http://informationweek.com/story/showArticle.jhtml?articleID=159400248
By Gregg Keizer, TechWeb News, March 9, 2005

Users of Computer Associates' products are now at an even greater risk, a security firm said Wednesday, because exploit code has appeared that takes advantage of vulnerabilities disclosed last week. Even more important, said Firas Raouf, the chief operating officer of eEye Digital Security, is that ex-users of CA products -- including those who only evaluated the company's security titles, but then later uninstalled them -- are vulnerable to attack.

The vulnerabilities were first reported March 2 [1] by Computer Associates and a pair of security vendors, eEye and Reston, Va.-based iDefense. A bug in the licensing software used in virtually every Windows, Macintosh, Linux, and Unix title from CA could allow attackers to trigger buffer overflows and, from there, run code of their choice on the affected machines. Computer Associates released patches that same day.

"Exploits have been posted on the Internet," said Raouf, "and pretty much lay out the formula for exploiting the vulnerabilities with buffer overflows." The publicly released exploits are for Windows 2000 and Windows XP, just two of the numerous operating systems that run CA's software. "It's a pretty classic example," added Raouf. "Windows just tends to be targeted more."

While a worm hasn't been spotted that uses the exploit code to create an automated attacker, "it would be a trivial job to turn it into one," Raouf claimed.

Also on Wednesday, the Internet Storm Center reported that it had monitored a huge spike in traffic on TCP ports 10202 and 10203, both of which are used by Computer Associates' licensing software. The number of systems scanned at port 10203, for instance, jumped from just 19 on March 2 to 4,594 on March 5. "These scans are likely due to the public release of exploit code, which was released to the public on Monday in a posting to the VulnWatch mailing list," wrote David Goldsmith on the Storm Center's analyst blog.

But eEye's Raouf said it was too early to tell whether the increased activity on those ports was actually due to the exploit, or was only proof that hackers were scanning for vulnerable systems that they might target later.

In a related development, Raouf also said that former users of CA titles could be in danger, including those who only evaluated the Islandia, N.Y.-based software developer's products. "In some cases, evaluation copies install the licensing software as well, and when the evaluation software's removed, the licensing manager isn't completely uninstalled," said Raouf. eEye discovered the new problem through its own testing, said Raouf, but the Aliso Viejo, Calif.-based security vendor had not yet informed CA of its findings.

"It's going to be difficult for enterprises to spot all the systems that are vulnerable," said Raouf. "While users can go to a CA console to view all the systems which have the licensing agent installed, that won't tell them about, say, consultants' machines using the network or computers where CA products have been uninstalled, but which still have pieces of the licensing software on them."

Later Wednesday, he added, eEye will post a free-for-the-downloading scanning utility that will peek through the network and find all systems vulnerable to the CA exploit. As with earlier such scanners, it will be posted to the eEye Web site [2].

"CA has taken immediate action in response to the vulnerabilities discovered in a licensing component of certain CA software products, including the development and distribution of the necessary code patches," a spokesman for CA said late Wednesday. "CA worked with iDefense, eEye Digital Security and the CA Security Advisory teams to verify that the patches work properly and eliminate the reported vulnerabilities. We are continuing to work closely with our customers to make sure they are aware of these vulnerabilities and that they take appropriate corrective action. Patches have been posted to our SupportConnect web site (http://SupportConnect.ca.com), where our customers can get step-by-step instructions on how to determine if they are impacted and how to update their environment. Although there are no confirmed reports of the exploitation of these vulnerabilities, CA strongly recommends that our customers apply the patches immediately."

[1] http://www.techweb.com/wire/security/60405068
[2] http://www.eeye.com/html/resources/downloads/audits/index.html
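The Internet Storm Center figure quoted in the article (distinct scanning sources per port per day, jumping from 19 to 4,594 on TCP 10203) is the kind of signal a defender can reproduce from their own perimeter logs. The script below is an added example, not code from the article or from ISC, eEye or CA: it parses constructed firewall-drop lines in a hypothetical one-line format, counts distinct source addresses per day hitting the CA license-manager ports (TCP 10202 and 10203, as named in the article), and flags a day when that count jumps by a configurable ratio over the previous observed day. The function names, the log format and the sample addresses are all assumptions made for the example.

```python
"""Spike detection for inbound connection attempts to the CA license-manager
ports (TCP 10202 and 10203) named in the article.

Added example, not code from the article, eEye, CA or the Internet Storm
Center.  The log format below is a constructed, simplified firewall-drop
line; adapt parse_line() to whatever your perimeter devices actually emit.
"""
from collections import defaultdict
import re

# Ports used by the CA licensing component, per the article.
CA_LICENSE_PORTS = {10202, 10203}

# Hypothetical format: "<YYYY-MM-DD> DROP <src-ip> -> <dst-ip>:<dst-port> <proto>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) DROP (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "date": m.group("date"),
        "src": m.group("src"),
        "port": int(m.group("port")),
        "proto": m.group("proto").upper(),
    }


def distinct_sources_per_day(lines, ports=CA_LICENSE_PORTS):
    """Return {port: {date: set(src)}} for TCP traffic aimed at the watched ports.

    Counting distinct sources rather than raw packets mirrors the ISC metric:
    one scanner sweeping many targets should count once per day.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["port"] not in ports:
            continue
        seen[rec["port"]][rec["date"]].add(rec["src"])
    return seen


def find_spikes(seen, ratio=5.0, min_sources=10):
    """Flag (port, date, count, previous_count) when the number of distinct
    sources on a day is at least `ratio` times the previous observed day's
    count and also at least `min_sources` (so a 1 -> 5 change is not an alert).
    """
    alerts = []
    for port, by_day in seen.items():
        prev = None
        for date in sorted(by_day):
            count = len(by_day[date])
            if prev is not None and count >= min_sources and count >= ratio * max(prev, 1):
                alerts.append((port, date, count, prev))
            prev = count
    return alerts


def constructed_sample():
    """Constructed log lines (not real traffic): a quiet March 2, then a
    burst of twelve distinct sources probing TCP 10203 on March 5."""
    lines = [
        "2005-03-02 DROP 192.0.2.10 -> 198.51.100.5:10203 TCP",
        "2005-03-02 DROP 192.0.2.11 -> 198.51.100.5:10203 TCP",
        "2005-03-02 DROP 192.0.2.10 -> 198.51.100.6:10203 TCP",  # same scanner, second target
        "2005-03-02 DROP 192.0.2.12 -> 198.51.100.5:80 TCP",     # unrelated port, ignored
        "2005-03-03 DROP 192.0.2.13 -> 198.51.100.5:10202 TCP",
        "2005-03-05 DROP 192.0.2.14 -> 198.51.100.5:10203 UDP",  # not TCP, ignored
        "this line is not in the expected format",              # skipped by parse_line
    ]
    for i in range(20, 32):  # 192.0.2.20 .. 192.0.2.31 -> 12 distinct sources
        lines.append(f"2005-03-05 DROP 192.0.2.{i} -> 198.51.100.5:10203 TCP")
    return lines


if __name__ == "__main__":
    for port, date, count, prev in find_spikes(distinct_sources_per_day(constructed_sample())):
        print(f"ALERT: tcp/{port} distinct sources {prev} -> {count} on {date}")
```

On the constructed sample this reports a single alert for tcp/10203 on 2005-03-05 (2 sources on the previous observed day, 12 on the spike day). The ratio and minimum thresholds are deliberately conservative defaults; against real perimeter logs they should be tuned to the normal background of scans the network already sees on those ports, and a spike is a prompt to check the CA console inventory and the patch status of hosts listening on 10202/10203, not proof of compromise.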