CAID 32896 - Computer Associates Vet Antivirus engine heap overflow
vulnerability
CA Vulnerability ID: 32896
Discovery Date: 2005/04/26
Discovered By: Alex Wheeler
Title:
Computer Associates Vet Antivirus engine heap overflow vulnerability
Impact:
Remote attackers can gain privileged access.
Summary:
Computer Associates has patched a high risk vulnerability that was
identified by Alex Wheeler. The vulnerability affects computers
leveraging our eTrust(TM) Vet Antivirus engine, and can allow an
attacker to gain control of a computer through a specially crafted
Microsoft Office document.
Severity:
Computer Associates has given this vulnerability a High risk rating.
The Vet Antivirus Engine is included in drivers, system services to
automatically scan any files that the computer may access. These
software components have privileged access to the local computer and
are started by default by our Antivirus software installation. In
the worst case scenario, a remote attacker may present a specially
crafted Microsoft Office document to a vulnerable computer for virus
scanning and gain control of the computer without any user
interaction.
Affected corporate products:
CA InoculateIT 6.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r6.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r7.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r7.1 (all platforms, including Notes/Exchange)
eTrust Antivirus for the Gateway r7.0 (all modules and platforms)
eTrust Antivirus for the Gateway r7.1 (all modules and platforms)
eTrust Secure Content Manager (all releases)
eTrust Intrusion Detection (all releases)
BrightStor ARCserve Backup (BAB) r11.1 Windows
Affected retail products:
eTrust EZ Antivirus r6.2 - r7.0.5
eTrust EZ Armor r1.0 - r2.4.4
eTrust EZ Armor LE r2.0 - r3.0.0.14
Vet Antivirus r10.66 and below
Status:
All Computer Associates corporate products and some of our retail
products that utilize the Vet Antivirus Engine have the ability to
patch this vulnerability automatically. For these products, the
patch for this vulnerability was already rolled out as part of the
daily Vet Signature updates on May 3, 2005, and no further action
is required.
Recommendation:
To make sure your system is protected, please review the solutions
below for your specific product version.
* All corporate products - You are protected if you are running
Vet engine 11.9.1 or later. If running an earlier version,
perform a virus signature file update as soon as possible to
receive the patch.
* eTrust EZ Antivirus r7/eTrust EZ Armor r3.1 Users - You may
already be up-to-date. A new Vet engine was made available on
Tuesday, May 3rd. Automatic signature file updates should have
downloaded this update to your system. To verify the update,
please follow the instructions below:
Open eTrust EZ Antivirus (double-click on the "AV" icon in your
system tray), then select the "Help" tab on the top-right of the
screen. The engine version should be listed as 11.9.1 or later.
If it is a lower number, perform a virus signature file update [1]
immediately to receive the patch.
* eTrust EZ Antivirus r6.x Users - Upgrade to eTrust EZ Antivirus r7
as soon as possible. It takes approximately 10 minutes to
complete this process on a high-speed connection, and all users
with an active license are entitled to this upgrade for free.
Follow the link below to upgrade now.
http://consumerdownloads.ca.com/myeTrust/apps/EZAntivirus.exe
- For additional upgrade instructions, click on the appropriate
link below:
- Upgrading from r6.1 and above [2]
- Upgrading from r6.0 and earlier [3]
Unsure of your product version? Follow the link in footnote [4].
* eTrust EZ Armor r3 Users - An update will be pushed down to your
computer. During a virus signature file update, a patch will be
downloaded to your computer. The patch will require that you
reboot your computer for it to take effect. We recommend that
you reboot right away.
* eTrust EZ Armor r2.4.4 and below Users - Upgrade to eTrust EZ
Armor r3.1 as soon as possible. It takes approximately 10
minutes to complete this process on a high-speed connection and
all users with an active license are entitled to this upgrade for
free. Follow the link below to upgrade now.
http://consumerdownloads.ca.com/myeTrust/apps/EZArmor.exe
Unsure of your product version? Follow the link in footnote [4].
CVE Reference: Pending
OSVDB Reference: Pending
Advisory URLs (note that URLs below may wrap):
General:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896
Consumer:
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUME NT&openpa
rameter=1588
[1]
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUME NT&openpa
rameter=61
[2]
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUME NT&openpa
rameter=1907
[3]
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUME NT&openpa
rameter=1911
[4]
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUME NT&openpa
rameter=89
Should you require additional information, please contact CA
Technical Support at http://supportconnect.ca.com.
Respectfully,
Ken Williams ; Vulnerability Research
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985
Computer Associates International, Inc. (CA).
One Computer Associates Plaza. Islandia, NY 11749
Contact Us http://ca.com/catalk.htm
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://ca.com
Copyright 2005 Computer Associates International, Inc.
All rights reserved