Computer Associates International (CA) and security firms are warning about a number of serious security holes in software that manages CA product licenses and is distributed with almost every piece of software the company sells.
The security holes could allow remote attackers to run malicious code on systems that use the Computer Associates License Client and Server software. Security firms eEye Digital Security and iDefense discovered a number of serious flaws, including buffer overflow vulnerabilities, that affect both servers and clients running the license software.
The Computer Associates License Client and Server software is a license management tool that allows CA customers to register and manage their product licenses on a computer network.
The software is shipped with almost all CA software. The server component is disabled by default when it is shipped. However, the License Client is enabled by default on most CA software, increasing the chances for successful attacks.
The holes are in CA License software versions 1.53 through 1.61.8 for a number of platforms, including Microsoft Corp.'s Windows, Sun Microsystems Inc.'s Solaris, Apple Computer Inc.'s OS X, Unix and Linux, according to a CA advisory. (See: http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp)
The company issued a patch that fixes the problems and is encouraging customers to apply it.
The most serious vulnerabilities discovered by eEye and iDefense allow malicious hackers to send specially formatted commands to systems running the License software that overflow buffers, or areas of the machine's memory that are allocated to store data.
For example, a flaw in a software routine that records status and error messages to a License log file can be exploited by sending an invalid request that causes a buffer overflow, according to an eEye advisory.
Another hole, in a License Server and Client software component called GETCONFIG, could allow a remote attacker to attack a system running the software with a specially configured data packet. When triggered, the vulnerability causes an overflow that gives the attacker elevated, or "Local System," permissions on the system and leaks information on the remote operating system, according to an iDefense advisory.
In some cases, firewall software can be used to block attacks targeting the vulnerabilities. However, customers need to apply License software patches from the company for affected versions of the License Server or License Client to fix the holes. Alternatively, customers can upgrade from affected software versions to CA License version 1.61.9, which does not contain the holes, according to a CA advisory.
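For administrators sorting out which machines need the patch, the version range above can be checked against an inventory. The following is an added example, not code from CA or the security firms; the hostnames and the inventory format are constructed, and it assumes version strings are dotted numbers such as 1.61.8.

```python
import re

# Range from the CA advisory as reported above:
# affected 1.53 through 1.61.8; 1.61.9 does not contain the holes.
AFFECTED_MIN = (1, 53, 0)
AFFECTED_MAX = (1, 61, 8)

def parse_version(text):
    """Parse 'N.N' or 'N.N.N' into a 3-tuple of ints; None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_text):
    """Return 'affected', 'outside-range' or 'unknown'.

    Components are compared as integers, so 1.61.10 sorts after 1.61.9
    (a plain string comparison would place it inside the affected range).
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable: needs a manual check
    return "affected" if AFFECTED_MIN <= v <= AFFECTED_MAX else "outside-range"

def triage(inventory):
    """Return (host, version, status) rows with affected hosts first."""
    order = {"affected": 0, "unknown": 1, "outside-range": 2}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("app01", "1.61.9"),
    ("db02", "1.61.8"),
    ("web03", "1.53"),
    ("old04", "1.52.7"),
    ("mail05", "1.60.10"),
    ("lab06", "n/a"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {ver:10} {status}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed safe, since the License Client is enabled by default on most CA software.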