SupportConnect - CA Message Queuing - Security Notice - Frequently Asked Questions
  

CA Message Queuing
Security Notice
Frequently Asked Questions

Last Updated: August 18, 2005

CA Message Queuing Security Notice

I have a very large environment with hundreds / thousands of machines. How do I confirm which ones have this vulnerability?

With Unicenter Asset Management, upgrade the Application Definition component to the latest version. Based on version information regarding this vulnerability, you can design reports to provide this information.

Can we install the latest CAM/CAFT versions on top of any existing CAM/CAFT installation?

By design, CAM/CAFT is upwardly compatible; however, please follow the instructions provided for each product to ensure a smooth upgrade.

Do we have to stop the products relying on CAM/CAFT before installing the upgrade?

The install process will take care of stopping and starting CAM. However, to minimize any disruption you may wish to shut down applications (please refer to the list of affected applications in the security notice) before installing the upgrade.

Can this patch be distributed using Unicenter Software Delivery (USD/SDO)?

Yes. All CAM patches mentioned above are prepared to be distributed using USD. The installation/update of CAM will produce an install log which is captured in the output tab of the software delivery job. This can be used to verify the success, or otherwise, of the job.


Note: The USD package for CA Message Queuing uses SDRegister.exe on Windows to register the software packages. Please review the ReadMe.doc file that is included with each USD package for CA Message Queuing for the instructions on registering, delivering, and installing CA Message Queuing using USD.

Can this vulnerability be detected using Unicenter Asset Management (UAM/AMO)?

Yes. The latest Unicenter Asset Management definitions can be used to detect this vulnerability.

See UAM Tech Document ID TEC358383 for download notice.

We are running Sun-Solaris 64 bit. Will the CA Message Queuing patch work with this version?

Yes.

What is CAM/CAFT?

CAM is a messaging sub-component which provides a "store and forward" messaging framework for applications. A number of CA applications now use CAM for their messaging requirements. CAFT is an application, supplied with CAM, which utilizes CAM for file transfers. CAFT is driven by messages it receives from CAM enabled applications.

I have already installed a CAM/CAFT patch that addresses a security vulnerability. Do I need to install these new patches?

Yes. Although earlier patches corrected certain vulnerabilities, subsequent analysis revealed further ways of exploiting these vulnerabilities that we needed to address. The latest patches address all known ways of exploiting these vulnerabilities.

How would I know that CAM is the subject of a Denial of Service (DoS) attack? In other words, how would I tell that CAM was possibly under attack?

If CAM were the subject of a DoS attack on its TCP port, it would no longer accept new TCP connections. For example, if you tried to run the camstat command locally, it would fail to connect to CAM even though CAM was running. You would see a message similar to the following:

     camstat: select failed (15) Unable to connect to CAM server

However, a camstat command run from a remote machine against this machine would show that CAM was running. For example, the following command will work when run on a remote machine:

     camstat <affected_machine_name>

CAM will not be using any additional CPU under a DoS attack. All the attack does is affect CAM's ability to accept new TCP connections from CAM clients or remote CAM servers.
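The symptom described above can be checked from a script. The following is an added example, not CA-supplied code: it assumes `camstat` is on the PATH, that the Unix process is named `camf` (as stated elsewhere in this FAQ), and that the error text matches the sample message quoted above. The state names are made up for illustration.

```shell
#!/bin/sh
# Added example: classify the local symptom of a DoS on CAM's TCP port.

# classify_cam_state <process_running: yes|no> <camstat output text>
# Prints one of: OK, NOT_RUNNING, SUSPECT_DOS, UNKNOWN (hypothetical labels).
classify_cam_state() {
    running=$1
    output=$2
    case $output in
        *"Unable to connect to CAM server"*)
            if [ "$running" = yes ]; then
                # Process is alive but refuses new local TCP connections:
                # the pattern the FAQ associates with a DoS attack.
                echo SUSPECT_DOS
            else
                # The connection failure is explained by CAM being down.
                echo NOT_RUNNING
            fi
            ;;
        *)
            if [ "$running" = yes ]; then echo OK; else echo UNKNOWN; fi
            ;;
    esac
}

# Prints "yes" if a process named camf exists, otherwise "no".
cam_process_running() {
    if ps -e -o comm= 2>/dev/null | grep -Eq '(^|/)camf$'; then
        echo yes
    else
        echo no
    fi
}

# Runs camstat against the local CAM server and classifies the result.
check_local_cam() {
    out=$(camstat 2>&1)
    classify_cam_state "$(cam_process_running)" "$out"
}

# Only run the live check on machines where camstat is installed.
if command -v camstat >/dev/null 2>&1; then
    check_local_cam
fi
```

A SUSPECT_DOS result should be confirmed by running `camstat <affected_machine_name>` from a remote machine, which the FAQ says will still succeed.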

At what point does the buffer overflow happen? What do we see in the Windows event log when this buffer overflow happens? Please give me details.

There will be no indication in the Event Log that a buffer overflow has occurred. The only likely sign is that the cam.exe process (or camf binary on Unix) will crash. Once the patch is installed this will no longer be a concern.

The email we received says 'Buffer overflow conditions can potentially allow arbitrary code to be executed remotely with elevated privileges'. Please give me details (or an example) on how this happens.

A remote or local attacker may be able to send specifically formatted data to the ports on which the CA Message Queuing Server is listening and cause the process's execution stack to overflow. This overflow may cause the process, which is running with system privileges, to execute instructions at another place in memory. It is the execution of these instructions that may compromise a system.

The email also mentioned 'multiple vulnerability issues' - please elaborate.

This refers to the fact that there are two separate vulnerabilities:

  • Buffer overflow conditions can potentially allow arbitrary code to be executed remotely with elevated privileges.
  • Potential to launch a spoof CAFT and allow arbitrary commands to be executed with elevated privileges.

Furthermore there are multiple ways to cause a buffer overrun exploit. All known exploits have been patched with the latest version of the patches.

Does the new CAM update that addresses the problem of the CAM vulnerabilities require a reboot of the OS?

Application of the CAM update should not require a reboot provided that all applications which depend upon CAM have been shut down (please refer to the list of affected applications in the security notice). The upgrade will mark any files which are in use for replacement at the next reboot. Please review the product-specific pages for any additional upgrade details.

Are there Master Image updates for the CAM / CAFT Vulnerability patch?

Yes, where appropriate. Please check the relevant product support page for image update patches available for download via SupportConnect.

We have instances of the cam.exe (or camf on Unix) module residing in directories other than the one in which CAM is installed. Are they the same?

There is only one install of CAM on a system. Its location is determined as follows:

  • Windows: the install location is specified by the %CAI_MSQ% environment variable.
  • Unix/Linux/Mac: the /etc/catngcampath text file holds the CAM install location.

Some CA products contain copies of CAM for the purposes of sharing or distributing to other systems. Other products may contain CAM installs which will be activated if relevant functionality is enabled. In those cases, a CAM install is initiated which will establish if the installed CAM needs to be upgraded. In these situations, please be sure to follow the product specific links on the security notice page.
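On Unix, the distinction between the one active install and bundled copies can be scripted. This is an added example, not CA-supplied code: it assumes the first non-empty line of `/etc/catngcampath` is the install directory, and it treats any `camf` file outside that directory as a bundled copy. It does not cover the Windows `%CAI_MSQ%` case.

```shell
#!/bin/sh
# Added example: separate the active CAM install from copies shipped
# inside other products, using the location rule given in the FAQ.

# cam_install_dir [path_file]
# Prints the install directory recorded in the path file (assumption:
# first non-empty line; trailing slashes, spaces and CRs are stripped).
cam_install_dir() {
    path_file=${1:-/etc/catngcampath}
    [ -r "$path_file" ] || return 1
    dir=$(tr -d '\r' < "$path_file" |
          sed -n '/[^[:space:]]/{s|[[:space:]/]*$||;p;q;}')
    [ -n "$dir" ] && printf '%s\n' "$dir"
}

# classify_cam_binaries <install_dir> <search_root>...
# Prints "ACTIVE <path>" for each camf under the install directory and
# "COPY <path>" for each camf found anywhere else under the search roots.
# Search roots must be absolute so paths compare against install_dir.
classify_cam_binaries() {
    install_dir=$1
    shift
    find "$@" -type f -name camf 2>/dev/null | sort |
    while IFS= read -r bin; do
        case $bin in
            "$install_dir"/*) printf 'ACTIVE %s\n' "$bin" ;;
            *)                printf 'COPY %s\n' "$bin" ;;
        esac
    done
}

# Usage: sh script.sh /opt /usr/local   (search roots are up to the operator)
if [ "$#" -gt 0 ]; then
    dir=$(cam_install_dir) || { echo "no CAM install recorded" >&2; exit 1; }
    echo "Active CAM install: $dir"
    classify_cam_binaries "$dir" "$@"
fi
```

Only the ACTIVE entry is the CAM that runs on the system; COPY entries are handled through the product-specific links on the security notice page.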
