Computer Associates (CA) customers may have to patch nearly all their CA products following the discovery of a number of security holes.
All of the six identified bugs affect the CA License Management software installed by
default with almost all of CA's products, including UniCenter, eTrust and BrightStor lines. Operating systems affected include Windows, HP-UX, AIX, Solaris, Tru64, Mac OS X and Linux, CA said.
Patches are available from the company's website. The bugs were discovered by iDefense and eEye and could be exploited to run malicious code on a user's system. However, exploits could only realistically be carried out from a company's internal network, rather than from the nternet, according to Thomas Kristensen, chief technology officer with independent security firm Secunia.
"We found that the License service is to be considered Local Network. This limits the attack vector significantly in our opinion," Kristensen said. Secunia's advisory can be found here.
CA's European VP for security, Simon Perry, said it is taking the vulnerabilities seriously, but isn't aware of any exploits being available. The vendor worked with eEye and iDefense to fix the problems and co-ordinated public disclosure with them, as well as notifying public vulnerability resources such as US-CERT and Mitre Common Vulnerability Exposures (CVE) Group. Customers and partners were notified through the CA Security Advisor website and Threat Alert Service
The vulnerabilities are unusual in that they affect a large number of different types of applications, security experts said. It isn't clear which CA products don't contain the affected package, since the vendor hasn't published a list, Secunia said.
Perry said the company is making efforts to help companies track down all their affected software. "We have provided our customers with a number of support tools to help them determine if they have CA software installed that is affected by these vulnerabilities, and also full advice and fixes to remediate any potentially vulnerable systems," Perry said.
The bugs include a boundary error in log message generation, boundary error and input validation bugs in the handling of filenames in PUTOLF requests, a boundary error in the handling of GETCONFIG requests, and two separate boundary errors in GCR requests.