Security Watch

Computer Associates: Asleep at the Switch?

Vulnerabilities in CA's backup solutions provoke questions about quality control.

• By Russ Cooper
• 03/07/2005

Hacking
It's a rough time for a couple of Computer Associates' backup products. The first, BrightStor ARCserve Backup v11 servers, are vulnerable to an attack via the Discovery Service. This service normally is listening on all BrightStor servers. The service enables backup servers to discover other backup servers within their network, by listening to the network broadcast address via UDP 41524. A parameter in a broadcast could overflow a buffer in the service, allowing an attacker to execute code of his choosing in the context of the backup service (normally a highly privileged account.) Patches are available.

But that's nothing compared to CA's BrightStor ARCserver Backup r11.1 for UNIX, in which the UniversalAgent was released with a hard-coded user ID and password. The UniversalAgent is software for client systems backed up by the BrightStor server. The hard-coded user ID and password are in addition to any credentials which have been assigned the UniversalAgent through normal means, permitting any attacker to simply gain access to the client system and provide the credentials. The attacker would then have the same access the BrightStor server has, including the ability to execute commands. The user ID and password have been published. Patches are available.

Yikes Batman, what on earth were they thinking? It's bad enough that they hard-coded these credentials during development, but to not have removed them prior to production release is simply unbelievable. One has to wonder whether any quality control exists in CA at all if such a horrific mistake can be made. Probing has been occurring on the UniversalAgent port (tcp/udp 6051), but luckily environments employing such a backup strategy are typically secured from Internet connections over these ports.

Lots of vulnerabilities found for the log analyzer AWStats. AWStats versions prior to 6.4 contain multiple vulnerabilities that allow a remote attacker to cause a denial-of-service condition, gain sensitive information and execute arbitrary commands. Patches are available.

The AWStats function model allows for function calls to be extended via parameters, with variables being provided in the call. Those variables aren't properly validated, resulting in the potential for an attacker to execute commands amongst other malicious actions. In addition, AWStats' debug mode can be executed by any user. Full details and exploit examples have been published.

Digital Rights Management (DRM) copy protection placed on music downloads by Napster for its paying customers have been hacked by using the freely available AOL software from Winamp. Once the copy protection is removed, the Napster downloads can be easily burned onto any number of compact discs.

Copy protection without the use of hardware devices has never succeeded; think back to the days when all you had to do was punch carefully placed holes in your Lotus 1-2-3 floppy diskette. The media attention suggests it thinks DRM is meant to prevent copying; in reality it's simply an auditing tool to prevent honest folk from inadvertent stealing. DRM also helps a company ensure accountability for stolen copyright material.

Human Factors
Cisco Systems, Symantec and Qualys have announced plans to launch a vulnerability rating system they say will allow corporations to assess how severe a particular vulnerability is to their environment. The rating will be made up of three numbers: a subjective estimate of the actual severity of the threat, a measure of how long the vulnerability has been around, and another subjective measure of how much threat the vulnerability poses to a corporate network.

Hmm, two parts subjective, one part knowledge—and the knowledge part won't honestly be known. Determining how long a vulnerability has been around requires testing for the vulnerability against old and outdated environments. For example, in research conducted by Cybertrust (my employer), it was found that the majority of vulnerabilities in current versions of Windows have existed in all tested versions. This implies it also existed in prior versions. It's unclear whether this collaborative effort is going to perform such testing to make this knowledge component accurate, or if they will also just work with the versions currently in use.

Full disclosure: Cybertrust performs severity analysis like this for its customers.

Governance
A Florida man is suing his bank over $90,000 in wire fraud. The Miami businessman is suing after the money was taken from his firm's online banking account following a computer virus attack. Joe Lopez filed suit against the Bank of America in Miami Circuit Court last week, alleging that the bank was negligent in failing to protect his account from compromise through known risks.

Now here's an approach that might work to get vulnerabilities in browsers and operating systems fixed. If the bank is going to make online banking available to its customers, and it's aware that there are flaws in the system which could lead to compromise of the account, are they liable? Of course, "buyer beware" and all that, but at what point will the courts decide that consumers can't protect themselves, and pass the responsibility on to corporations who save money by having their customers visit them online instead of in person?

And take this a step further: If the ruling goes against the bank in this case, expect to see the fur fly against the software vendor responsible for the victim's operating system or browser.