Intrusion Prevention

CA.AV.Engine.CAB.File.Header.Parsing.Buffer.Overflow

Description

This indicates an attempt to exploit a stack-based buffer-overflow vulnerability in the anti-virus engine used in several CA products.
The vulnerability occurs in CA anti-virus engines before content update 30.6. It can be triggered by a large invalid value in the "coffFiles" field of a .CAB file header. A remote attacker can crash the application and may also be able to execute arbitrary code on the system with the privileges of the victim.
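The check below is an added example, not code from this advisory or from CA: it parses the documented Microsoft CFHEADER layout of a .CAB file and applies the bounds check that a hardened cabinet parser or a content-inspection rule would perform on "coffFiles" before trusting it. The field layout follows the public CAB specification; the sample headers are constructed for the demonstration.

```python
"""Sanity-check the CFHEADER of a Microsoft Cabinet (.CAB) file."""
import struct

# CFHEADER fixed part (36 bytes, little-endian): signature, reserved1,
# cbCabinet, reserved2, coffFiles, reserved3, versionMinor, versionMajor,
# cFolders, cFiles, flags, setID, iCabinet
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_LEN = struct.calcsize(CFHEADER_FMT)


def check_cab_header(data: bytes):
    """Return (ok, reason); ok is False when the header should be rejected."""
    if len(data) < CFHEADER_LEN:
        return False, "truncated header"
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     c_folders, c_files, _flags, _set_id, _icab) = struct.unpack(
        CFHEADER_FMT, data[:CFHEADER_LEN])
    if sig != b"MSCF":
        return False, "bad signature"
    # coffFiles is the absolute offset of the first CFFILE entry. A safe
    # parser never seeks to it until it is known to lie inside the header's
    # own declared size and inside the bytes actually present; an
    # untrusted value far beyond either is exactly the malformed input
    # described above and must be rejected rather than used as an offset.
    if coff_files < CFHEADER_LEN:
        return False, "coffFiles points into the header"
    if coff_files > cb_cabinet:
        return False, "coffFiles exceeds declared cabinet size"
    if coff_files > len(data):
        return False, "coffFiles exceeds available data"
    if c_files == 0 or c_folders == 0:
        return False, "no files or folders declared"
    return True, "ok"


def make_header(cb_cabinet: int, coff_files: int) -> bytes:
    """Constructed CFHEADER for testing only (not a complete cabinet)."""
    return struct.pack(CFHEADER_FMT, b"MSCF", 0, cb_cabinet, 0, coff_files,
                       0, 3, 1, 1, 1, 0, 0, 0)


# Constructed samples: a well-formed header and one with an out-of-range
# coffFiles value, each padded to the declared cabinet size of 200 bytes.
GOOD = make_header(200, 44) + b"\0" * (200 - CFHEADER_LEN)
BAD = make_header(200, 0xFFFFFFF0) + b"\0" * (200 - CFHEADER_LEN)

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, check_cab_header(sample))
```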

Affected Products

CA Anti-Virus for the Enterprise (eTrust Antivirus) r8
CA Anti-Virus for the Enterprise (eTrust Antivirus) r8.1
CA Anti-Virus 2007 (v8)
CA Anti-Virus SDK (eTrust Anti-Virus SDK)
CA Common Services
CA eTrust EZ Antivirus r7
CA eTrust EZ Antivirus r6.1
CA eTrust Internet Security Suite r1
CA eTrust Internet Security Suite r2
CA eTrust EZ Armor r1
CA eTrust EZ Armor r2
CA eTrust EZ Armor r3.x
CA Threat Manager for the Enterprise (eTrust Integrated Threat Management) r8
CA Protection Suites r2
CA Protection Suites r3
CA Internet Security Suite 2007 (v3)
CA Secure Content Manager (eTrust Secure Content Manager) 8.0
CA Anti-Virus Gateway (eTrust Antivirus Gateway) 7.1
CA Unicenter Network and Systems Management (NSM) r3.0
CA Unicenter Network and Systems Management (NSM) r3.1
CA Unicenter Network and Systems Management (NSM) r11
CA Unicenter Network and Systems Management (NSM) r11.1
CA BrightStor ARCserve Backup r11.5
CA BrightStor ARCserve Backup r11.1
CA BrightStor ARCserve Backup r11 for Windows
CA BrightStor Enterprise Backup r10.5
CA BrightStor ARCserve Backup 9.01

Impact

System compromise: Remote code execution.
Denial of service

Recommended Actions

Apply patch version 30.6, available from the vendor's web site:
http://supportconnect.ca.com/

CVE References

CVE-2007-2864