9.3 - VU#105105

Executive Summary

Summary
Title	Computer Associates Anti-Virus engine fails to properly handle malformed CAB archives

Informations
Name	VU#105105	First vendor Publication	2007-06-06
Vendor	VU-CERT	Last vendor Modification	2007-06-06
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#105105

Computer Associates Anti-Virus engine fails to properly handle malformed CAB archives

Overview

The Computer Associates Anti-Virus engine contains a stack-based buffer overflow that may allow a remote, unauthenticated attacker to execute arbitrary code.

I. Description

The Computer Associates Anti-Virus engine contains a stack-based buffer overflow in the code responsible for processing CAB archives. Specifically, the Computer Associates Anti-Virus engine fails to properly validate the size of the coffFiles field in CAB archives before it is copied to a stack buffer. This may allow a stack-based buffer overflow to occur.

This vulnerability affects numerous Computer Associates products, including:

CA Anti-Virus
eTrust EZ Antivirus
CA Internet Security Suite 2007
eTrust Internet Security Suite
eTrust EZ Armor
CA Threat Manager
CA Protection Suites
CA Secure Content Manager
CA Anti-Virus Gateway
Unicenter Network and Systems Management
BrightStor ARCserve Backup
CA Common Services
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

More information is available in the Computer Associates Security Notice issued June 5th, 2007.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition..

III. Solution

Apply an Update

According to the Computer Associates Security Notice issued June 5th, 2007:

CA has issued content update 30.6 to address the vulnerabilities. The updated engine is provided with content updates. Ensure the latest content update is installed if the signature version is less than version 30.6.

Systems Affected

Vendor	Status	Date Updated
Computer Associates	Vulnerable	6-Jun-2007

References

http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp
http://www.zerodayinitiative.com/advisories/ZDI-07-035.html
http://secunia.com/advisories/25570/

Credit

This vulnerability was reported by in Tipping Point advisory ZDI-07-035.

This document was written by Jeff Gennari.

Other Information

Date Public	06/05/2007
Date First Published	06/06/2007 01:45:26 PM
Date Last Updated	06/06/2007
CERT Advisory
CVE Name	CVE-2007-2864
Metric	15.19
Document Revision	12

Original Source

Url : http://www.kb.cert.org/vuls/id/105105

CPE : Common Platform Enumeration

Type	Description	Count
Application	Broadcom Anti-Virus For The Enterprise cpe:2.3:a:broadcom:anti-virus_for_the_enterprise:8:::::::*	1
Application	Broadcom Brightstor Arcserve Backup cpe:2.3:a:broadcom:brightstor_arcserve_backup:11.5:::::::* cpe:2.3:a:broadcom:brightstor_arcserve_backup:11.1:::::::* cpe:2.3:a:broadcom:brightstor_arcserve_backup:11:::::::* cpe:2.3:a:broadcom:brightstor_arcserve_backup:10.5:::::::* cpe:2.3:a:broadcom:brightstor_arcserve_backup:9.01:::::::*	5
Application	Broadcom Common Services cpe:2.3:a:broadcom:common_services:3.0:::::::* cpe:2.3:a:broadcom:common_services:2.2:::::::* cpe:2.3:a:broadcom:common_services:2.1:::::::* cpe:2.3:a:broadcom:common_services:2.0:::::::* cpe:2.3:a:broadcom:common_services:1.1:::::::* cpe:2.3:a:broadcom:common_services:1.0:::::::*	6
Application	Broadcom Etrust Antivirus cpe:2.3:a:broadcom:etrust_antivirus:8.1:::::::* cpe:2.3:a:broadcom:etrust_antivirus:8.0:::::::*	2
Application	Broadcom Etrust Antivirus Gateway cpe:2.3:a:broadcom:etrust_antivirus_gateway:7.1:::::::*	1
Application	Broadcom Etrust Antivirus Sdk cpe:2.3:a:broadcom:etrust_antivirus_sdk::::::::	1
Application	Broadcom Etrust Ez Antivirus cpe:2.3:a:broadcom:etrust_ez_antivirus:7.0:::::::* cpe:2.3:a:broadcom:etrust_ez_antivirus:6.1:::::::*	2
Application	Broadcom Etrust Ez Armor cpe:2.3:a:broadcom:etrust_ez_armor:3.1:::::::* cpe:2.3:a:broadcom:etrust_ez_armor:3.0:::::::* cpe:2.3:a:broadcom:etrust_ez_armor:2.0:::::::* cpe:2.3:a:broadcom:etrust_ez_armor:1.0:::::::*	4
Application	Broadcom Integrated Threat Management cpe:2.3:a:broadcom:integrated_threat_management:8.0:::::::*	1
Application	Broadcom Internet Security Suite cpe:2.3:a:broadcom:internet_security_suite:3.0:::::::* cpe:2.3:a:broadcom:internet_security_suite:2.0:::::::* cpe:2.3:a:broadcom:internet_security_suite:1.0:::::::*	3
Application	Broadcom Unicenter Network And Systems Management cpe:2.3:a:broadcom:unicenter_network_and_systems_management:11.1:::::::* cpe:2.3:a:broadcom:unicenter_network_and_systems_management:11:::::::* cpe:2.3:a:broadcom:unicenter_network_and_systems_management:3.1:::::::* cpe:2.3:a:broadcom:unicenter_network_and_systems_management:3.0:::::::*	4
Application	Ca Etrust Secure Content Manager cpe:2.3:a:ca:etrust_secure_content_manager:8.0:::::::*	1
Application	Ca Protection Suites cpe:2.3:a:ca:protection_suites:r3:::::::* cpe:2.3:a:ca:protection_suites:r2:::::::*	2

SAINT Exploits

Description	Link
CA Antivirus engine CAB handling buffer overflow	More info here

Open Source Vulnerability Database (OSVDB)

Id	Description
35245	CA Anti-Virus Engine CAB Header Parsing Overflow A buffer overflow exists in multiple CA products. The Anti-Virus engine fails to validate CAB files resulting in a stack overflow. With a specially crafted CAB file containing a malformed "coffFiles" field, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.
35244	CA Anti-Virus Engine CAB Archive Filename Parsing Overflow A buffer overflow exists in multiple CA products. The Anti-Virus engine fails to validate CAB archive files resulting in a stack overflow. With a specially crafted CAB containing a file with a long filename, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

Snort® IPS/IDS

Date	Description
2014-01-10	CA multiple product AV engine CAB header parsing stack overflow attempt RuleID : 16719 - Revision : 8 - Type : FILE-OTHER

Global Informations

Type	Count
CPE ID(s)	33
Saint Exploit(s)	1
osvdb(s)	2
Snort® Rule(s)	1

	Related
9.3	CVE-2007-2864
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)