
ca.inoculan.nt.txt
Posted Aug 17, 1999

Computer Associates' InocuLAN client for Windows NT contains a bug in the account lockout code that allows large numbers of repeating account lockouts to occur, continuing until the machine is rebooted. A username/password vulnerability may also exist.

tags | exploit
systems | windows
SHA-256 | 477659d665d4fe4b4b9cf7da7e3f894cdc1cfc03f3acd530b8aff11c13dd0844

Date: Sat, 8 May 1999 14:58:08 +1000
From: Glenn Corbett <Glenn.Corbett@bigpond.com>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Insecure Behaviour in Inoculan Client

Russ,

A problem has been discovered with the InocuLAN client on Windows NT
workstations. If an account lockout policy is present on a Windows NT
domain, large numbers of repeating account lockouts can occur.

Description: Incorrect password events (event id 529) are being logged from
workstations when running applications from UNC paths. The username that
has logged the incorrect password is different to that of the logged on
user.

Configuration: Windows NT workstation SP3 or SP4, with InocuLAN V4.0(373) or
InocuLAN V4.0(375)

To reproduce the problem:
1. Install InocuLAN V4.0(373) or V4.0(375) onto an NT workstation with
SP3 or SP4 (SP5 not tested yet)

2. Configure InocuLAN as described below:
Options:
Direction - Incoming and Outgoing files
Action upon Virus detection - Cure File
Cure Action for Macro Viruses - Remove Infected Macros
Copy File before Cure
Rename File when Cure Fails
Rename Extension - AVB
Move Directory - C:\Inoculan\VIRUS

Protected Areas:
Protect Floppy Drives
Protect Network Drives
Protect CD-ROM Drives

Scan Type - Secure Scan

3. Reboot the workstation

4. Log into WorkstationA as Domain UserA, Logout Domain UserA

5. From another workstation change the password of Domain UserA

6. Log into WorkstationA as Domain UserB.

7. From WorkstationA run an application from a remote share on WorkstationX
where Logon and Logoff, Success/Failure, are being audited. Run an
application from the cmd window using a UNC path with no other connections
to the WorkstationX. Eg \\WorkstationX\shareX\notepad

8. The application will take several seconds to run and there will be a
failure security event (529) for UserA from Workstation A. From server
manager remotely stop the Cheyenne InocuLAN Anti-Virus Server on Workstation
A and repeat step 7. You will see that the application will start
immediately and no errors will be recorded in the security event log.

The above problem also causes problems when running logon scripts. If an
application is called from the logon script and that application does not
exist on the local workstation, the version in the logon share will be run.
As soon as the application in the logon script is called there is an event
529 error recorded on the logon server security event log.

Even if subsequent different users log into Workstation A, this problem
will continue until the workstation is rebooted.

This behaviour can also be seen if, in Step 4, a local userA logs on. The
subsequent error 529s have the local userA account in the security event.

It appears as though InocuLAN is storing the user credentials for the first
logged on user and using them to scan network drives for viruses even when a
different user subsequently logs on, until workstation reboot. It is not yet
apparent if this username / password is being stored in the registry /
temporary file or memory, and therefore open to exploit.

We do not see this problem with InocuLAN V4.0 (4.0 Service Pack 1).

CA have been notified earlier this week, no response as yet.

Thanks

Glenn Corbett
CRISP Project Server / Workstation Team Leader
Compaq Computer Corp, Australia.
Glenn.Corbett@compaq.com (Work)
Glenn.Corbett@bigpond.com (Private)

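As an added example (not part of the original posts), the detection logic a defender would run over Security-log records to spot the signature Glenn describes: repeated event 529 logon failures originating from a workstation for an account other than the one interactively logged on there. The record layout, field names and the consolidated event feed are constructed assumptions.

```python
"""Flag NT event 529 logon failures whose username differs from the
account interactively logged on at the originating workstation, the
pattern reported above (stale InocuLAN-held credentials after a
password change). Records are constructed here in a simplified form
and assume a consolidated feed of Security-log events."""
from collections import defaultdict

INTERACTIVE = 2  # NT logon type 2 = interactive (console) logon

# Constructed sample events, not real log data: UserA logs on and off
# WorkstationA, UserB logs on, then every UNC launch fails as UserA.
EVENTS = [
    {"id": 528, "user": "UserA", "ws": "WorkstationA", "type": INTERACTIVE},
    {"id": 538, "user": "UserA", "ws": "WorkstationA", "type": INTERACTIVE},
    {"id": 528, "user": "UserB", "ws": "WorkstationA", "type": INTERACTIVE},
    {"id": 529, "user": "UserA", "ws": "WorkstationA", "type": 3},
    {"id": 529, "user": "UserA", "ws": "WorkstationA", "type": 3},
    {"id": 529, "user": "UserA", "ws": "WorkstationA", "type": 3},
    {"id": 528, "user": "UserC", "ws": "WorkstationB", "type": INTERACTIVE},
    # A user mistyping their own password is not the pattern we want.
    {"id": 529, "user": "UserC", "ws": "WorkstationB", "type": 3},
]


def find_stale_credential_failures(events, threshold=3):
    """Return {workstation: (logged_on_user, failing_user, count)} for
    workstations producing >= threshold failures for a user other than
    the one currently logged on interactively at that workstation."""
    logged_on = {}                 # workstation -> current interactive user
    mismatches = defaultdict(int)  # (workstation, failing_user) -> count
    for ev in events:
        ws, user = ev["ws"], ev["user"]
        if ev["id"] == 528 and ev["type"] == INTERACTIVE:
            logged_on[ws] = user               # interactive logon
        elif ev["id"] == 538 and ev["type"] == INTERACTIVE:
            logged_on.pop(ws, None)            # interactive logoff
        elif ev["id"] == 529 and logged_on.get(ws) not in (None, user):
            mismatches[(ws, user)] += 1        # failure as someone else
    return {ws: (logged_on[ws], bad, n)
            for (ws, bad), n in mismatches.items() if n >= threshold}


if __name__ == "__main__":
    for ws, (cur, bad, n) in find_stale_credential_failures(EVENTS).items():
        print(f"{ws}: {n} failures as {bad} while {cur} is logged on")
```

A hit means the workstation is burning lockout attempts against an account nobody is using there, which is the state the reporter clears only by rebooting.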
--------------------------------------------------------------------------------

Date: Fri, 14 May 1999 14:49:17 -0400
From: ARCNT <ARCNT@CAI.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: FW: NTBUGTRAQ response - URGENT

The issue reported to NTBUGTRAQ regarding InocuLAN v4.0 build 373 and 375
implies that username/password information is stored "somewhere" on the
client side and as such could potentially be exploited.

That assertion is inaccurate: the username/password credential combination
is NOT stored on the client side by Inoculan (which is why the efforts to locate
these credentials in shared memory, in a file or in the registry have been
unsuccessful).

Clearly, in order for the InocuLAN real-time scanner to access files on a remote server,
the software must have valid security contexts in place to permit the requisite access
to the file systems and files.

The techniques utilized by Inoculan (using low level, but fully documented and
supported standard vendor APIs) do NOT require that traditional user
credentials (user account/password) be presented in order to gain the necessary
access.

Rather, Inoculan is able to gain the required access in a completely
secure manner without prompting for username and password information.

In addition, it is important to point out that NO attempt to retrieve
credential data is done without the user's explicit advance knowledge and consent.

Computation/generation of the requisite credential information is done at Inoculan driver
initialization time, and can be easily refreshed by simply rebooting the machine (which of
course will in turn result in Inoculan initialization routines being invoked as part of
system restart).

The particular behaviour observed and reported can be attributed to the fact that AFTER
Inoculan initialization was completed, the user access credentials for the user in question
were modified, rendering the originally computed credential that Inoculan would otherwise
utilize, invalid.

An enhancement is being developed presently to provide a configuration setting that
will instruct the Inoculan real-time scanner to recompute credentials automatically thus
eliminating the need to reboot the client machine.

This enhancement will be available by 17:00 Eastern US time, May 21, 1999, and can be
downloaded from the standard Computer Associates support web sites, (http://support.cai.com).

We appreciate the efforts involved in bringing this issue to our attention and look forward
to being able to provide you continued responsive service in the future!

InocuLAN Technical Support

--------------------------------------------------------------------------------

Date: Fri, 21 May 1999 11:36:43 -0400
From: ARCNT <ARCNT@CAI.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: NTBUGTRAQ response - URGENT

An enhancement for the issue reported to NTBUGTRAQ regarding InocuLAN v4.0 build 373 and 375,
in reference to locally computed credential information, has been made available. This enhancement
is for the Inoculan real-time scanner and will obviate the need to reinitialize the machine (reboot) that
was previously required to effect an update of locally computed credential information. The enhancement
can be downloaded from our Computer Associates support web sites at
http://support.cai.com/Download/patches/inocnt.html, and the file is called LO49393.CAZ.

Again, we appreciate the efforts involved in bringing this issue to our attention and look forward
to being able to provide you continued responsive service in the future!

Thank you.

InocuLAN Technical Support

© 2022 Packet Storm. All rights reserved.