Patch/Configuration Management, Vulnerability Management

Vulnerabilities hit products relying on CA anti-virus engine

CA has said that products relying on its anti-virus engine contain two vulnerabilities that could be exploited to cause a crash or execute arbitrary code. The company has issued updates to address the vulnerabilities, which are rated "high."

CA enterprise customers should deploy the "patch sooner than later," said Adam O'Donnell, director of emerging technologies for Cloudmark, a messaging security company. The flaws were reported by an anonymous researcher working with TippingPoint and the Zero Day Initiative.

One of the flaws, a boundary error in vete.dll when processing CAB archives, can be exploited to cause a stack-based buffer overflow via a specially crafted CAB archive containing excessively long filenames in the CAB file.

The second vulnerability, an input-validation error, is due to a stack-based buffer overflow occurring when the "coffFiles" field is processed in a CAB file.

O'Donnell said the vulnerabilities "are the kind of thing that can happen to any vendor — file parses and file system parses are notoriously difficult to write." He suspected that "something was overlooked" during development of the CA AV engine, and "those overlooked issues could manifest as an exploitable hole in the software.

"Software developers make assumptions regarding how data will come into the system," he added. "Sometimes, these assumptions do not hold up to all real-world situations. Data could enter the system in different size or from a different source [than expected]. When that happens, a clever individual can take advantage of the programming mistakes to gain control of the software.

"Safe programming techniques would prevent these kinds of issues," O'Donnell said. "But as we all know, it's sometimes difficult to get things right the first time around."

As a result, he urged enterprise IT professionals to "keep an eye on manufacturers' websites for any security patches and apply patches as soon as feasible."

CA said customers can determine if their installation is affected by finding the signature version from the affected product's GUI; products with versions less than 30.6 are affected. The flaws impact the following CA products:

  • CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8, r8.1
  • CA Anti-Virus 2007 (v8)
  • eTrust EZ Antivirus r7, r6.1
  • CA Internet Security Suite 2007 (v3)
  • eTrust Internet Security Suite r1, r2
  • eTrust EZ Armor r1, r2, r3.x
  • CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
  • CA Protection Suites r2, r3
  • CA Secure Content Manager (formerly eTrust Secure Content Manager) 8.0
  • CA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus Gateway) 7.1
  • Unicenter Network and Systems Management (NSM) r3.0
  • Unicenter Network and Systems Management (NSM) r3.1
  • Unicenter Network and Systems Management (NSM) r11
  • Unicenter Network and Systems Management (NSM) r11.1
  • BrightStor ARCserve Backup r11.5
  • BrightStor ARCserve Backup r11.1
  • BrightStor ARCserve Backup r11 for Windows
  • BrightStor Enterprise Backup r10.5
  • BrightStor ARCserve Backup v9.01
  • CA Common Services
  • CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

Get more IT security news. Click here for SC Magazine Blogs.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.