From xforce@iss.net Wed Jan 27 13:30:00 1999
From: X-Force <xforce@iss.net>
To: alert@iss.net
Cc: X-Force <xforce@iss.net>
Date: Mon, 25 Jan 1999 14:52:52 -0500 (EST)
Subject: ISSalert: ISS Security Advisory: Multiple vulnerabilities in ControlIT(tm)

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
January 25, 1999

Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32)
enterprise management software


Synopsis:

Internet Security Systems (ISS) X-Force discovered three vulnerabilities
in the Computer Associates ControlIT enterprise management software
package. ControlIT contains vulnerabilities that allow an attacker with
local access to a network or machine on which ControlIT operates to
obtain username and password information or reboot machines without
authorization.

ControlIT is a remote management application that allows users to have
full remote control over machines running Microsoft Windows. ControlIT is
often used in educational laboratory environments and large corporate
production environments.

Affected versions:

ISS X-Force has confirmed that this vulnerability exists in ControlIT
version 4.5. Earlier versions of ControlIT (under the name of Remotely
Possible/32) are also vulnerable.

The 'About ControlIT' item under the Window menu of ControlIT displays
version information.


Description:

Password encryption vulnerability: ControlIT does not effectively encrypt
the username or password transmission between a client and a server on a
network. Analysis of an encrypted password captured from a local network
shows that ControlIT uses a weak cryptographic process to obscure the
password transmitted over the network. Though the exact mathematical
transform is not known, a substitution table suffices to decrypt any
ControlIT password. Since ControlIT supports Windows NT native security, 
an attacker could obtain user or administrator passwords to Windows NT
machines via this vulnerability.

Reboot vulnerability: ControlIT allows remote users to either reboot the
remote machine or force the current user of the remote machine to logout.
A user must be authenticated to operate this mechanism. Another option,
configurable by the local user, allows the remote user to initiate a
reboot or logout of current user once the remote user disconnects the
session. This option triggers regardless of authentication; anybody can
connect and disconnect without authenticating to trigger the timer of
this option if it is enabled by the local user.

Access to the address book file: The ControlIT address book function
allows ControlIT users to store frequently used usernames and passwords
in a file. The passwords in this file are encrypted using the same weak
mechanism employed during remote connections. Under Windows NT, this file
has permissions of Everyone:Read, meaning any local user can read the file
and decrypt passwords.

Recommendations:

CA suggests that customers address the weak encryption problem by adding
CryptIT(tm) software to ControlIT installations since no patch to
ControlIT exists that repairs the weak encryption problem. See Computer
Associates' reply to ISS below for more information.

A patch exists for the Reboot Vulnerability, although a specific URL to
the patch is not available. This patch, #TF73073, can be obtained through
Computer Associates support at http://www.cai.com or 1-800-DIALCAI. 

A patch exists for the address book vulnerability, which disables
password storage in the ControlIT address book. Contact Computer
Associates support at the above URL or phone number to obtain this patch.

Localize ControlIT access by blocking TCP port 799 at the network
perimeter with packet filters or firewalls.


Vendor Response:

Computer Associates responded to ISS with the following reply:

Synopsis.
Computer Associates is dedicated to ensuring its products address its
customers needs, including the delivery of robust and secure remote
control solutions.  The following information is provided to ISS in
response to its advisory entitled "Multiple vulnerabilities in ControlIT
(formerly Remotely Possible/32) enterprise management software" and dated
December 2, 1998. As explained below, Computer Associates, remote control
solutions address all three points raised in the subject ISS advisory.

Password Encryption.
For Remotely Possible and ControlIT users requiring enhanced encryption,
Computer Associates provides an end-to-end encryption product called
CryptIT. CryptIT is an advanced encryption solution that does not involve
key management and is easy to deploy. CryptIT is transparent and
automatically discovers CryptIT at the other end and provides strong
encryption with DES3 and DES encryption. CryptIT with Remotely Possible or
ControlIT ensures that all network session data is completely private and
secure.

Remotely Possible and ControlIT offer "built-in" security in addition to
NT local and Domain security. For customers concerned that the NT
administrator passwords can be sniffed, the "built-in" security model
should be used as the NT usernames/passwords are not required.

Reboot Vulnerability.
Remotely Possible 4.0 and ControlIT 4.5 allow the user to enable or
disable the "reboot on disconnect" option.  By default, the product does
not reboot on disconnect.  

If the 'reboot on disconnect' is enabled, the machine will reboot if an
invalid username or password is provided. This feature was requested by
Computer Associates' customers who wanted to ensure that intruders could
not easily access a machine. 

A patch, which can be optionally installed, will be available for those
customers who prefer to disable the machine reboot option in cases of an
invalid username or password. 

Address Book Passwords.
Computer Associates offers a patch for Remotely Possible 4.0 that removes
password storage in the address book.  The user must type in the password.

ControlIT users are not required to enter the password in the address
books. If they choose to, ControlIT stores the passwords in encrypted
form. Computer Associates also offers a patch for ControlIT 4.5 that
removes password storage in the address book and requires the user to
type in the password. As usernames are typically a common ASCII string, it
would be easier for an attacker to determine the encryption algorithm and
hence determine the password if the usernames were encrypted. Therefore,
the username is not encrypted. 


Patch information:

Contact Computer Associates support at http://www.cai.com or
1-800-DIALCAI to obtain patches.


Additional Information:

ISS Internet Scanner risk assessment software and ISS RealSecure 
real-time intrusion detection software have the capability to detect 
these vulnerabilities.

The 'Data Encryption' option offered by ControlIT does not encrypt the
login/password packets in any way. This measure is not effective to avoid
these vulnerabilities.

__________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express
consent of X-Force.  If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer:

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNqy38jRfJiV99eG9AQF61wP6Akf0l/7dWJDnRqaZ3L+9Jyfo3CR5Ozwy
tmD9XXC+86bq9+8BeoWGUWS3sV8yxWfIcZ3IfypY4GKlwIF0lOnUqbkqCSyT5d0I
Xa3sSi8OZUaavvkFKwbM8K8RRE7dewCh2DmUl34bOHylMfBL5jEj5DTklqmQEhXA
UsOiEUbBrDg=
=S1PK
-----END PGP SIGNATURE-----