Packet Storm: PACKETSTORM:12319
controlIT.txt
1999-08-17 00:00:00
Packet Storm, packetstormsecurity.com
`ISS Security Advisory  
January 25, 1999  
  
Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32)  
enterprise management software  
  
  
Synopsis:  
  
Internet Security Systems (ISS) X-Force discovered three vulnerabilities  
in the Computer Associates ControlIT enterprise management software  
package. ControlIT contains vulnerabilities that allow an attacker with  
local access to a network or machine on which ControlIT operates to  
obtain username and password information or reboot machines without  
authorization.  
  
ControlIT is a remote management application that allows users to have  
full remote control over machines running Microsoft Windows. ControlIT is  
often used in educational laboratory environments and large corporate  
production environments.  
  
Affected versions:  
  
ISS X-Force has confirmed that these vulnerabilities exist in ControlIT  
version 4.5. Earlier versions of ControlIT (under the name Remotely  
Possible/32) are also vulnerable.  
  
The 'About ControlIT' item under the Window menu of ControlIT displays  
version information.  
  
  
Description:  
  
Password encryption vulnerability: ControlIT does not effectively encrypt  
the username or password transmission between a client and a server on a  
network. Analysis of an encrypted password captured from a local network  
shows that ControlIT uses a weak cryptographic process to obscure the  
password transmitted over the network. Though the exact mathematical  
transform is not known, a substitution table suffices to decrypt any  
ControlIT password. Since ControlIT supports Windows NT native security,  
an attacker could obtain user or administrator passwords to Windows NT  
machines via this vulnerability.  
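
The weakness described above is that the transform is a fixed, keyless byte substitution: the same plaintext byte always produces the same ciphertext byte, in every position and in every session. The following Python is an added illustration (not ControlIT's transform and not ISS's or CA's code) of how a deployment team can test a product's password obscuring for that property before trusting it. Both ciphers in it are constructed toys: a fixed 256-entry table standing in for the kind of scheme the advisory describes, and an HMAC-derived per-session keystream standing in for a properly keyed transport.

```python
"""Self-test for the weakness the advisory describes: a password-obscuring
transform that is a fixed substitution independent of position and session key.
Both ciphers below are constructed for illustration only."""
import hashlib
import hmac
import os

# Constructed toy: one fixed, keyless 256-entry substitution table.  Because 7
# is odd the map b -> (7*b + 13) mod 256 is a bijection, so it "decrypts"
# perfectly with the inverse table, which is exactly why it offers no secrecy.
_TABLE = bytes((b * 7 + 13) & 0xFF for b in range(256))


def toy_substitution(password: bytes, session_key: bytes) -> bytes:
    """Fixed substitution: session_key is ignored, so the mapping never changes."""
    return bytes(_TABLE[b] for b in password)


def keyed_stream(password: bytes, session_key: bytes) -> bytes:
    """Constructed comparison scheme: XOR with a keystream derived from a fresh
    per-session key via HMAC-SHA256 in counter mode (illustrative only)."""
    stream = b""
    counter = 0
    while len(stream) < len(password):
        stream += hmac.new(session_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(password, stream))


def is_fixed_substitution(encrypt, trials: int = 8) -> bool:
    """Return True when `encrypt` maps each plaintext byte to a ciphertext byte
    without regard to position or session key.  Two observations establish it:
    a run of identical plaintext bytes encrypts to a run of identical ciphertext
    bytes, and the same plaintext encrypts identically under different keys."""
    probe = bytes([0x41] * 16)  # sixteen identical bytes
    for _ in range(trials):
        key_a, key_b = os.urandom(16), os.urandom(16)
        ct_a = encrypt(probe, key_a)
        if len(set(ct_a)) != 1:
            return False  # ciphertext varies by position: not a fixed table
        if encrypt(probe, key_b) != ct_a:
            return False  # ciphertext varies by key: not a fixed table
    return True


if __name__ == "__main__":
    print("toy substitution is fixed:", is_fixed_substitution(toy_substitution))
    print("keyed stream is fixed:    ", is_fixed_substitution(keyed_stream))
```

A scheme that fails this check is not thereby proven strong; the check only catches the specific defect the advisory reports, a transform that a static table can undo.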
  
Reboot vulnerability: ControlIT allows remote users to either reboot the  
remote machine or force the current user of the remote machine to log out.  
A user must be authenticated to operate this mechanism. Another option,  
configurable by the local user, initiates a reboot or logout of the  
current user once the remote user disconnects the session. This option  
triggers regardless of authentication: if the local user has enabled it,  
anybody can connect and disconnect without authenticating to start its  
timer.  
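
The defect is a missing authentication check on the disconnect path, not the reboot feature itself. The Python below is an added model of that logic (constructed for illustration; it is not ControlIT's code and the class and function names are hypothetical): the vulnerable disconnect handler arms the reboot whenever the option is enabled, while the hardened one arms it only for a session that actually authenticated, which is the behaviour the reboot patch described under Recommendations restores.

```python
"""Vulnerable and hardened models of a 'reboot on disconnect' option.
Constructed illustration of the logic flaw the advisory describes."""
from dataclasses import dataclass, field


@dataclass
class Host:
    """Locally configured state of the managed machine (hypothetical model)."""
    reboot_on_disconnect: bool = False
    pending_actions: list = field(default_factory=list)


@dataclass
class Session:
    """One remote connection to the host (hypothetical model)."""
    host: Host
    authenticated: bool = False

    def authenticate(self, username: str, password: str, credentials: dict) -> bool:
        # Constant-time comparison is not the point here; the flaw is elsewhere.
        self.authenticated = credentials.get(username) == password
        return self.authenticated


def disconnect_vulnerable(session: Session) -> bool:
    """Arms the reboot whenever the option is enabled, regardless of whether
    the peer ever authenticated.  A bare connect/disconnect is enough."""
    if session.host.reboot_on_disconnect:
        session.host.pending_actions.append("reboot")
        return True
    return False


def disconnect_hardened(session: Session) -> bool:
    """Only an authenticated operator's disconnect may arm the reboot."""
    if session.host.reboot_on_disconnect and session.authenticated:
        session.host.pending_actions.append("reboot")
        return True
    return False


if __name__ == "__main__":
    host = Host(reboot_on_disconnect=True)
    anonymous = Session(host)  # never authenticates
    print("vulnerable handler reboots on anonymous disconnect:", disconnect_vulnerable(anonymous))
    print("hardened handler reboots on anonymous disconnect:  ", disconnect_hardened(anonymous))
```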
  
Access to the address book file: The ControlIT address book function  
allows ControlIT users to store frequently used usernames and passwords  
in a file. The passwords in this file are encrypted using the same weak  
mechanism employed during remote connections. Under Windows NT, this file  
has permissions of Everyone:Read, meaning any local user can read the file  
and decrypt passwords.  
  
Recommendations:  
  
CA suggests that customers address the weak encryption problem by adding  
CryptIT(tm) software to ControlIT installations since no patch to  
ControlIT exists that repairs the weak encryption problem. See Computer  
Associates' reply to ISS below for more information.  
  
A patch exists for the Reboot Vulnerability, although a specific URL to  
the patch is not available. This patch, #TF73073, can be obtained through  
Computer Associates support at http://www.cai.com or 1-800-DIALCAI.  
  
A patch exists for the address book vulnerability, which disables  
password storage in the ControlIT address book. Contact Computer  
Associates support at the above URL or phone number to obtain this patch.  
  
Localize ControlIT access by blocking TCP port 799 at the network  
perimeter with packet filters or firewalls.  
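
Blocking TCP port 799 at the perimeter is the recommendation; verifying that the block holds, and that ControlIT is only reached from the networks where it is expected, is the follow-up a defender wants. The following Python is an added example (not ISS's or CA's code) that scans firewall log lines for accepted TCP/799 connections whose source lies outside a set of trusted management ranges. The log format, the host names, the addresses and the trusted ranges are all constructed for the example.

```python
"""Flag accepted ControlIT (TCP 799) connections from outside the management
networks where the product is expected to be reached.  Log lines and network
ranges are constructed for illustration."""
import ipaddress
import re

CONTROLIT_PORT = 799

# Constructed: internal ranges from which ControlIT use is expected.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed syslog-style packet-filter lines (netfilter-like field names).
SAMPLE_LOG = """\
Aug 17 00:01:02 fw1 kernel: ACCEPT IN=eth0 SRC=10.1.2.3 DST=10.1.9.9 PROTO=TCP SPT=40211 DPT=799
Aug 17 00:01:05 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.1.9.9 PROTO=TCP SPT=5123 DPT=799
Aug 17 00:01:07 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.2 DST=10.1.9.9 PROTO=TCP SPT=5200 DPT=80
Aug 17 00:01:09 fw1 kernel: DROP IN=eth0 SRC=203.0.113.8 DST=10.1.9.9 PROTO=TCP SPT=5300 DPT=799
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def is_trusted(addr: str) -> bool:
    """True when the address falls inside one of the trusted management ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_external_controlit(log_text: str) -> list:
    """Return (src, dst) pairs for accepted TCP/799 connections from untrusted
    sources.  DROP lines are the perimeter filter working and are not reported."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or unparseable line
        if m["proto"] != "TCP" or int(m["dpt"]) != CONTROLIT_PORT:
            continue
        if m["action"] != "ACCEPT":
            continue
        if not is_trusted(m["src"]):
            findings.append((m["src"], m["dst"]))
    return findings


if __name__ == "__main__":
    for src, dst in find_external_controlit(SAMPLE_LOG):
        print(f"ControlIT reachable from untrusted source {src} -> {dst}:{CONTROLIT_PORT}")
```

Run against real logs, the regular expression and the trusted ranges are the two things to adapt; everything else is the same port-and-source test the perimeter rule is meant to enforce.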
  
  
Vendor Response:  
  
Computer Associates responded to ISS with the following reply:  
  
Synopsis.  
Computer Associates is dedicated to ensuring its products address its  
customers' needs, including the delivery of robust and secure remote  
control solutions. The following information is provided to ISS in  
response to its advisory entitled "Multiple vulnerabilities in ControlIT  
(formerly Remotely Possible/32) enterprise management software" and dated  
December 2, 1998. As explained below, Computer Associates' remote control  
solutions address all three points raised in the subject ISS advisory.  
  
Password Encryption.  
For Remotely Possible and ControlIT users requiring enhanced encryption,  
Computer Associates provides an end-to-end encryption product called  
CryptIT. CryptIT is an advanced encryption solution that does not involve  
key management and is easy to deploy. CryptIT is transparent and  
automatically discovers CryptIT at the other end and provides strong  
encryption with DES3 and DES encryption. CryptIT with Remotely Possible or  
ControlIT ensures that all network session data is completely private and  
secure.  
  
Remotely Possible and ControlIT offer "built-in" security in addition to  
NT local and Domain security. For customers concerned that the NT  
administrator passwords can be sniffed, the "built-in" security model  
should be used as the NT usernames/passwords are not required.  
  
Reboot Vulnerability.  
Remotely Possible 4.0 and ControlIT 4.5 allow the user to enable or  
disable the "reboot on disconnect" option. By default, the product does  
not reboot on disconnect.  
  
If the 'reboot on disconnect' is enabled, the machine will reboot if an  
invalid username or password is provided. This feature was requested by  
Computer Associates' customers who wanted to ensure that intruders could  
not easily access a machine.  
  
A patch, which can be optionally installed, will be available for those  
customers who prefer to disable the machine reboot option in cases of an  
invalid username or password.  
  
Address Book Passwords.  
Computer Associates offers a patch for Remotely Possible 4.0 that removes  
password storage in the address book. The user must type in the password.  
  
ControlIT users are not required to enter the password in the address  
books. If they choose to, ControlIT stores the passwords in encrypted  
form. Computer Associates also offers a patch for ControlIT 4.5 that  
removes password storage in the address book and requires the user to  
type in the password. As usernames are typically a common ASCII string, it  
would be easier for an attacker to determine the encryption algorithm and  
hence determine the password if the usernames were encrypted. Therefore,  
the username is not encrypted.  
  
  
Patch information:  
  
Contact Computer Associates support at http://www.cai.com or  
1-800-DIALCAI to obtain patches.  
  
  
Additional Information:  
  
ISS Internet Scanner risk assessment software and ISS RealSecure  
real-time intrusion detection software have the capability to detect  
these vulnerabilities.  
  
The 'Data Encryption' option offered by ControlIT does not encrypt the  
login/password packets in any way. This measure is not effective to avoid  
these vulnerabilities.  
  
__________  
  
Copyright (c) 1999 by Internet Security Systems, Inc.  
  
Permission is hereby granted for the redistribution of this alert  
electronically. It is not to be edited in any way without express  
consent of X-Force. If you wish to reprint the whole or any part of this  
alert in any other medium excluding electronic medium, please e-mail  
[email protected] for permission.  
  
Disclaimer:  
  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties with regard to this information. In no event shall the  
author be liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information. Any use of this  
information is at the user's own risk.  
  
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,  
as well as on MIT's PGP key server and PGP.com's key server.  
  
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce  
  
Please send suggestions, updates, and comments to:  
X-Force <[email protected]> of Internet Security Systems, Inc.  
  
`