SupportConnect - CA License - Security Notice - Frequently Asked Questions
  


Last Updated: September 07, 2005

CA Addresses Licensing Vulnerabilities


I have a very large environment with hundreds / thousands of machines. How do I confirm which ones have this vulnerability?

With Unicenter Asset Management, upgrade the Application Definition component to the latest version. Based on version information regarding the Licensing vulnerability, you can design reports to provide this information.

Can we install the latest licensing version on top of any existing licensing installation?

Yes, by design, licensing is upwardly compatible.

Do we have to stop the products relying on the licensing system before installing the upgrade?

No.

What if the patch cannot be downloaded due to a firewall?

Until it can be downloaded, open the Windows Services console, check whether a service named CA License Client is running, and stop or disable the service if it is. This also prevents the vulnerability from being exploited.

What does the client do if they cannot determine the version of licensing from any of the links/suggestions provided?

If this is the case, it is likely a very old version of CA Licensing that is on the system. These older versions are not vulnerable. To be certain, it is best to open the Windows Services console, check if there is a service named CA License Client running and stop or disable the service if it is running.

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

Do Unicenter NSM agents (windows, unix, linux boxes) need that license mechanism?

Some NSM agents may not require the license mechanism but other CA products installed may require the software. If unsure please check the following file to determine if affected.

If lic98rmt.exe (windows) or licrmt (unix/linux/apple) is dated March 2003 or earlier then the system is NOT vulnerable. If lic98rmt.exe (windows) or licrmt (unix/linux) is dated January 2005 or newer (later) then the system is also NOT vulnerable. If you do not see any of these files then the system is also NOT vulnerable. If lic98rmt.exe (windows) or licrmt (unix/linux) is in the date range of April 2003 through December 2004 then the system is vulnerable.

The default installation directories are:
Windows: C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC
Unix/Linux/Mac: /opt/CA/ca_lic or /opt/CA/SharedComponents/ca_lic

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

Can this patch be distributed using Unicenter Software Delivery (USD/SDO)?

Yes. Software delivery packages are available. USD packages can be downloaded at the following ftp link: ftp://ftp.ca.com/pub/License98/LicenseIT/lic98_v161/USD_Package/.

Note: The USD package for CA License uses SDRegister.exe on Windows to register the software packages. Please review the ReadMe.doc file that is included with each USD package for CA License for the instructions on registering, delivering, and installing CA License using USD. If not already downloaded, you will also need to download the license package at the license patch download link below before installing via USD.
http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp

Can this vulnerability be detected using Unicenter Asset Management (UAM/AMO)?

Yes. The latest AMO definitions can be used to detect this vulnerability.

See UAM Tech Document ID: TEC358383 for download notice.

We have servers running outside of our company firewall. What ports are affected by this vulnerability?

For servers outside the firewall we strongly recommend closing ports 10202, 10203 and 10204.

Does this affect my mainframe products?

Only if running Linux on Mainframe (s/390). CA's mainframe products (except for Linux) use a completely different licensing scheme. The only mainframe platform affected is Linux s/390.

Does this vulnerability issue affect products running on OpenVMS?

This security issue does not affect any OpenVMS systems.

We are running Sun-Solaris 64 bit. Will the license patch work with this version?

Yes.

I tried strings licrmt | grep BUILD but it gives no output. What does this mean?

If lic98rmt.exe (windows) or licrmt (unix/linux/apple) is dated March 2003 or earlier then the system is NOT vulnerable. If lic98rmt.exe (windows) or licrmt (unix/linux) is dated January 2005 or newer (later) then the system is also NOT vulnerable. If you do not see any of these files then the system is also NOT vulnerable. If lic98rmt.exe (windows) or licrmt (unix/linux) is in the date range of April 2003 through December 2004 then the system is vulnerable.

The default installation directories are:
Windows: C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC
Unix/Linux/Mac: /opt/CA/ca_lic or /opt/CA/SharedComponents/ca_lic

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

What are these lic98rmt & lic98version exe files? What do they do?

Lic98rmt.exe is the CA License Client and it runs as a Windows service. Its purpose is to track product usage and CA product license information throughout a network. The lic98version.exe file is a simple executable whose purpose is to indicate the version of the CA license package installed on a system. Double-click on this file to generate a lic98version.log file which lists the version of each individual file that is part of CA licensing.

At what condition does the buffer overflow happen? What do we see in the Windows event log when this buffer overflow happens? Please give me details.

There will be no indication in the Event Log that a buffer overflow has occurred. The only likely sign is that the lic98rmt.exe process will crash. Once the patch is installed this will no longer be a concern.

The email we received says 'Buffer overflow conditions can potentially allow arbitrary code to be executed remotely with local SYSTEM privileges'. Please give me details (or an example) on how this happens.

A remote or local attacker may be able to send specifically formatted data to the ports on which the CA License Client is listening and cause the process's execution stack to overflow. This overflow may cause the process which is running with system privileges to execute instructions at another place in memory. It is these instructions which are executed that may compromise a system.

The email also mentioned 'multiple vulnerability issues' - please elaborate.

This simply refers to the fact that there are multiple ways to cause a buffer overrun exploit. All known exploits have been patched with the latest version of the package.

When trying to obtain the version of lic98rmt.exe by right-clicking on the file, choosing Properties, and then selecting the version tab there isn't one. What could be the problem?

Older versions of lic98rmt.exe do not have version information built into them so they do not have a version tab. These older versions of the file are, however, not vulnerable.

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

The version information is not present in lic98rmt.exe so how do I know what version I have?

This is the case with very old versions of lic98rmt.exe. These versions are not vulnerable.

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

Is there another way to determine vulnerability?

If lic98rmt.exe (windows) or licrmt (unix/linux/apple) is dated March 2003 or earlier then the system is NOT vulnerable. If lic98rmt.exe (windows) or licrmt (unix/linux) is dated January 2005 or newer (later) then the system is also NOT vulnerable. If you do not see any of these files then the system is also NOT vulnerable. If lic98rmt.exe (windows) or licrmt (unix/linux) is in the date range of April 2003 through December 2004 then the system is vulnerable.

The default installation directories are:
Windows: C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC
Unix/Linux/Mac: /opt/CA/ca_lic or /opt/CA/SharedComponents/ca_lic

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.
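
The date rule above (the same rule is given under the NSM agents and "strings licrmt" questions), as an added Python example that is not CA's code: it looks in the default directories for lic98rmt.exe or licrmt and classifies each file by date. It assumes "dated" means the last-modified timestamp; the function names are illustrative.

```python
import os
from datetime import datetime

# Default install directories listed in this FAQ.
DEFAULT_DIRS = [
    r"C:\CA_LIC",
    r"C:\Program Files\CA\SharedComponents\CA_LIC",
    "/opt/CA/ca_lic",
    "/opt/CA/SharedComponents/ca_lic",
]
# Only these exact names count; a copy left as licrmt.org is not matched.
CLIENT_NAMES = ("lic98rmt.exe", "licrmt")

# Vulnerable window from the FAQ: April 2003 through December 2004.
WINDOW_START = datetime(2003, 4, 1)
WINDOW_END = datetime(2005, 1, 1)  # exclusive upper bound


def classify_date(file_date):
    """Apply the FAQ's date rule to one file date."""
    if file_date < WINDOW_START:
        return "not vulnerable (March 2003 or earlier)"
    if file_date >= WINDOW_END:
        return "not vulnerable (January 2005 or newer)"
    return "VULNERABLE (April 2003 through December 2004)"


def triage(dirs=DEFAULT_DIRS):
    """Return [(path, file_date, verdict)] for every client binary found."""
    findings = []
    for d in dirs:
        for name in CLIENT_NAMES:
            path = os.path.join(d, name)
            if os.path.isfile(path):
                # Assumption: "dated" is the mtime, which a copy or restore
                # can change, so confirm borderline hosts by version.
                when = datetime.fromtimestamp(os.path.getmtime(path))
                findings.append((path, when, classify_date(when)))
    return findings


def host_verdict(findings):
    """Per the FAQ, a host with none of these files is also not vulnerable."""
    if not findings:
        return "not vulnerable (no lic98rmt.exe / licrmt found)"
    if any(v.startswith("VULNERABLE") for _, _, v in findings):
        return "VULNERABLE"
    return "not vulnerable"


if __name__ == "__main__":
    results = triage()
    for path, when, verdict in results:
        print(f"{path}  {when:%Y-%m-%d}  {verdict}")
    print("host:", host_verdict(results))
```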

I am attempting to determine what version of the CA Licensing Package that I am running based on the information provided at the following URL:
http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp.

On Windows I do not have the lic98version.exe or the lic98rmt.exe in either the C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC directories.

On UNIX the command "strings licrmt | grep BUILD" run from /opt/CA/ca_lic or /opt/CA/SharedComponents/ca_lic does not return any version information.

How do I determine the version of the CA Licensing Package that I am running?


On Windows, lic98version.exe gives information on multiple files and their individual versions. The instructions for checking the lic98rmt.exe file only give you the version for that specific file. To determine the full/generic CA Licensing Package version, do the following:
Right-click on lic98.dll and then click on the Version tab. The file version is listed towards the top of the Version tab and has a "0." in front of it. For example, for a file version of 0.1.57.1, the CA Licensing Package version is v1.57.1.

The lic98.dll file will exist in either the C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC directory.

On UNIX if no version information is returned then the CA Licensing Package is older than v1.53 and therefore does not have this version information contained in the binary.

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

Does the New Licensing update that addresses the problem of CA License vulnerability require a reboot of the OS?

No.

Is there a program available that I could use to check if a server is vulnerable?

Yes, the programs CalicVulnUtil.exe and CalicVulnUtil can be used to check if a server (Windows, Unix, Linux) is vulnerable.
CalicVulnUtil.exe and CalicVulnUtil can be downloaded from the FTP link below.
ftp://ftp.ca.com/pub/License98/LicenseIT/lic98_v161/CalicVulnUtil/

There are no arguments required for CalicVulnUtil(exe) as displayed in the USAGE info below. The return codes are also displayed and returned to the caller. The program output can be redirected to a file if a log file is needed by issuing "CalicVulnUtil > output.log".

Display usage with /?

C:\>CalicVulnUtil /?

CALIC vulnerability detection – Date xx 200x

[-] CalicVulnUtil (exe): used to determine if a system has a vulnerable CA License 
  package installed.

[-] USAGE:
  CalicVulnUtil (exe) requires no arguments

[-] RETURN VALUES:
  0 - system has been patched and is not vulnerable
  1 - system is vulnerable and should be patched
  2 - system is not vulnerable but it should be upgraded
  3 - system does not have CA licensing installed
  other - refer to Windows system error values

Sample Outputs
C:\>CalicVulnUtil
CALIC vulnerability detection - Mar  9 2005

[-] License registry key found
[-] InstallPathNew found: C:\CA_LIC\
[-] C:\CA_LIC\\lic98rmt.exe is v0.1.4.7
[+] COMPLETE: RC=0 - system has been patched and is not vulnerable

C:\>calicvulnutil
CALIC vulnerability detection - Mar  9 2005

[-] License registry key found
[-] InstallPathNew found: C:\CA_LIC\
[-] C:\CA_LIC\\lic98rmt.exe is v0.1.0.15
[+] COMPLETE: RC=1 - system is vulnerable and must be upgraded to v1.61.9
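
For a large environment, the redirected output.log files can be collected and summarized per host. The following Python is an added example, not part of CA's utility: it parses the output format shown in the samples above, and the host names and the truncated third log are constructed.

```python
import re

# Return codes as listed in the utility's own usage text.
RC_MEANING = {
    0: "patched, not vulnerable",
    1: "vulnerable, patch required",
    2: "not vulnerable, upgrade recommended",
    3: "CA licensing not installed",
}
COMPLETE_RE = re.compile(r"^\[\+\] COMPLETE: RC=(\d+)\b", re.M)
VERSION_RE = re.compile(r"^\[-\] (.+) is v([\d.]+)\s*$", re.M)

# Constructed sample: host names are invented; the first two logs repeat the
# page's sample outputs, the third is a truncated log with no COMPLETE line.
SAMPLE_LOGS = {
    "host-a": r"""CALIC vulnerability detection - Mar  9 2005

[-] License registry key found
[-] InstallPathNew found: C:\CA_LIC\
[-] C:\CA_LIC\\lic98rmt.exe is v0.1.4.7
[+] COMPLETE: RC=0 - system has been patched and is not vulnerable
""",
    "host-b": r"""CALIC vulnerability detection - Mar  9 2005

[-] License registry key found
[-] InstallPathNew found: C:\CA_LIC\
[-] C:\CA_LIC\\lic98rmt.exe is v0.1.0.15
[+] COMPLETE: RC=1 - system is vulnerable and must be upgraded to v1.61.9
""",
    "host-c": r"""CALIC vulnerability detection - Mar  9 2005

[-] License registry key found
""",
}


def parse_log(text):
    """Extract the return code and client file version from one output.log."""
    done = COMPLETE_RE.search(text)
    ver = VERSION_RE.search(text)
    rc = int(done.group(1)) if done else None
    if rc is None:
        status = "incomplete log, re-run the utility"
    else:
        status = RC_MEANING.get(rc, "other: refer to Windows system error values")
    return {"rc": rc, "status": status,
            "client_file": ver.group(1) if ver else None,
            "client_version": ver.group(2) if ver else None}


def summarize(logs):
    """Bucket hosts by what the operator has to do next."""
    buckets = {"patch": [], "upgrade": [], "ok": [], "recheck": []}
    for host, text in sorted(logs.items()):
        rc = parse_log(text)["rc"]
        key = {0: "ok", 3: "ok", 1: "patch", 2: "upgrade"}.get(rc, "recheck")
        buckets[key].append(host)
    return buckets
```

Hosts in the "recheck" bucket produced no COMPLETE line or an unlisted return code, so their status is unknown rather than clean.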

Why are the versions of lic98rmt.exe and lic98version.exe different?

The version of lic98version.exe is the version of the license package as a whole. This file's version always increments as license packages are released. The version of lic98rmt.exe is just the version of the CA License Client Service, which is the vulnerable file in this case. For example, if lic98version.exe is version 1.61.2 and lic98rmt.exe is version 1.3.1, then you have CA Licensing package 1.61.2 and CA License Client 1.3.1. lic98version.exe exists in CA Licensing packages 1.57.0 and later. Because it is not present in previous versions, you must sometimes refer to the version of lic98rmt.exe to determine vulnerability status.

This also applies to Unix and Linux where licrmt and lic98version are the files in question. Note that lic98version exists in CA Licensing 1.55.0 and later on Unix and Linux.

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

Is there a Unicenter NSM Master Image update for the CA License Vulnerability patch?

Yes. The following Unicenter NSM master image update patches are available for download via SupportConnect.

NSM 3.1 QO65153 Windows
NSM 3.0 0211 QO65155 Windows
CCS 3.0 0307 QO65154 Windows

Note: Unix/Linux NSM 3.1 master image updates are available upon request and will be published soon.

We have instances of this lic98rmt.exe module showing up in the DTS\temp folder and under Windows or Winnt folders... the size of these modules is only 72KB as opposed to the 142KB for the module in the CA_LIC folder... are they the same?

The 72KB ones are very old and do not contain the vulnerability.

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

We have Software delivery 4.0 SP1, AMO 4.0 SP1, and RCO 6.0 SP1 installed on about 10,500 client machines, but they do not have the lic98rmt.exe module installed in the folders indicated in the vulnerability bulletin. Do they have to be patched too?

Probably not. However, it would be a good idea to ensure that there is nothing listening on port 10203 or 10204 and that the CA License Client Service is not started.

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

By default, eAC installs that file as licrmt.org. That means the licensing client never runs unless it is renamed to licrmt. So default installations are not vulnerable? Please confirm.

Some products installed the license client under a different name to avoid another process starting without user knowledge. Unless the file is renamed to licrmt the file is not vulnerable.

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

How will this process be started (Licrmt)? Is there any start up script and what is its name? If not, please explain, how it is started.

When a license check is done by the CA product, the licrmt process gets started. If there is no licrmt file present then nothing gets started.

Are there any scanning tools available to review my environment for machines affected by this vulnerability?

CA has provided utilities to analyze available machines and has provided AMO definitions to reduce the effort required to detect any affected systems. Additionally, CA is aware that some third party vendors are providing scanning utilities that allow companies to detect affected systems. While CA cannot endorse third party products, for your convenience, we are listing links for those vendors that have made us aware of available scanning tools:

http://www.eeye.com/html/spo/20050309.html
http://www.iss.net/download/
http://www.nessus.org/plugins/index.php?view=single&id=17307

Note: You can use the Utility for Checking Vulnerability to check if server is vulnerable.

For clients running NT 4.0, Lic98rmt.exe CA License Client service generates the following Application error after upgrade to CA License package v1.61.9.

"The procedure entry point ChangeServiceConfig2A could not be located in the dynamic link library ADVAPI32.dll"

This error is limited to Windows NT 4.0 environments only and does not impact normal product or system operation. The error occurs since Windows NT 4.0 service configuration does not support a description entry field. The problem has been corrected in CA License package v1.61.11 which is located at the ftp location below.

To remediate these systems, please download the licensing update from the following link:

ftp://ftp.ca.com/pub/License98/LicenseIT/lic98_v161/v1_61_11

Please note, further product updates will not be available for the NT 4.0 environment. This platform is no longer supported by the OS vendor. For greatest operational stability and for continued support, clients are urged to update to a supported environment.

I run silent.exe on a Windows 2000 SP4 or Windows Server 2003 machine. The CA Licensing package does not get installed. In other words, the CA_LIC directory does not have a lic98version.exe file or it has a lower version of lic98version.exe than what I installed. Why does this happen?

This can occur if the "Impersonate a client after authentication" user right does not include the Administrators group. To check that the user right has the Administrators group, do the following:

  1. Browse to Start -> Control Panel -> Administrative Tools -> Local Security Policy.
  2. Click on User Rights Assignment.
  3. Add the Administrators group to the "Impersonate a client after authentication" user right.
  4. Log off and log back on.
  5. Run the CA Licensing install with silent.exe.

Sometimes the CA License vulnerability patch deployment from Unicenter Software Delivery (USD) is not successful although USD reports the job as completed. The problem may occur when there is an active logged-in user on the target machine who does not have administrator privileges. Patch deployments which depend only on the return code from silent.exe may also be affected. Please see PIB QI71912.

The problem resides with InstallShield 8 packaged within CA License 1.61.X. It is addressed in the future CA License version 1.62.X which invokes InstallShield 10.

To work around this problem, users can log off the non-admin users as part of the USD job before the CA Licensing deployment.

It has been our recommendation that users verify the CA license vulnerability before and after the deployment of the patch to ensure that the patch was installed successfully.

Vulnerability can be verified as documented in the initial license vulnerability notice:
http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp.

Licensing vulnerability utility CalicVulnUtil.exe for Windows can also be used to check if the server is still vulnerable as documented in security_notice page on supportconnect.ca.com (http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp).

or

Go to the license directory, right click on lic98version.exe, choose Properties, and then select the Version tab. The user can also run lic98version.exe to get the version info as documented in the initial security notice which states that the license vulnerability is addressed in release v1.61.9 and higher. The default License install directories are:
C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC
