Security

CA security system vulnerable to DoS attacks

Flaw in Computer Associates' eTrust Intrusion Detection System could make it susceptible to denial-of-service attacks.

A flaw has been discovered in Computer Associates' eTrust Intrusion Detection System that could make the system vulnerable to denial-of-service attacks, according to an advisory by security research company iDefense.

The flaw enables a writer of malicious code to disable CA's eTrust Intrusion Detection System 3.0, which in turn weakens a company's defense against a DoS attack, said Michael Sutton, director of iDefense Labs.

The vulnerability stems from CA's intrusion detection system failing to check whether data is the correct size before passing it off to Microsoft's Crypto API function CPImportKey. Microsoft's Crypto API function CPImportKey also does not check the data once it has been passed on, Sutton said. As a result, any incorrectly sized data will create a problem with the memory, creating a "buffer overflow."

Sutton warned that other application vendors who use Microsoft's Crypto API function CPImportKey and whose own products also do not check the data's size before passing it on to the Microsoft API may face the same vulnerability.

"This vulnerability is not overly difficult to exploit," Sutton said.

Computer Associates, which was initially notified of the flaw in early December, has issued an update for version 3.0 and 3.0 SP1, which includes a work-around to prevent the flaw from being exploited, said a company spokeswoman, declining further comment.

The eTrust Intrusion Detection vulnerability marks the latest security issue for Computer Associates. Last month, exploit code was discovered that could take advantage of flaws in CA's licensing software and launch a DoS attack.

In that particular case, the amount of time between the public disclosure of the vulnerability and the development of code to exploit the flaw was only a week. Security experts have become increasingly concerned over the speed in which malicious code generally appears after a vulnerability has been announced.