The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of CA Antivirus

vulnerability bulletin CVE-2010-5151 CVE-2010-5152 CVE-2010-5154

Antivirus: bypassing SSDT Hooking

Synthesis of the vulnerability

When an antivirus redirects the SSDT to detect viruses, a local attacker can use an atomicity error, in order to bypass this protection.
Impacted products: Avast AV, CA Antivirus, F-Secure AV, AVG AntiVirus, Kaspersky AV, VirusScan, Norton Antivirus, Norton Internet Security, Panda AV, Panda Internet Security, Symantec AV.
Severity: 2/4.
Consequences: administrator access/rights, data flow.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 13.
Creation date: 10/05/2010.
Revision date: 11/05/2010.
Identifiers: CVE-2010-5151, CVE-2010-5152, CVE-2010-5154, CVE-2010-5156, CVE-2010-5161, CVE-2010-5163, CVE-2010-5166, CVE-2010-5167, CVE-2010-5168, CVE-2010-5171, CVE-2010-5172, CVE-2010-5177, CVE-2010-5179, VIGILANCE-VUL-9633.

Description of the vulnerability

The SSDT (System Service Descriptor Table) contains the addresses of the kernel's system call handlers:
 - NtCreateKey : create a key in the registry
 - NtCreateThread : create a thread
 - NtDeleteFile : delete a file
 - etc.

Antivirus products redirect entries of this table to their own verification functions. Several implementations check the parameters, and then call the original system call. However, the parameters sit in memory the caller controls, so between these two operations a local attacker can change them (a time-of-check to time-of-use race). An attacker can therefore create a program that passes legitimate parameters, and then changes them just before the system call is actually executed.

When an antivirus redirects the SSDT to detect viruses, a local attacker can therefore use an atomicity error, in order to bypass this protection.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2009-3587 CVE-2009-3588

CA Anti-Virus: code execution via arclib

Synthesis of the vulnerability

An attacker can create a malformed RAR archive which corrupts memory, in order to stop the Anti-Virus or to execute code.
Impacted products: CA Antivirus, e-Trust Antivirus.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/10/2009.
Identifiers: BID-36653, CA20091008-01, CERTA-2009-AVI-431, CVE-2009-3587, CVE-2009-3588, G-SEC 46-2009, VIGILANCE-VUL-9080.

Description of the vulnerability

The arclib.dll/arclib.so library extracts files contained in an archive. It is impacted by two vulnerabilities.

A malformed RAR archive generates a heap corruption in arclib. [severity:3/4; CERTA-2009-AVI-431, CVE-2009-3587]

A malformed RAR archive generates a stack corruption in arclib. [severity:3/4; CVE-2009-3588]

An attacker can therefore create a malformed RAR archive which corrupts memory, in order to stop the Anti-Virus or to execute code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2009-0042

CA Anti-Virus: bypassing arclib

Synthesis of the vulnerability

An attacker can create a malformed archive containing a virus which is not detected by the antivirus.
Impacted products: CA Antivirus, e-Trust Antivirus.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Creation date: 27/01/2009.
Identifiers: BID-33464, CA20090126-01, CERTA-2009-AVI-033, CVE-2009-0042, VIGILANCE-VUL-8426.

Description of the vulnerability

The arclib.dll/arclib.so library extracts files contained in an archive.

When the archive is malformed, arclib fails to extract files, and the antivirus concludes that this archive does not contain a virus.

An attacker can therefore create a malformed archive containing a virus which is not detected by the antivirus.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2007-4620

CA Alert Notification Server: code execution

Synthesis of the vulnerability

An authenticated attacker can exploit buffer overflows in the CA Alert Notification Server service in order to elevate his privileges.
Impacted products: CA Antivirus, e-Trust Antivirus.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: user account.
Creation date: 04/04/2008.
Identifiers: BID-28605, CERTA-2008-AVI-184, CVE-2007-4620, VIGILANCE-VUL-7734.

Description of the vulnerability

The CA Alert Notification Server service is installed by several Computer Associates (CA) products.

This service does not check the parameters provided by clients, which leads to buffer overflows.

An authenticated attacker can exploit these overflows in order to elevate his privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2007-3875

Computer Associates AV: denial of service via CHM

Synthesis of the vulnerability

An attacker can create a malicious CHM file generating an infinite loop in the antivirus.
Impacted products: CA Antivirus, e-Trust Antivirus.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 25/07/2007.
Identifiers: BID-25049, CAID 35525, CAID 35526, CVE-2007-3875, n.runs-SA-2007.024, VIGILANCE-VUL-7036.

Description of the vulnerability

Files with CHM extension are compiled help files for Windows.

When Computer Associates antivirus analyzes a CHM file containing a reference pointing back to a previous data chunk, an infinite loop occurs.

An attacker can therefore create a malicious CHM file in order to generate a denial of service in the antivirus.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2007-3825

CA AV eTrust: buffer overflows of Alert service

Synthesis of the vulnerability

Several buffer overflows affect Computer Associates products using the Alert service.
Impacted products: CA Antivirus, e-Trust Antivirus.
Severity: 3/4.
Consequences: administrator access/rights.
Provenance: intranet client.
Creation date: 20/07/2007.
Identifiers: CAID 35515, CERTA-2007-AVI-315, CVE-2007-3825, VIGILANCE-VUL-7024.

Description of the vulnerability

The Alert service is used by several Computer Associates products:
 - CA Threat Manager for the Enterprise
 - CA Anti-Virus for the Enterprise
 - CA Protection Suites
 - BrightStor ARCserve

This service installs the 3d742890-397c-11cf-9bf1-00805f88cb72 RPC interface. It can be reached via SMB/CIFS and contains several buffer overflows.

A network attacker can therefore connect to this computer and use these vulnerabilities in order to obtain system privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2007-2863 CVE-2007-2864

CA Anti-Virus, eTrust: buffer overflows of CAB

Synthesis of the vulnerability

An attacker can create a malicious CAB archive in order to generate two overflows in Computer Associates antiviruses.
Impacted products: CA Antivirus, e-Trust Antivirus.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 06/06/2007.
Identifiers: BID-24330, BID-24331, CERTA-2007-AVI-252, CVE-2007-2863, CVE-2007-2864, VIGILANCE-VUL-6885, VU#105105, VU#739409, ZDI-07-034, ZDI-07-035.

Description of the vulnerability

An attacker can create a malicious CAB archive in order to generate two overflows in Computer Associates antiviruses.

When a CAB archive contains a file with a long name, an overflow occurs in vete.dll. [severity:3/4; BID-24331, CERTA-2007-AVI-252, CVE-2007-2863, VU#739409, ZDI-07-034]

When the "coffFiles" field of a CAB archive contains a file with a long name, an overflow occurs. [severity:3/4; BID-24330, CVE-2007-2864, VU#105105, ZDI-07-035]

Both overflows can lead to code execution.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2007-2522 CVE-2007-2523

CA Anti-Virus: several buffer overflows

Synthesis of the vulnerability

A local or remote attacker can exploit several buffer overflows in antivirus products of Computer Associates.
Impacted products: CA Antivirus, e-Trust Antivirus.
Severity: 3/4.
Consequences: administrator access/rights, user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/05/2007.
Identifiers: BID-23906, CAID 35330, CAID 35331, CERTA-2007-AVI-217, CVE-2007-2522, CVE-2007-2523, VIGILANCE-VUL-6812, VU#680616, VU#788416, ZDI-07-028.

Description of the vulnerability

An attacker can exploit two buffer overflows in antivirus products of Computer Associates.

The InoWeb.exe web server listens on port 12168/tcp. Users have to authenticate before accessing the service. However, the login and password are copied into a fixed-size array without a length check, which leads to an overflow. A remote attacker can therefore execute code. [severity:3/4; CERTA-2007-AVI-217, CVE-2007-2522, VU#680616, ZDI-07-028]

The task service InoTask.exe, linked to InoCore.dll, uses a shared file which can be edited by every local user. A local attacker can therefore write a long value into it in order to generate an overflow, and thus execute code with SYSTEM privileges. [severity:3/4; CVE-2007-2523, VU#788416]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2006-6496

CA Anti-Virus: denial of service of vetfddnt.sys and vetmonnt.sys

Synthesis of the vulnerability

A local attacker can send malicious data to the vetfddnt.sys and vetmonnt.sys drivers in order to stop the antivirus.
Impacted products: CA Antivirus, e-Trust Antivirus.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 14/12/2006.
Identifiers: BID-21593, CAID 34870, CVE-2006-6496, VIGILANCE-VUL-6402.

Description of the vulnerability

The vetfddnt.sys and vetmonnt.sys drivers are used by CA Anti-Virus.

Some of their functions, reachable via ioctl, do not check whether parameters are NULL before dereferencing them.

A local attacker can thus pass a NULL parameter in order to stop the system.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2006-5645 CVE-2006-6458

Antivirus: infinite loop via a RAR archive

Synthesis of the vulnerability

An attacker can create a malicious RAR archive in order to generate an infinite loop in some antivirus products.
Impacted products: CA Antivirus, e-Trust Antivirus, Sophos AV, TrendMicro Internet Security.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 11/12/2006.
Identifiers: 7609, BID-21509, CAID 35525, CAID 35526, CVE-2006-5645, CVE-2006-6458, CVE-2007-5645-ERROR, iDefense Security Advisory 12.08.06, VIGILANCE-VUL-6384.

Description of the vulnerability

The RAR format is composed of successive headers and data sections.

The "Archive Header" section is the main header of the file. The "head_size" field indicates the size of this header and the "pack_size" field indicates the compressed size.

When the "head_size" and "pack_size" fields are both set to zero, the archive is invalid. However, some antivirus products enter an infinite loop trying to read data, because the parser never advances past the zero-length block.
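The zero-size header case described above, as an added example that is not code from the bulletin or from any vendor's scanner: a simplified RAR block walker in Python. It assumes the RAR 2.x/3.x block layout (2-byte CRC, 1-byte type, 2-byte flags, 2-byte head_size, then a 4-byte packed size when the LONG_BLOCK flag 0x8000 is set) and constructs its own sample archives inline; the naive walker stalls on a block whose sizes are zero, the hardened one enforces forward progress and rejects it.

```python
import struct

# Assumed simplified RAR 2.x/3.x block layout (not taken from the bulletin); for file blocks
# (type 0x74) ADD_SIZE is the packed data size: CRC(2)|TYPE(1)|FLAGS(2)|HEAD_SIZE(2)|[ADD_SIZE(4) if flags & 0x8000]
MARKER = b"Rar!\x1a\x07\x00"   # marker block that opens every RAR 2.x/3.x file
LONG_BLOCK = 0x8000
MIN_HEAD_SIZE = 7              # fixed part of every block header

def block_size(data, off):
    """Total bytes (header + packed data) of the block at `off`; None if truncated."""
    if off + MIN_HEAD_SIZE > len(data):
        return None
    _crc, _btype, flags, head_size = struct.unpack_from("<HBHH", data, off)
    add_size = 0
    if flags & LONG_BLOCK:
        if off + MIN_HEAD_SIZE + 4 > len(data):
            return None
        add_size = struct.unpack_from("<I", data, off + MIN_HEAD_SIZE)[0]
    return head_size + add_size

def walk_blocks_naive(data, max_iters=10_000):
    """The bulletin's flaw: sizes are trusted, so a block with head_size == pack_size == 0
    never advances `off`. max_iters only makes the demo terminate (None = would spin forever)."""
    off, count = len(MARKER), 0
    while off < len(data) and (size := block_size(data, off)) is not None:
        off, count = off + size, count + 1
        if count >= max_iters:
            return None
    return count

def walk_blocks(data):
    """Hardened walker: each block must span at least one fixed header and end inside
    the buffer, so `off` strictly increases and the loop is bounded by len(data)."""
    if not data.startswith(MARKER):
        raise ValueError("not a RAR archive")
    off, blocks = len(MARKER), []
    while off < len(data):
        size = block_size(data, off)
        head_size = struct.unpack_from("<H", data, off + 5)[0] if size is not None else 0
        if size is None or head_size < MIN_HEAD_SIZE or off + size > len(data):
            raise ValueError(f"invalid block at offset {off}: head_size={head_size} total={size}")
        blocks.append((data[off + 2], size))   # (HEAD_TYPE, bytes consumed)
        off += size                            # size >= MIN_HEAD_SIZE: guaranteed progress
    return blocks

# Constructed sample archives (no real payload): a well-formed one and the zero-size case.
def _main_head():                              # MAIN_HEAD (0x73), 13 bytes, no packed data
    return struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\0" * 6
def _file_head(payload):                       # FILE_HEAD (0x74) with pack_size = len(payload)
    return struct.pack("<HBHHI", 0, 0x74, LONG_BLOCK, 11, len(payload)) + payload
GOOD_RAR = MARKER + _main_head() + _file_head(b"compressed-bytes")
ZERO_SIZE_RAR = MARKER + struct.pack("<HBHHI", 0, 0x73, LONG_BLOCK, 0, 0)  # head_size = pack_size = 0
```

The same progress check (every block consumes at least its fixed header and stays within the buffer) applies to any chained-header format a scanner unpacks, not only RAR.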

Antivirus products identified as vulnerable are:
 - CA Anti-Virus
 - Sophos Small business edition (Windows/Linux) 4.06.1 (engine version 2.34.3)
 - Trend Micro Office Scan 7.3
 - Trend Micro PC Cillin - Internet Security 2006
 - Trend Micro Server Protect 5.58
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.