SupportConnect - Security Notice for CA products implementing the Anti-Virus engine

Issued: June 5th, 2007
Last updated: June 14th, 2007

CA's customer support is alerting customers to multiple security risks in CA products that implement the Anti-Virus engine. Two vulnerabilities exist that can allow a remote attacker to cause a denial of service or possibly execute arbitrary code. CA has issued updates to address the vulnerabilities.

The first vulnerability, CVE-2007-2863, is due to a stack-based buffer overflow occurring when the engine processes an excessively long file name contained in a CAB file.

The second vulnerability, CVE-2007-2864, is due to a stack-based buffer overflow occurring when the "coffFiles" field is processed in a CAB file.

In both instances, an attacker can cause a crash or possibly execute arbitrary code.

Risk Rating

High

Affected Products

CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.0, 7.1, r8, r8.1
CA Anti-Virus 2007 (v8)
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3)
eTrust Internet Security Suite r1, r2
eTrust EZ Armor r1, r2, r3.x
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
CA Protection Suites r2, r3
CA Secure Content Manager (formerly eTrust Secure Content Manager) 1.1, 8.0
CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
Unicenter Network and Systems Management (NSM) r3.0
Unicenter Network and Systems Management (NSM) r3.1
Unicenter Network and Systems Management (NSM) r11
Unicenter Network and Systems Management (NSM) r11.1
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1
CA Common Services
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

How to determine if the installation is affected

From the affected product's GUI, find the signature version. If the version is less than 30.6, then the installation is affected.

Alternatively, on Windows, check the version of vete.dll. The file is located by default in the "C:\Program Files\CA\SharedComponents\ScanEngine" directory. If the version is less than 30.6, then the installation is affected.
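The vete.dll check described above can be scripted. This is an added example, not CA's own tooling: the function and parameter names are hypothetical, and it assumes the DLL's numeric file-version fields carry the engine version that the notice compares against 30.6.

```powershell
# Added example: report whether the CA scan engine DLL is older than 30.6.
# The default directory and the 30.6 threshold come from the notice;
# the function name and parameter names are hypothetical.
function Test-CAScanEngineVersion {
    param(
        [string]$EngineDir = 'C:\Program Files\CA\SharedComponents\ScanEngine',
        [version]$FixedVersion = '30.6'
    )

    $dll = Join-Path $EngineDir 'vete.dll'
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        # No engine at this path: nothing to compare, so report it as not found.
        return [pscustomobject]@{ Path = $dll; Version = $null; Status = 'NotFound' }
    }

    # Compare the numeric major/minor fields, not the display string, so that
    # a later 30.10 sorts above 30.6 (a string or decimal compare gets this wrong).
    $info  = (Get-Item -LiteralPath $dll).VersionInfo
    $found = New-Object System.Version($info.FileMajorPart, $info.FileMinorPart)

    $status = if ($found -lt $FixedVersion) { 'Affected' } else { 'Updated' }
    [pscustomobject]@{ Path = $dll; Version = $found; Status = $status }
}

# Check the default install location on the local machine.
Test-CAScanEngineVersion
```

If the product was installed to a non-default location, pass that directory with -EngineDir.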

Solution

CA has issued content update 30.6 to address the vulnerabilities. The updated engine is provided with content updates. Ensure the latest content update is installed if the signature version is less than version 30.6.

For BrightStor ARCserve Backup:

  1. To update the signatures one time only, open a command window, change into the "C:\Program Files\CA\SharedComponents\ScanEngine" directory, and enter the following command:

    inodist /cfg inodist.ini

  2. To update on a regular schedule:

    • Submit a GenericJob using the ARCserve Job Scheduler. Please search the BrightStor Administrator's Guide for 'Antivirus Maintenance' and follow the directions.

      Or

    • Use the above command line instruction with the AT Scheduler.

Workaround

None

References

CVE-2007-2863 - CAB file long filename buffer overflow

CVE-2007-2864 - CAB file coffFiles buffer overflow

Acknowledgement

CVE-2007-2863 - CA would like to thank an anonymous researcher working with TippingPoint (www.tippingpoint.com) and the Zero Day Initiative (www.zerodayinitiative.com) for reporting this issue.

CVE-2007-2864 - CA would like to thank an anonymous researcher working with TippingPoint (www.tippingpoint.com) and the Zero Day Initiative (www.zerodayinitiative.com) for reporting this issue.

Change History

Version 1.2: Added eSCM version 1.1

Version 1.1: Added additional instructions on how to determine the vete.dll version on Windows. Revised affected product listing; added Anti-Virus Enterprise 7.0, 7.1 and eTrust Intrusion Detection.

Version 1.0: Initial Release

If additional information is required, please contact CA Technical Support at http://supportconnect.ca.com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form at https://www.ca.com/us/securityadvisor/vulninfo/submit.aspx.