Title: Computer Associates iGateway debug mode HTTP GET request
buffer overflow vulnerability
CA Vulnerability ID: 33485
Discovery Date: 2005-10-06
CA Advisory Date: 2005-10-14
Discovered By: EMendoza
Impact: Remote attacker can execute arbitrary code with SYSTEM
privileges.
Summary: The Computer Associates iGateway common component, which
is included with several CA products for UNIX/Linux/Windows
platforms, contains a buffer overflow vulnerability that could
allow remote attackers to execute arbitrary code on Windows
platforms, or cause iGateway component failure (denial of
service) on UNIX and Linux. The vulnerability is due to improper
bounds checking on HTTP GET requests by the iGateway component
when debug mode is enabled.
Mitigating Factors: The potential for exploitation of this
vulnerability is very low for the following reasons.
1) A non-standard install of the iGateway component is required
to expose this vulnerability. Typically, the embedded iGateway
component is part of a non-interactive installation process.
Consequently, most systems (those that utilize the default
installation procedure) are not at risk.
2) If a non-standard install WAS performed, the iGateway
component is still unlikely to be vulnerable to this exploit,
because the flaw is only exposed if the component has been
manually configured to run with diagnostic debug tracing enabled.
Configuring the component to run in debug mode requires
administrative access to configuration files that reside on the
machine, and also requires that the iGateway service be stopped
and restarted by someone with administrative service privileges.
Configuring the iGateway service to operate in debug mode is
typically performed only at the direction of Computer Associates
support personnel who are working with a customer to troubleshoot
potential support issues.
Severity: Computer Associates has given this vulnerability a
Medium risk rating.
Affected Technologies: Please note that the iGateway component is
not a product, but rather a component that is included with
multiple products. The iGateway component is included in the
following Computer Associates products, which are consequently
potentially vulnerable. Note that iGateway component versions
less than 4.0.050615 are vulnerable to this issue.
Business Services Optimization (BSO) Products:
Advantage Data Transformer (ADT) R2.2
Harvest Change Manager R7.1
BrightStor Products:
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup for Windows r11
BrightStor Enterprise Backup 10.5
BrightStor ARCserve Backup v9.01
BrightStor ARCserve Backup Laptop & Desktop r11.1
BrightStor ARCserve Backup Laptop & Desktop r11
BrightStor Process Automation Manager r11.1
BrightStor SAN Manager r11.1
BrightStor SAN Manager r11.5
BrightStor Storage Resource Manager r11.5
BrightStor Storage Resource Manager r11.1
BrightStor Storage Resource Manager 6.4
BrightStor Storage Resource Manager 6.3
BrightStor Portal 11.1
Note to BrightStor Storage Resource Manager and BrightStor Portal
users: In addition to the application servers where these
products are installed, all hosts that have iSponsors deployed to
them for managing applications like Veritas Volume Manager and
Tivoli TSM are also affected by this vulnerability.
eTrust Products:
eTrust Audit 1.5 SP2 (iRecorders and ARIES)
eTrust Audit 1.5 SP3 (iRecorders and ARIES)
eTrust Audit 8.0 (iRecorders and ARIES)
eTrust Admin 8.0
eTrust Admin 8.1
eTrust Identity Minder 8.0
eTrust Secure Content Manager (SCM) R8
eTrust Web Service Security R8
eTrust Integrated Threat Management (ITM) R8
Unicenter Products:
Unicenter CA Web Services Distributed Management R11
Unicenter AutoSys JM R11
Unicenter Management for WebLogic / Management for WebSphere R11
Unicenter Service Delivery R11
Unicenter Service Level Management (USLM) R11
Unicenter Application Performance Monitor R11
Unicenter Service Desk R11
Unicenter Service Desk Knowledge Tools R11
Unicenter Service Fulfillment 2.2
Unicenter Service Fulfillment R11
Unicenter Asset Portfolio Management R11
Unicenter Service Matrix Analysis R11
Unicenter Service Catalog/Fulfillment/Accounting R11
Unicetner MQ Management R11
Unicenter Application Server Managmenr R11
Unicenter Web Server Management R11
Unicenter Exchange Management R11
Status and Recommendation:
As an immediate and completely effective remediation solution,
simply do not operate the iGateway component in debug diagnostic
trace mode. To ensure that you are not running iGateway in debug
mode, look for the "Debug" parameter in your igateway.conf file,
and make sure that it is set to "False"
(i.e. <Debug>False</Debug>).
We have developed iGateway updates to completely address this
vulnerability. After our QA process is completed, the updates
will be posted to our SupportConnect web site
(http://supportconnect.ca.com). Step-by-step instructions to
determine a) if customers are vulnerable, and b) how to remediate
the issue, will be posted to http://supportconnect.ca.com site as
well.
Determining your version of iGateway:
To determine the version number of the iGateway component, browse
to the igateway directory and check the version listed in the
igateway.conf file.
On windows, this is %IGW_LOC%
Default path for v3.*: C:Program FilesCAigateway
Default path for v4.*: C:Program FilesCASharedComponentsiTechnology
On unix,
Default path for v3.*: /opt/CA/igateway
Default path for v4.*: the install directory path is contained
in opt/CA/SharedComponents/iTechnology location. The default
path is /opt/CA/SharedComponents/iTechnology.
Look at the <Version> element in igateway.conf.
The versions are affected by this vulnerability if you see a
value LESS THAN the following:
<Version>4.0.050615</Version> (note the format of v.s.YYMMDD)
References:
CA Security Advisor site
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33485
CVE Reference: CAN-2005-3190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3190
OSVDB Reference: OSVDB ID 19920
http://www.osvdb.org/displayvuln.php?osvdb_id=19920
Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.
For technical questions or comments related to this advisory,
please send email to vuln (at) ca (dot) com [email concealed], or contact me directly.
If you discover a vulnerability in CA products, please report
your findings to vuln (at) ca (dot) com [email concealed], or utilize our "Submit a
Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx
Respectfully,
Ken Williams ; Dir. Vuln Research
Computer Associates ; 0xE2941985
Computer Associates International, Inc. (CA).
One Computer Associates Plaza. Islandia, NY 11749
Contact Us http://ca.com/catalk.htm
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://ca.com
Copyright 2005 Computer Associates International, Inc.
All rights reserved