2006-5645 - Titon of BastardLabs and Damian Put <pucik at overflow dot pl> working with the iDefense VCP.
CVE-2007-3875 - An anonymous researcher working with the iDefense VCP.
Sergio Alvarez of n.runs AG also reported these issues.

iDefense advisories:

Computer Associates AntiVirus CHM File Handling DoS Vulnerability

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=567

Multiple Vendor Antivirus RAR File Denial of Service Vulnerability

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=439

CVE References:

CVE-2006-5645, CVE-2007-3875

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5645

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3875

OSVDB References: Pending

http://osvdb.org/

Changelog for this advisory:

v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Regards,

Ken Williams ; 0xE2941985

Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/

Legal Notice http://www.ca.com/us/legal/

Privacy Policy http://www.ca.com/us/privacy/

Copyright (c) 2007 CA. All rights reserved.
