Malicious hackers have released code that exploits a widespread vulnerability in software from Computer Associates International (CA), setting off a round of Internet scanning for vulnerable CA systems.
The exploit code was created Friday, just two days after CA warned customers and issued a patch for security holes in the Computer Associates License Client and Server software. The product is a management tool that allows CA customers to register and manage their product licenses on a computer network. It is shipped with almost all CA software with the server component disabled, but the License Client is enabled by default on most CA software. The exploit could allow a remote attacker to take control of systems using the CA License software, according to security experts.
CA is working closely with customers to make sure they are aware of the vulnerabilities and take steps to patch them, and it noted that there are no known attacks using code that exploits the vulnerabilities. The company strongly recommends that customers apply the patches immediately, according to Bob Gordon, a company spokesman.
The holes in the License Client and server were discovered by security companies eEye Digital Security and iDefense in CA License software versions 1.53 through 1.61.8 for a number of platforms, including Microsoft's Windows, Sun Microsystems' Solaris, Apple Computer's OS X, Unix and Linux, according to a CA advisory. (See: http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp.)
The exploit code, which is credited to an exploit writing group called the Hat-Squad, targets the CA License Client on Windows systems and allows a remote attacker to cause a stack overflow on vulnerable systems, then run code that gives the attacker control of the system. On Sunday, a copy of the exploit was posted on the Web site class101.org, which publishes software exploits and other hacking tools.
By Tuesday, the SANS Institute's Internet Storm Center noted increased scans on TCP (Transmission Control Protocol) ports 10202 and 10203, which are used by the License Client, according to information posted on the Internet Storm Center Web site. The scanning is probably related to the release of the exploit code, as malicious hackers search for vulnerable systems that are accessible from the Internet and running the License Client.
"This should raise alarm bells," said Firas Raouf, the chief operating officer of eEye, about the release of exploit code.
The License Client poses a serious risk to corporate security, because it is widely distributed with CA's software, and because the security hole in the Client is so easy to exploit, Raouf said.
Raouf was critical of CA, saying that the company did not adequately audit the License Client and server software.
"Clearly ... CA has not done due diligence, from a vulnerability scanning standpoint, on their License Client. This vulnerability was really easy to find and to exploit," he said.