[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    CA20110223-01: Security Notice for CA Host-Based Intrusion Prevention System
From:       "Williams, James K" <James.Williams () ca ! com>
Date:       2011-02-25 4:20:07
Message-ID: 649CDCB56C88AA458EFF2CBF494B62040B3682C7 () USILMS12 ! ca ! com
[Download RAW message or body]

CA20110223-01: Security Notice for CA Host-Based Intrusion Prevention 
System

Issued: February 23, 2011
Updated: February 24, 2011


CA Technologies support is alerting customers to a security risk 
associated with CA Host-Based Intrusion Prevention System (HIPS). A 
vulnerability exists that can allow a remote attacker to execute 
arbitrary code.  CA Technologies has issued patches to address the 
vulnerability.

The vulnerability, CVE-2011-1036, is due to insecure method 
implementation in the XMLSecDB ActiveX control that is utilized in CA 
HIPS components and products. A remote attacker can potentially execute 
arbitrary code if he can trick a user into visiting a malicious web 
page or opening a malicious file.


Risk Rating 
Medium


Platform 
Windows


Affected Products 
CA Host-Based Intrusion Prevention System (HIPS) r8.1
CA Internet Security Suite (ISS) 2010
CA Internet Security Suite (ISS) 2011


How to determine if the installation is affected 
HIPS Management Server is vulnerable if the version number is less than 
8.1.0.88.

HIPS client sources are vulnerable if the build number is less than 
1.6.450.

CA Internet Security Suite (ISS) 2010 is vulnerable if the ISS product 
version is equal to or less than 6.0.0.285 and the HIPS version is 
equal to or less than 1.6.384.

CA Internet Security Suite (ISS) 2011 is vulnerable if the ISS product 
version is equal to or less than 7.0.0.115 and the HIPS version is 
equal to or less than 1.6.418.

Older versions of HIPS and ISS, that are no longer supported, may also 
be vulnerable.


Solution

CA has issued the following patches to address the vulnerability.

CA Host-Based Intrusion Prevention System (HIPS) r8.1:
RO26950
Apply RO26950 and set the DWORD "ProtectParser" under 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmxCfg to "1". You 
do not need to restart the client.

CA Internet Security Suite (ISS) 2010:
Fix information will be published soon.

CA Internet Security Suite (ISS) 2011:
Fix information will be published soon.


References

CVE-2011-1036 - CA HIPS XMLSecDB ActiveX control insecure methods


Acknowledgement

Andrea Micalizzi aka rgod, via TippingPoint ZDI


Change History

Version 1.0: Initial Release
Version 1.5: Added ISS 2011 to list of affected products. Added 
instructions for determining if ISS is affected.


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilja22@ca.com

[prev in list] [next in list] [prev in thread] [next in thread]