-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Title: Computer Associates iGateway debug mode HTTP GET request buffer overflow vulnerability CA Vulnerability ID: 33485 Discovery Date: 2005-10-06 CA Advisory Date: 2005-10-14 Discovered By: EMendoza Impact: Remote attacker can execute arbitrary code with SYSTEM privileges. Summary: The Computer Associates iGateway common component, which is included with several CA products for UNIX/Linux/Windows platforms, contains a buffer overflow vulnerability that could allow remote attackers to execute arbitrary code on Windows platforms, or cause iGateway component failure (denial of service) on UNIX and Linux. The vulnerability is due to improper bounds checking on HTTP GET requests by the iGateway component when debug mode is enabled. Mitigating Factors: The potential for exploitation of this vulnerability is very low for the following reasons. 1) A non-standard install of the iGateway component is required to expose this vulnerability. Typically, the embedded iGateway component is part of a non-interactive installation process. Consequently, most systems (those that utilize the default installation procedure) are not at risk. 2) If a non-standard install WAS performed, the iGateway component is still unlikely to be vulnerable to this exploit, because the flaw is only exposed if the component has been manually configured to run with diagnostic debug tracing enabled. Configuring the component to run in debug mode requires administrative access to configuration files that reside on the machine, and also requires that the iGateway service be stopped and restarted by someone with administrative service privileges. Configuring the iGateway service to operate in debug mode is typically performed only at the direction of Computer Associates support personnel who are working with a customer to troubleshoot potential support issues. Severity: Computer Associates has given this vulnerability a Medium risk rating. Affected Technologies: Please note that the iGateway component is not a product, but rather a component that is included with multiple products. The iGateway component is included in the following Computer Associates products, which are consequently potentially vulnerable. Note that iGateway component versions less than 4.0.050615 are vulnerable to this issue. Business Services Optimization (BSO) Products: Advantage Data Transformer (ADT) R2.2 Harvest Change Manager R7.1 BrightStor Products: BrightStor ARCserve Backup r11.5 BrightStor ARCserve Backup r11.1 BrightStor ARCserve Backup for Windows r11 BrightStor Enterprise Backup 10.5 BrightStor ARCserve Backup v9.01 BrightStor ARCserve Backup Laptop & Desktop r11.1 BrightStor ARCserve Backup Laptop & Desktop r11 BrightStor Process Automation Manager r11.1 BrightStor SAN Manager r11.1 BrightStor SAN Manager r11.5 BrightStor Storage Resource Manager r11.5 BrightStor Storage Resource Manager r11.1 BrightStor Storage Resource Manager 6.4 BrightStor Storage Resource Manager 6.3 BrightStor Portal 11.1 Note to BrightStor Storage Resource Manager and BrightStor Portal users: In addition to the application servers where these products are installed, all hosts that have iSponsors deployed to them for managing applications like Veritas Volume Manager and Tivoli TSM are also affected by this vulnerability. eTrust Products: eTrust Audit 1.5 SP2 (iRecorders and ARIES) eTrust Audit 1.5 SP3 (iRecorders and ARIES) eTrust Audit 8.0 (iRecorders and ARIES) eTrust Admin 8.0 eTrust Admin 8.1 eTrust Identity Minder 8.0 eTrust Secure Content Manager (SCM) R8 eTrust Web Service Security R8 eTrust Integrated Threat Management (ITM) R8 Unicenter Products: Unicenter CA Web Services Distributed Management R11 Unicenter AutoSys JM R11 Unicenter Management for WebLogic / Management for WebSphere R11 Unicenter Service Delivery R11 Unicenter Service Level Management (USLM) R11 Unicenter Application Performance Monitor R11 Unicenter Service Desk R11 Unicenter Service Desk Knowledge Tools R11 Unicenter Service Fulfillment 2.2 Unicenter Service Fulfillment R11 Unicenter Asset Portfolio Management R11 Unicenter Service Matrix Analysis R11 Unicenter Service Catalog/Fulfillment/Accounting R11 Unicetner MQ Management R11 Unicenter Application Server Managmenr R11 Unicenter Web Server Management R11 Unicenter Exchange Management R11 Status and Recommendation: As an immediate and completely effective remediation solution, simply do not operate the iGateway component in debug diagnostic trace mode. To ensure that you are not running iGateway in debug mode, look for the "Debug" parameter in your igateway.conf file, and make sure that it is set to "False" (i.e. False). We have developed iGateway updates to completely address this vulnerability. After our QA process is completed, the updates will be posted to our SupportConnect web site (http://supportconnect.ca.com). Step-by-step instructions to determine a) if customers are vulnerable, and b) how to remediate the issue, will be posted to http://supportconnect.ca.com site as well. Determining your version of iGateway: To determine the version number of the iGateway component, browse to the igateway directory and check the version listed in the igateway.conf file. On windows, this is %IGW_LOC% Default path for v3.*: C:\Program Files\CA\igateway Default path for v4.*: C:\Program Files\CA\SharedComponents\iTechnology On unix, Default path for v3.*: /opt/CA/igateway Default path for v4.*: the install directory path is contained in opt/CA/SharedComponents/iTechnology location. The default path is /opt/CA/SharedComponents/iTechnology. Look at the element in igateway.conf. The versions are affected by this vulnerability if you see a value LESS THAN the following: 4.0.050615 (note the format of v.s.YYMMDD) References: CA Security Advisor site http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33485 CVE Reference: CAN-2005-3190 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3190 OSVDB Reference: OSVDB ID 19920 http://www.osvdb.org/displayvuln.php?osvdb_id=19920 Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com. For technical questions or comments related to this advisory, please send email to vuln@ca.com, or contact me directly. If you discover a vulnerability in CA products, please report your findings to vuln@ca.com, or utilize our "Submit a Vulnerability" form. URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx Respectfully, Ken Williams ; Dir. Vuln Research Computer Associates ; 0xE2941985 Computer Associates International, Inc. (CA). One Computer Associates Plaza. Islandia, NY 11749 Contact Us http://ca.com/catalk.htm Legal Notice http://ca.com/calegal.htm Privacy Policy http://ca.com Copyright 2005 Computer Associates International, Inc. All rights reserved -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQ0/F4nklkd/ilBmFEQJD3wCfX9NgAlRJFZ5tY25X2JjgzkBNGZkAoJNk Ye/d+Plo0fMUDSkKRugtLISZ =TkXF -----END PGP SIGNATURE-----