Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2009-3588 to a friend New vulnerability? New tool? Tell us	CVE-2009-3588 CA Anti-Virus Engine Heap Corruption and Malformed RAR File Vulnerabilities     Credit: The information has been provided by Thierry Zoller and James K Williams. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2009-3588 Details Check for CVE-2009-3588 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  *CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1  * CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8  * CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1  * CA Anti-Virus 2007 (v8)  * CA Anti-Virus 2008 CA Anti-Virus 2009  * CA Anti-Virus Plus 2009 eTrust EZ Antivirus r7.1  * CA Internet Security Suite 2007 (v3)  * CA Internet Security Suite 2008  * CA Internet Security Suite Plus 2008  * CA Internet Security Suite Plus 2009  * CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8  * CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) 8.1  * CA Threat Manager Total Defense  * CA Gateway Security r8.1  * CA Protection Suites r2  * CA Protection Suites r3  * CA Protection Suites r3.1  * CA Secure Content Manager (formerly eTrust Secure Content Manager) 1.1  * CA Secure Content Manager (formerly eTrust Secure Content Manager) 8.0  * CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r3.0  * CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r3.1  * CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r11  * CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r11.1  * CA ARCserve Backup r11.5 on Windows  * CA ARCserve Backup r12 on Windows  * CA ARCserve Backup r12.0 SP1 on Windows  * CA ARCserve Backup r12.0 SP 2 on Windows  * CA ARCserve Backup r12.5 on Windows  * CA ARCserve Backup r11.1 Linux  * CA ARCserve Backup r11.5 Linux  * CA ARCserve for Windows Client Agent  * CA ARCserve for Windows Server component  * CA eTrust Intrusion Detection 2.0 SP1  * CA eTrust Intrusion Detection 3.0  * CA eTrust Intrusion Detection 3.0 SP1  * CA Common Services (CCS) r3.1  * CA Common Services (CCS) r11  * CA Common Services (CCS) r11.1  * CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)  * CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1 Immune Systems:  * CA Anti-Virus engine with arclib version 8.1.4.0 The first vulnerability, CVE-2009-3587, is due to improper handling of a specially crafted RAR archive file by the CA Anti-Virus engine arclib component. An attacker can create a malformed RAR archive file that results in heap corruption and allows the attacker to cause a denial of service or possibly further compromise the system. The second vulnerability, CVE-2009-3588, is due to improper handling of a specially crafted RAR archive file by the CA Anti-Virus engine arclib component. An attacker can create a malformed RAR archive file that results in stack corruption and allows the attacker to cause a denial of service. How to determine if the installation is affected For products on Windows: 1. Using Windows Explorer, locate the file "arclib.dll". By default, the file is located in the "C:\Program Files\CA\SharedComponents\ScanEngine" directory (*). 2. Right click on the file and select Properties. 3. Select the Version tab. 4. If the file version is earlier than indicated below, the installation is vulnerable. File Name File Version arclib.dll 8.1.4.0 *For eTrust Intrusion Detection 2.0, the file is located in "Program Files\eTrust\Intrusion Detection\Common", and for eTrust Intrusion Detection 3.0 and 3.0 sp1, the file is located in "Program Files\CA\Intrusion Detection\Common". For CA Anti-Virus r8.1 on non-Windows platforms: Use the compver utility provided on the CD to determine the version of Arclib. If the version is less than 8.1.4.0, the installation is vulnerable. Patch Availability: CA released arclib 8.1.4.0 on August 12 2009. If your product is configured for automatic updates, you should already be protected, and you need to take no action. If your product is not configured for automatic updates, then you simply need to run the update utility included with your product. CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r3.0: apply fix # RO11964. CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r3.1: apply fix # RO11964. CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r11: apply fix # RO11964. CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r11.1: apply fix # RO11964. CA Common Services (CCS) r3.1: apply fix # RO11954. CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1 32bit: apply fix # RO10663. CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1 IA64: apply fix # RO10664. CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1 AMD64: apply fix # RO10665. CA Secure Content Manager (formerly eTrust Secure Content Manager) r1.1: apply fix # RO10999. CA Secure Content Manager (formerly eTrust Secure Content Manager) r8.0: apply fix # RO10999. CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1: apply fix # RO11000. CA Gateway Security r8.1: RO10999. CA ARCserve for Windows Server component installed on a 64 bit machine: apply fixes # RO10663 and RO10664 (IA64) or RO10665 (AMD64). CA ARCserve for Windows Server component installed on a 32 bit machine: apply fix # RO10663. CA ARCserve for Windows Client Agent installed on a 64 bit machine: apply fix # RO10664 (IA64) or RO10665 (AMD64). CA ARCserve for Windows Client Agent installed on a 32 bit machine: apply fix # RO10663. CA ARCserve for Linux Server r11.5: apply fix # RO10729. CA ARCserve for Linux: 1. Download RO10729.tar.Z from RO10729 into a temporary location /tmp/RO10729 2. Uncompress and untar RO10729.tar.Z as follows: uncompress RO10729.tar.Ztar -xvf RO10729.tar The new "libarclib.so" will be extracted to /tmp/RO10729 3. Change the directory to $CAIGLBL0000/ino/config as follows: cd $CAIGLBL0000/ino/config 4. Rename "libarclib.so" to "libarclib.so.RO10729" as follows: mv libarclib.so libarclib.so.RO10729 5. Copy the new libarclib.so as follows: cp /tmp/RO10729/libarclib.so $CAIGLBL0000/ino/config/ 6. chmod +x $CAIGLBL0000/ino/config/libarclib.so 7. Stop the common agent (caagent stop) 8. Change the directory to ARCserve common agent directory (typically /opt/CA/BABcmagt) cd /opt/CA/BABcmagt Note: To find out the agent home directory run the following command: dirname 'ls -l /usr/bin/caagent |cut -f2 -d">"' 9. Save a copy of libarclib.so cp -p libarclib.so libarclib.so.RO10729 10. Copy over the new libarclib.so as follows: cp $/tmp/RO10729/libarclib.so. 11. Start the common agent (caagent start) 12. Repeat steps (7-11) on all remote Linux client agents' installations. 13. rm -rf /tmp/RO10729 CVE Information: CVE-2009-3587 CVE-2009-3588  Comments on CVE-2009-3588:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®