Issued: July 24, 2007
Last Updated: August 06, 2007

CA's customer support is alerting customers to multiple security risks in CA products that implement the Arclib library. Two vulnerabilities exist that can allow a remote attacker to cause a denial of service. CA has issued updates to address the vulnerabilities.

The first vulnerability, CVE-2007-3875, is due to an application hang when processing a specially malformed CHM file.

The second vulnerability, CVE-2006-5645, is due to an application hang when processing a specially malformed RAR file.

In each case, an attacker can interfere with normal program operation to cause a denial of service condition.

Risk Rating

Medium

Affected Products

CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.0, 7.1, r8, r8.1
CA Anti-Virus 2007 (v8)
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3)
eTrust Internet Security Suite r1, r2
eTrust EZ Armor r1, r2, r3.x
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8, 8.1
CA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus Gateway) 7.1
CA Protection Suites r2, r3
CA Secure Content Manager (formerly eTrust Secure Content Manager) 1.1, 8.0
CA Anti-Spyware for the Enterprise (Formerly eTrust PestPatrol) r8, 8.1
CA Anti-Spyware 2007
Unicenter Network and Systems Management (NSM) r3.0
Unicenter Network and Systems Management (NSM) r3.1
Unicenter Network and Systems Management (NSM) r11
Unicenter Network and Systems Management (NSM) r11.1
BrightStor ARCserve Backup r11.5 on Windows, Linux
BrightStor ARCserve Backup r11.1 on Windows, Linux
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5 on Windows
BrightStor ARCserve Backup v9.01 on Windows, Linux
BrightStor ARCserve Client agent for Windows
eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1
CA Common Services (CCS) r11
CA Common Services (CCS) r11.1
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

How to determine if the installation is affected

For products on Windows:

1. Using Windows Explorer, locate the file "arclib.dll". By default, the file is located in the "C:Program FilesCASharedComponentsScanEngine" directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the table below, the installation is vulnerable.

*For eTrust Intrusion Detection 2.0 the file is located in "Program FileseTrustIntrusion DetectionCommon", and for eTrust Intrusion Detection 3.0 and 3.0 sp1, the file is located in "Program FilesCAIntrusion DetectionCommon".

For CA Anti-Virus r8.1 on non-Windows:

Use the compver utility provided on the CD to determine the version of Arclib. If the version is less than 7.3.0.9, the installation is vulnerable. Use the following table to determine the file name:

Solution

CA has provided an update to address the vulnerabilities. The updated Arclib library is provided in automatic content updates with most products. Ensure that the latest content update is installed. In the case where automatic updates are not available, use the following product specific instructions.

CA Secure Content Manager 1.1:

Apply QO89469.

CA Secure Content Manager 8.0:

Apply QO87114.

Unicenter Network and Systems Management (NSM) r3.0:

Apply QO89141.

Unicenter Network and Systems Management (NSM) r3.1:

Apply QO89139.

Unicenter Network and Systems Management (NSM) r11:

Apply QO89140.

Unicenter Network and Systems Management (NSM) r11.1:

Apply QO89138.

CA Common Services (CCS) r11:

Apply QO89140.

CA Common Services (CCS) r11.1:

Apply QO89138.

CA Anti-Virus Gateway 7.1:

Apply QO89381.

eTrust Intrusion Detection 2.0 sp1:

Apply QO89474.

eTrust Intrusion Detection 3.0:

Apply QO86925.

eTrust Intrusion Detection 3.0 sp1:

Apply QO86923.

CA Protection Suites r2:

Apply updates for CA Anti-Virus 7.1.

BrightStor ARCserve Backup on Windows and Linux, BrightStor ARCserve Client agent for Windows:

Manually replace the Arclib library with the one provided in the CA Anti-Virus 7.1 fix set.

1. Locate and rename the existing Arclib file. On Windows, the file is called arclib.dll. On Linux, the file is called libarclib.so.
2. Download the CA Anti-Virus 7.1 patch that matches the host operating system
3. Unpack the patch and place the Arclib file in directory where the existing Arclib file was found in step 1.
4. Reboot the host

CA Anti-Virus 7.0:

Windows - QO90224
Solaris - QO90254
Linux - QO90256
Netware - QO90255

CA Anti-Virus 7.1:

T229327 - Solaris - QO86831
T229328 - Netware - QO86832
T229329 - MacPPC - QO86833
T229330 - MacIntel - QO86834
T229331 - Linux390 - QO86835
T229332 - Linux - QO86836
T229333 - HP-UX - QO86837
T229337 - NT (32 bit) - QO86843
T229338 - NT (AMD64) - QO86846

CA Anti-Virus for the Enterprise r8, 8.1, CA Threat Manager for the Enterprise r8, 8.1 Windows:

The updated Arclib library is provided through the automatic content update feature.

CA Threat Manager for the Enterprise r8.1 (non Windows):

T229334 - Linux - QO86839
T229335 - Mac - QO86828
T229336 - Solaris - QO86829

Workaround

None

References

CVE-2006-5645 Arclib RAR file processing hang

CVE-2007-3875 Arclib CHM file processing hang

Acknowledgement

CVE-2006-5645 - Titon of BastardLabs and Damian Put <[email protected]> working with the iDefense VCP.

CVE-2007-3875 - An anonymous researcher working with the iDefense VCP.

Change History

Version 1.0: Initial Release

Version 1.1: Added CA Threat Manager for the Enterprise 8.1, updated ARCserve Backup patch instructions

Version 1.2: Added solution information for CA Anti-Virus 7.0, CA Anti-Virus for the Enterprise r8, and CA Threat Manager for the Enterprise r8

If additional information is required, please contact CA Technical Support at https://support.ca.com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form at https://www.ca.com/us/securityadvisor/vulninfo/submit.aspx.