[Full-disclosure] [CAID 35527]: CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2007-07-25T00:00:00



Title: [CAID 35527]: CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability

CA Vuln ID (CAID): 35527

CA Advisory Date: 2007-07-24

Reported By: Paul Mehta of ISS X-Force

Impact: A remote attacker can execute arbitrary code.

Summary: Multiple CA products that utilize CA Message Queuing (CAM / CAFT) software contain a buffer overflow vulnerability. The vulnerability, CVE-2007-0060, is a buffer overflow that can allow a remote attacker to execute arbitrary code by sending a specially crafted message to TCP port 3104.

Mitigating Factors: None

Severity: CA has given this vulnerability a High risk rating.

Affected Versions of CA Message Queuing (CAM / CAFT): This vulnerability affects all versions of the CA Message Queuing software prior to v1.11 Build 54_4 on the specified platforms.
i.e. CAM versions 1.04, 1.05, 1.06, 1.07, 1.10 (prior to Build 54_4) and 1.11 (prior to Build 54_4).

Affected Products: Advantage Data Transport 3.0 BrightStor SAN Manager 11.1, 11.5 BrightStor Portal 11.1 CleverPath OLAP 5.1 CleverPath ECM 3.5 CleverPath Predictive Analysis Server 2.0, 3.0 CleverPath Aion 10.0 eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1 Unicenter Application Performance Monitor 3.0, 3.5 Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 4.0 SP1 Unicenter Data Transport Option 2.0 Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2 Unicenter Jasmine 3.0 Unicenter Management for WebSphere MQ 3.5 Unicenter Management for Microsoft Exchange 4.0, 4.1 Unicenter Management for Lotus Notes/Domino 4.0 Unicenter Management for Web Servers 5, 5.0.1 Unicenter NSM 3.0, 3.1 Unicenter NSM Wireless Network Management Option 3.0 Unicenter Remote Control 6.0, 6.0 SP1 Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5 Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 4.0 SP1 Unicenter TNG 2.1, 2.2, 2.4, 2.4.2 Unicenter TNG JPN 2.2

Affected Platforms: Windows and NetWare

Platforms NOT affected: AIX, AS/400, DG Intel, DG Motorola, DYNIX, HP-UX, IRIX, Linux Intel, Linux s/390, MVS, Open VMS, OS/2, OSF1, Solaris Intel, Solaris Sparc and UnixWare.

Status and Recommendation: CA has made patches available for all affected products. These patches are independent of the CA Software that installed CAM.
Simply select the patch appropriate to the platform, and the installed version of CAM, and follow the patch application instructions. You should also review the product home pages on SupportConnect for any additional product specific instructions.

Solutions for CAM: Platform Solution Windows QO89945 NetWare QO89943

How to determine if you are affected:

Determining CAM versions: Simply running camstat will return the version information in the top line of the output on any platform. The camstat command is located in the bin subfolder of the installation directory.

The example below indicates that CAM version 1.11 build 27 increment 2 is running.

E:\>camstat CAM – machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16

Determining the CAM install directory:

Windows: The install location is specified by the %CAI_MSQ% environment variable. Unix/Linux/Mac: The /etc/catngcampath text file holds the CAM install location.

Workaround: The affected listening port can be disabled by creating or updating CAM's configuration file, CAM.CFG, with the following entry under the "*CONFIG" section:

*CONFIG cas_port=0

The CA Messaging Server must be recycled in order for this to take effect. We advise that products dependent upon CAM should be shutdown prior to recycling CAM. Once dependent products have been shutdown, CAM can be recycled with the following commands:

On Windows: camclose cam start

On NetWare: load camclose load cam start

Once CAM has been restarted, any CAM dependent products that were shutdown can be restarted.

References (URLs may wrap): CA SupportConnect: http://supportconnect.ca.com/ Security Notice for CA Message Queuing (CAM / CAFT) vulnerability http://supportconnectw.ca.com/public/dto_transportit/infodocs/camsgquevul-s ecnot.asp Solution Document Reference APARs: QO89945, QO89943 CA Security Advisor posting: CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149809 CA Vuln ID (CAID): 35527 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35527 Reported By: Paul Mehta of ISS X-Force ISS X-Force advisory: Computer Associates (CA) Message Queuing buffer overflow http://iss.net/threats/272.html http://xforce.iss.net/xforce/xfdb/32234 CVE References: CVE-2007-0060 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0060 OSVDB References: Pending http://osvdb.org/

Changelog for this advisory: v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form. URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2007 CA. All rights reserved.

-----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFGpqDgeSWR3+KUGYURAqdJAJ4pFoSk4uID50pe596jrSXA360EFwCgnKwR e0SCE2LiNYK4inEXfyLjI4M= =9QLH -----END PGP SIGNATURE----- ___________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/