Exploit Out For CA Bugs, Eval Users Also At Risk - InformationWeek





Users of Computer Associates' products are now at an even greater risk, a security firm said Wednesday, because exploit code has appeared that takes advantage of vulnerabilities disclosed last week.

Even more important, said Firas Raouf, the chief operating officer of eEye Digital Security, is that ex-users of CA products -- including those who only evaluated the company's security titles, but then later uninstalled them -- are vulnerable to attack.

The vulnerabilities were first reported March 2 by Computer Associates and a pair of security vendors, eEye and Reston, Va.-based iDefense. A bug in the licensing software used in virtually every Windows, Macintosh, Linux, and Unix title from CA could allow attackers to generate buffer overflows, and from there, run code of their choice on the machines. Computer Associates released patches that same day.

"Exploits have been posted on the Internet," said Raouf, "and pretty much lay out the formula for exploiting the vulnerabilities with buffer overflows." The published exploits target Windows 2000 and Windows XP, just two of the numerous operating systems that run CA's software.

"It's a pretty classic example," added Raouf. "Windows just tends to be targeted more."

While a worm hasn't been spotted that uses the exploit code to create an automated attacker, "it would be a trivial job to turn it into one," Raouf claimed.

Also on Wednesday, the Internet Storm Center reported that it had monitored a huge spike in traffic on TCP ports 10202 and 10203, both of which are used by Computer Associates' licensing software. The number of systems scanned at port 10203, for instance, jumped from just 19 on March 2 to 4,594 on March 5.

"These scans are likely due to the public release of exploit code, which was released to the public on Monday in a posting to the VulnWatch mailing list," wrote David Goldsmith on the Storm Center's analyst blog.

But eEye's Raouf said it was too early to tell whether the increased activity on those ports was actually due to the exploit, or was only proof that hackers were scanning for vulnerable systems that they might target later.
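An added example, not part of the original article: a defender can look for the same pattern in their own perimeter logs by counting distinct hosts probed on TCP 10202 and 10203 per day, flagging sources that sweep many hosts, and listing hosts where such traffic was let through. The log layout, addresses and dates below are constructed for illustration.

```python
import re
from collections import defaultdict

CA_LICENSE_PORTS = {10202, 10203}  # licensing ports named in the article

# Assumed log layout (constructed for this example, not a real product's format).
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<action>ACCEPT|DROP) TCP "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = """\
2005-03-02T09:14:01 DROP TCP src=198.51.100.7 dst=10.0.0.12 dport=10203
2005-03-02T11:40:17 ACCEPT TCP src=10.0.0.5 dst=10.0.0.12 dport=443
2005-03-05T02:00:01 DROP TCP src=203.0.113.9 dst=10.0.0.12 dport=10203
2005-03-05T02:00:01 DROP TCP src=203.0.113.9 dst=10.0.0.13 dport=10203
2005-03-05T02:00:02 DROP TCP src=203.0.113.9 dst=10.0.0.14 dport=10202
2005-03-05T02:00:02 DROP TCP src=203.0.113.9 dst=10.0.0.15 dport=10203
garbled line that should be skipped
2005-03-05T08:30:44 ACCEPT TCP src=192.0.2.44 dst=10.0.0.13 dport=10203
"""

def license_port_events(log_text):
    """Yield (day, action, src, dst, port) for well-formed lines on the licensing ports."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m["dport"]) in CA_LICENSE_PORTS:
            yield m["day"], m["action"], m["src"], m["dst"], int(m["dport"])

def targets_per_day(log_text):
    """Distinct destination hosts probed per (day, port): the kind of per-port count quoted above."""
    hosts = defaultdict(set)
    for day, _, _, dst, port in license_port_events(log_text):
        hosts[(day, port)].add(dst)
    return {key: len(dsts) for key, dsts in hosts.items()}

def sweeping_sources(log_text, min_hosts=3):
    """Sources that touched at least min_hosts distinct hosts on those ports in one day."""
    seen = defaultdict(set)
    for day, _, src, dst, _ in license_port_events(log_text):
        seen[(day, src)].add(dst)
    return {key: len(d) for key, d in seen.items() if len(d) >= min_hosts}

def hosts_to_audit(log_text):
    """Hosts where traffic to a licensing port was allowed: check them for the agent and the patch."""
    return sorted({dst for _, action, _, dst, _ in license_port_events(log_text)
                   if action == "ACCEPT"})

if __name__ == "__main__":
    print(targets_per_day(SAMPLE_LOG))
    print(sweeping_sources(SAMPLE_LOG))
    print(hosts_to_audit(SAMPLE_LOG))
```

A rise in the per-day count shows scanning interest only; as Raouf notes, it does not by itself show that the exploit was used.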

In a related development, Raouf also said that former users of CA titles could be in danger, including those who only evaluated the Islandia, NY-based software developer's products.

"In some cases, evaluation copies install the licensing software as well, and when the evaluation software's removed, the licensing manager isn't completely uninstalled," said Raouf.

eEye discovered the new problem through its own testing, said Raouf, but the Aliso Viejo, Calif.-based security vendor had not yet informed CA of its findings.

"It's going to be difficult for enterprises to spot all the systems that are vulnerable," said Raouf. "While users can go to a CA console to view all the systems which have the licensing agent installed, that won't tell them about, say, consultants' machines using the network or computers where CA products have been uninstalled, but which still have pieces of the licensing software on them."

Later Wednesday, he added, eEye will post a free-for-the-downloading scanning utility that will peek through the network and find all systems vulnerable to the CA exploit. As with earlier such scanners, it will be posted to the eEye Web site.

"CA has taken immediate action in response to the vulnerabilities discovered in a licensing component of certain CA software products, including the development and distribution of the necessary code patches," a spokesman for CA said late Wednesday. "CA worked with iDefense, eEye Digital Security and the CA Security Advisory teams to verify that the patches work properly and eliminate the reported vulnerabilities. We are continuing to work closely with our customers to make sure they are aware of these vulnerabilities and that they take appropriate corrective action. Patches have been posted to our SupportConnect web site (http://SupportConnect.ca.com), where our customers can get step-by-step instructions on how to determine if they are impacted and how to update their environment. Although there are no confirmed reports of the exploitation of these vulnerabilities, CA strongly recommends that our customers apply the patches immediately."
