Computer Associates: Asleep at the Switch?
Vulnerabilities in CA's backup solutions provoke questions about quality control.
It's a rough time for a couple of Computer Associates backup products. The first, BrightStor ARCserve Backup v11 servers, are vulnerable to an attack via the Discovery Service. This service normally listens on all BrightStor servers; it enables backup servers to discover other backup servers within their network by listening on the network broadcast address via UDP 41524. A parameter in a broadcast can overflow a buffer in the service, allowing an attacker to execute code of his choosing in the context of the backup service (normally a highly privileged account). Patches are available.
But that's nothing compared to CA's BrightStor ARCserve Backup r11.1 for UNIX, in which the UniversalAgent was released with a hard-coded user ID and password. The UniversalAgent is software for client systems backed up by the BrightStor server. The hard-coded user ID and password exist in addition to any credentials assigned to the UniversalAgent through normal means, permitting any attacker who can reach the client system's agent to provide those credentials and gain access. The attacker then has the same access the BrightStor server has, including the ability to execute commands. The user ID and password have been published. Patches are available.
Yikes Batman, what on earth were they thinking? It's bad enough that they hard-coded these credentials during development, but to not have removed them prior to production release is simply unbelievable. One has to wonder whether any quality control exists in CA at all if such a horrific mistake can be made. Probing has been occurring on the UniversalAgent port (tcp/udp 6051), but luckily environments employing such a backup strategy are typically secured from Internet connections over these ports.
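The quality-control gap described above (credentials hard-coded during development and never removed before release) is exactly what a pre-release source scan is meant to catch. The following is an added example, not code from the column or from CA: a small heuristic scanner that flags string literals assigned to password-like identifiers, and reports hard-coded user-ID literals alongside them only when a password is also present. The sample source it scans is constructed; the identifier names, the placeholder rules and the regular expressions are assumptions, so treat the output as a review queue rather than a verdict.

```python
import re
from typing import List, NamedTuple

# Identifier fragments that suggest a credential (matched case-insensitively).
SECRET_NAMES = r"(?:pass(?:word|wd|phrase)?|pwd|secret|api[_-]?key|token)"
USER_NAMES = r"(?:user(?:name|id)?|login|uid)"
QUOTED = r"(?P<q>[\"'])(?P<val>[^\"']*)(?P=q)"  # a single- or double-quoted literal

# `<name> = "<literal>"` in C/C++/Java/Python/shell style, plus C `#define`.
SECRET_ASSIGN = re.compile(r"\b(?P<name>\w*" + SECRET_NAMES + r"\w*)\s*=\s*" + QUOTED, re.I)
SECRET_DEFINE = re.compile(r"#\s*define\s+(?P<name>\w*" + SECRET_NAMES + r"\w*)\s+" + QUOTED, re.I)
USER_ASSIGN = re.compile(r"\b(?P<name>\w*" + USER_NAMES + r"\w*)\s*=\s*" + QUOTED, re.I)

# Literals that are placeholders rather than real secrets: empty, obvious dummies,
# or templates filled in at build or run time (assumed conventions).
PLACEHOLDER_VALUES = {"", "changeme", "xxx", "todo", "<password>"}
PLACEHOLDER_SHAPE = re.compile(r"^(\$\{?\w+\}?|%\w|<[^>]+>|\{\{.*\}\})$")

# Constructed sample source; hypothetical agent code, not CA's.
SAMPLE_SOURCE = """\
/* constructed sample: agent authentication, not real CA code */
#define AGENT_PORT 6051
static const char *default_user = "svc_backup";
static const char *default_password = "s3cr3t-dev-only";
char *pw = getenv("AGENT_PASSWORD");
const char *prompt = "Password: ";
password = "";
token = "${API_TOKEN}"
"""


class Finding(NamedTuple):
    lineno: int
    kind: str  # "password" or "user id"
    name: str
    value: str


def is_placeholder(value: str) -> bool:
    v = value.strip()
    return v.lower() in PLACEHOLDER_VALUES or bool(PLACEHOLDER_SHAPE.match(v))


def scan_source(text: str) -> List[Finding]:
    """Return hard-coded credential literals found in `text`, ordered by line.

    User-ID literals are reported only when the same text also contains a
    hard-coded password: a bare username is rarely a secret on its own, but a
    shipped user ID plus password pair is the failure mode being hunted here.
    """
    secrets, users = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in (SECRET_ASSIGN, SECRET_DEFINE):
            m = pattern.search(line)
            if m and not is_placeholder(m.group("val")):
                secrets.append(Finding(lineno, "password", m.group("name"), m.group("val")))
                break
        m = USER_ASSIGN.search(line)
        if m and not is_placeholder(m.group("val")):
            users.append(Finding(lineno, "user id", m.group("name"), m.group("val")))
    if not secrets:
        return []
    return sorted(secrets + users)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.lineno}: hard-coded {f.kind} {f.name!r} = {f.value!r}")
```

Run as a release gate the scan fails the build on any finding; the placeholder rules exist so that environment-variable lookups and empty defaults, which are the correct way to handle such credentials, do not block the release.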
Lots of vulnerabilities found for the log analyzer AWStats.
AWStats versions prior to 6.4 contain multiple vulnerabilities that allow a remote attacker to cause a denial-of-service condition, gain sensitive information and execute arbitrary commands. Patches are available.
AWStats builds some of its function calls from request parameters, with the supplied values passed into the call as variables. Those values aren't properly validated, so an attacker can execute commands, among other malicious actions. In addition, AWStats' debug mode can be invoked by any user. Full details and exploit examples have been published.
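Because the flaw is unvalidated parameter values flowing into command execution, and because the debug mode is open to anyone, both conditions leave a trace in the web server's access log. The following is an added example, not code from the column or from the AWStats project: it parses combined-format log lines, decodes the query string of any request to `awstats.pl`, and flags values containing shell metacharacters or a request for debug mode. The log lines are constructed, and the assumption that debug mode is selected by a parameter named `debug` is mine, not the page's.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/NCSA combined log line; only the fields this check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+')

# Characters that let an unvalidated value escape into a shell or Perl command.
SHELL_META = re.compile(r"[|;`&<>]|\$\(")

# Constructed sample log lines (not real traffic); 198.51.100.0/24 is documentation space.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Feb/2005:10:01:02 +0000] "GET /cgi-bin/awstats.pl?config=example.com&output=main HTTP/1.1" 200 4321',
    '198.51.100.7 - - [05/Feb/2005:10:03:11 +0000] "GET /cgi-bin/awstats.pl?config=example.com&debug=1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [05/Feb/2005:10:03:40 +0000] "GET /cgi-bin/awstats.pl?config=example.com%7Cuname%7C HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Feb/2005:10:03:55 +0000] "GET /cgi-bin/awstats.pl?config=example.com%257Cuname%257C HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Feb/2005:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]


def suspicious_awstats_requests(lines) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, request target, reasons) for each suspicious awstats.pl request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-log line
        target = m.group("target")
        parts = urlsplit(target)
        if not parts.path.endswith("awstats.pl"):
            continue
        reasons = []
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl decodes once; decoding again catches double-encoded payloads
            # (e.g. %257C -> %7C -> |) that a single decode would let through.
            value = unquote(value)
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacter in parameter {key}")
            if key.lower() == "debug":  # assumption: debug mode is selected by a 'debug' parameter
                reasons.append("debug mode requested")
        if reasons:
            findings.append((m.group("ip"), target, reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in suspicious_awstats_requests(SAMPLE_LOG):
        print(f"{ip} {target} -> {'; '.join(reasons)}")
```

The double decode matters: a value that looks harmless after one round of percent-decoding may still contain a metacharacter once the application decodes it a second time, so the detector decodes as many times as the target plausibly would.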
The Digital Rights Management (DRM) copy protection placed on music downloads by Napster for its paying customers has been hacked using the freely available Winamp software from AOL. Once the copy protection is removed, the Napster downloads can be burned onto any number of compact discs. Copy protection without the use of hardware devices has never succeeded; think back to the days when all you had to do was punch carefully placed holes in your Lotus 1-2-3 floppy diskette. The media attention suggests the press thinks DRM is meant to prevent copying; in reality it's simply an auditing tool to keep honest folk from inadvertently stealing. DRM also helps a company ensure accountability for stolen copyrighted material.
Cisco Systems, Symantec and Qualys have announced plans to launch a vulnerability rating system they say will allow corporations to assess how severe a particular vulnerability is to their environment. The rating will be made up of three numbers: a subjective estimate of the actual severity of the threat, a measure of how long the vulnerability has been around, and another subjective measure of how much threat the vulnerability poses to a corporate network.
Hmm, two parts subjective, one part knowledge—and the knowledge part won't honestly be known. Determining how long a vulnerability has been around requires testing for it against old and outdated environments. For example, research conducted by Cybertrust (my employer) found that the majority of vulnerabilities in current versions of Windows existed in all tested versions, which implies they also existed in prior versions. It's unclear whether this collaborative effort is going to perform such testing to make the knowledge component accurate, or whether it will just work with the versions currently in use.
Full disclosure: Cybertrust performs severity analysis like this for its customers.
A Florida man is suing his bank over $90,000 in wire fraud. The Miami businessman is suing after the money was taken from his firm's online banking account following a computer virus attack. Joe Lopez filed suit against the Bank of America in Miami Circuit Court last week, alleging that the bank was negligent in failing to protect his account from compromise through known risks.
Now here's an approach that might work to get vulnerabilities in browsers and operating systems fixed. If a bank makes online banking available to its customers, and it's aware of flaws in the system which could lead to compromise of an account, is it liable? Of course, "buyer beware" and all that, but at what point will the courts decide that consumers can't protect themselves, and pass the responsibility on to corporations who save money by having their customers visit them online instead of in person? And take this a step further: if the ruling goes against the bank in this case, expect to see the fur fly against the software vendor responsible for the victim's operating system or browser.
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.