Exploit code targets critical CA flaws

Anyone who ever evaluated CA software is potentially at risk. The good news is patches are available and a free scanner is out now to identify systems vulnerable to attack.

If you haven't applied patches Computer Associates released last week for security holes in its License Client/Server applications, here's a reason you might want to move it higher on your to-do list:

Exploit code is in the wild and attackers could use it to target those holes, according to Aliso Viejo, Calif.-based eEye Digital Security Inc. The firm has offered up a free scanner to check for systems vulnerable to this threat.

Since last week's patch release, eEye said in a statement, "verified exploit code has been discovered, providing a point of entry for any worm and/or virus designed to take advantage of CA's vulnerabilities. More importantly, it has become clear that anyone that has ever evaluated CA software could potentially be at risk. Even if the program was removed manually, the License Manager code that includes the vulnerabilities could potentially still be on the machine, thus enabling an attacker to take control of the system remotely."

Firas Raouf, eEye's chief operating officer, said in the statement that the exploit code illustrates the need to patch quickly.

"This is another example of how the window of opportunity for remediating unpatched machines continues to shrink -- often to a few hours or less," he said. "The CA flaws are particularly tricky, as even those that diligently removed any CA products they may have evaluated are still at risk."

Raouf predicted exploits targeting vulnerabilities within cross-platform enterprise software such as CA's will keep increasing as attackers root for new ways to disrupt business.

Related Information

CA patches multiple high-severity flaws

How secure are you? A bias-free security testing methodology can help your organization move beyond general best-security practices.  

The Bethesda, Md.-based SANS Internet Storm Center (ISC) said on its Web site Wednesday that a "significant" traffic spike on TCP ports 10202 and 10203 is probably related to the exploit code's release.

New York-based Computer Associates Inc. last week released patches for a number of serious buffer overflows discovered in its License Client/Server applications, which provide a method for CA products to register their licenses on the network and are distributed with almost all CA software distributions, according to Reston, Va.-based iDefense.

The CA License Server does not run by default, though the CA License Client does. eEye rated the flaws as severe. "The licensing protocol is text-based, and all of the vulnerabilities arise due to incorrect handling of the incoming text strings," according to the company's advisory. "Successful exploitation of these vulnerabilities will allow a remote attacker to reliably execute code within the SYSTEM context."

"Buffer overflow conditions can potentially allow arbitrary code to be executed remotely with local SYSTEM privileges," said the Computer Associates advisory. "This affects versions of the CA License software version 1.53 through version 1.61.8 on the specified platforms. Customers with these vulnerable versions should upgrade to CA License 1.61.9 or higher. CA License patches that address these issues can be downloaded."

Read more on Hackers and cybercrime prevention