ISSalert: ISS Security Advisory: Multiple vulnerabilities in

From: aleph1at_private
Date: Mon Jan 25 1999 - 14:20:37 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    ISS Security Advisory
    January 25, 1999
    
    Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32)
    enterprise management software
    
    
    Synopsis:
    
    Internet Security Systems (ISS) X-Force discovered three vulnerabilities
    in the Computer Associates ControlIT enterprise management software
    package. ControlIT contains vulnerabilities that allow an attacker with
    local access to a network or machine on which ControlIT operates to
    obtain username and password information or reboot machines without
    authorization.
    
    ControlIT is a remote management application that allows users to have
    full remote control over machines running Microsoft Windows. ControlIT is
    often used in educational laboratory environments and large corporate
    production environments.
    
    Affected versions:
    
    ISS X-Force has confirmed that these vulnerabilities exist in ControlIT
    version 4.5. Earlier versions of ControlIT (under the name of Remotely
    Possible/32) are also vulnerable.
    
    The 'About ControlIT' item under the Window menu of ControlIT displays
    version information.
    
    
    Description:
    
    Password encryption vulnerability: ControlIT does not effectively encrypt
    the username or password transmission between a client and a server on a
    network. Analysis of an encrypted password captured from a local network
    shows that ControlIT uses a weak cryptographic process to obscure the
    password transmitted over the network. Though the exact mathematical
    transform is not known, a substitution table suffices to decrypt any
    ControlIT password. Since ControlIT supports Windows NT native security,
    an attacker could obtain user or administrator passwords to Windows NT
    machines via this vulnerability.
    
    Reboot vulnerability: ControlIT allows remote users to reboot the remote
    machine or to force the current user of the remote machine to log out. A
    user must be authenticated to operate this mechanism directly. A separate
    option, configurable by the local user, initiates a reboot or a logout of
    the current user once the remote session disconnects. This option triggers
    regardless of authentication: anybody who can reach the service can
    connect and disconnect without authenticating, which starts the
    reboot/logout timer whenever the local user has enabled the option.
    
    Access to the address book file: The ControlIT address book function
    allows ControlIT users to store frequently used usernames and passwords
    in a file. The passwords in this file are encrypted using the same weak
    mechanism employed during remote connections. Under Windows NT, this file
    has permissions of Everyone:Read, meaning any local user can read the file
    and decrypt passwords.
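    The two weak-encryption findings above (the login transmitted over the
    network and the address book file) rest on the same observation: the
    exact transform need not be known, because a substitution table built
    from an attacker's own logins reverses any capture. The following added
    example (not ISS's or Computer Associates' code; ControlIT's real
    algorithm is not public and `toy_obscure` is a constructed stand-in that
    only reproduces the reported property of a fixed, keyless byte
    substitution) shows how that table is built with a test account and then
    applied to both a sniffed login and an address-book entry. It assumes one
    ciphertext byte per plaintext character and probes up to a 16-character
    password; both are assumptions, not facts from the advisory.

```python
"""Recovering a weakly "encrypted" password with a substitution table.

Constructed example. `toy_obscure` is a stand-in for ControlIT's undocumented
transform, NOT the real algorithm. It reproduces the property the advisory
reports: a fixed byte-for-byte substitution with no per-session key, so a
lookup table built from an attacker's own logins reverses any capture.
Assumption: one ciphertext byte is emitted per plaintext character.
"""
import random
import string

CHARSET = string.ascii_letters + string.digits + string.punctuation
MAX_LEN = 16  # longest password position we probe (assumption)

# --- hypothetical vendor side -------------------------------------------
# A secret permutation of the byte values, fixed in the product. The
# attacker never sees it and must rebuild it from observed traffic.
_rng = random.Random(799)  # seeded so the example is repeatable
_PERM = list(range(256))
_rng.shuffle(_PERM)


def toy_obscure(secret: str) -> bytes:
    """Stand-in for the product's position-independent byte substitution."""
    return bytes(_PERM[b] for b in secret.encode("latin-1"))


# --- attacker side -------------------------------------------------------
def build_tables(oracle, charset=CHARSET, max_len=MAX_LEN):
    """Return per-position maps {ciphertext_byte: plaintext_char}.

    `oracle(pw)` yields the bytes seen on the wire when the attacker logs in
    to a test account with password `pw`. Login k puts charset[(p + k) % n]
    at position p, so n logins cover every (position, character) pair. The
    method works even if the transform depends on position; when it does
    not, every per-position map comes out identical.
    """
    n = len(charset)
    tables = [dict() for _ in range(max_len)]
    for k in range(n):
        pw = "".join(charset[(p + k) % n] for p in range(max_len))
        ct = oracle(pw)
        if len(ct) != len(pw):
            raise ValueError("transform is not one byte per character")
        for p, (ch, cb) in enumerate(zip(pw, ct)):
            prev = tables[p].setdefault(cb, ch)
            if prev != ch:
                raise ValueError("not a substitution: byte %r maps to %r and %r"
                                 % (cb, prev, ch))
    return tables


def position_independent(tables) -> bool:
    """True when a single table suffices (what the advisory observed)."""
    return all(t == tables[0] for t in tables)


def decrypt(capture: bytes, tables) -> str:
    """Invert a captured password; '?' marks bytes never seen in probing."""
    out = []
    for p, cb in enumerate(capture):
        # Beyond the probed length, assume the tail behaves like the last
        # probed position (exact for a position-independent transform).
        table = tables[p] if p < len(tables) else tables[-1]
        out.append(table.get(cb, "?"))
    return "".join(out)


def recover(capture: bytes, oracle=toy_obscure) -> str:
    """Full attack: probe the oracle once, then decode the capture."""
    return decrypt(capture, build_tables(oracle))


if __name__ == "__main__":
    tables = build_tables(toy_obscure)
    print("single table suffices:", position_independent(tables))
    # Constructed captures: one sniffed login, one address-book entry. Both
    # decode with the same table because both use the same transform.
    sniffed = toy_obscure("Tr0ub4dor!")
    addrbook = toy_obscure("Adm1n-pass")
    print("wire    :", sniffed.hex(), "->", decrypt(sniffed, tables))
    print("addrbook:", addrbook.hex(), "->", decrypt(addrbook, tables))
```

    The `position_independent` check is the practitioner's first question
    when meeting an unknown "encryption" like this: if it holds, a single
    table recovered from one test account decodes every other user's
    password, which is exactly the situation the advisory describes; if it
    fails, the per-position tables still apply as long as there is no
    per-session key.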
    
    Recommendations:
    
    CA suggests that customers address the weak encryption problem by adding
    CryptIT(tm) software to ControlIT installations since no patch to
    ControlIT exists that repairs the weak encryption problem. See Computer
    Associates' reply to ISS below for more information.
    
    A patch exists for the Reboot Vulnerability, although a specific URL to
    the patch is not available. This patch, #TF73073, can be obtained through
    Computer Associates support at http://www.cai.com or 1-800-DIALCAI.
    
    A patch exists for the address book vulnerability, which disables
    password storage in the ControlIT address book. Contact Computer
    Associates support at the above URL or phone number to obtain this patch.
    
    Restrict ControlIT access to local networks by blocking TCP port 799 at
    the network perimeter with packet filters or firewalls.
    
    
    Vendor Response:
    
    Computer Associates responded to ISS with the following reply:
    
    Synopsis.
    Computer Associates is dedicated to ensuring its products address its
    customers' needs, including the delivery of robust and secure remote
    control solutions.  The following information is provided to ISS in
    response to its advisory entitled "Multiple vulnerabilities in ControlIT
    (formerly Remotely Possible/32) enterprise management software" and dated
    December 2, 1998. As explained below, Computer Associates' remote control
    solutions address all three points raised in the subject ISS advisory.
    
    Password Encryption.
    For Remotely Possible and ControlIT users requiring enhanced encryption,
    Computer Associates provides an end-to-end encryption product called
    CryptIT. CryptIT is an advanced encryption solution that does not involve
    key management and is easy to deploy. CryptIT is transparent and
    automatically discovers CryptIT at the other end and provides strong
    encryption with DES3 and DES encryption. CryptIT with Remotely Possible or
    ControlIT ensures that all network session data is completely private and
    secure.
    
    Remotely Possible and ControlIT offer "built-in" security in addition to
    NT local and Domain security. For customers concerned that the NT
    administrator passwords can be sniffed, the "built-in" security model
    should be used as the NT usernames/passwords are not required.
    
    Reboot Vulnerability.
    Remotely Possible 4.0 and ControlIT 4.5 allow the user to enable or
    disable the "reboot on disconnect" option.  By default, the product does
    not reboot on disconnect.
    
    If the 'reboot on disconnect' is enabled, the machine will reboot if an
    invalid username or password is provided. This feature was requested by
    Computer Associates' customers who wanted to ensure that intruders could
    not easily access a machine.
    
    A patch, which can be optionally installed, will be available for those
    customers who prefer to disable the machine reboot option in cases of an
    invalid username or password.
    
    Address Book Passwords.
    Computer Associates offers a patch for Remotely Possible 4.0 that removes
    password storage in the address book.  The user must type in the password.
    
    ControlIT users are not required to enter the password in the address
    books. If they choose to, ControlIT stores the passwords in encrypted
    form. Computer Associates also offers a patch for ControlIT 4.5 that
    removes password storage in the address book and requires the user to
    type in the password. As usernames are typically a common ASCII string, it
    would be easier for an attacker to determine the encryption algorithm and
    hence determine the password if the usernames were encrypted. Therefore,
    the username is not encrypted.
    
    
    Patch information:
    
    Contact Computer Associates support at http://www.cai.com or
    1-800-DIALCAI to obtain patches.
    
    
    Additional Information:
    
    ISS Internet Scanner risk assessment software and ISS RealSecure
    real-time intrusion detection software have the capability to detect
    these vulnerabilities.
    
    The 'Data Encryption' option offered by ControlIT does not encrypt the
    login/password packets in any way. Enabling it does not mitigate these
    vulnerabilities.
    
    __________
    
    Copyright (c) 1999 by Internet Security Systems, Inc.
    
    Permission is hereby granted for the redistribution of this alert
    electronically.  It is not to be edited in any way without express
    consent of X-Force.  If you wish to reprint the whole or any part of this
    alert in any other medium excluding electronic medium, please e-mail
    xforceat_private for permission.
    
    Disclaimer:
    
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There
    are NO warranties with regard to this information. In no event shall the
    author be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this information. Any use of this
    information is at the user's own risk.
    
    X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
    as well as on MIT's PGP key server and PGP.com's key server.
    
    X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
    
    Please send suggestions, updates, and comments to:
    X-Force <xforceat_private> of Internet Security Systems, Inc.
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3a
    Charset: noconv
    
    iQCVAwUBNqy38jRfJiV99eG9AQF61wP6Akf0l/7dWJDnRqaZ3L+9Jyfo3CR5Ozwy
    tmD9XXC+86bq9+8BeoWGUWS3sV8yxWfIcZ3IfypY4GKlwIF0lOnUqbkqCSyT5d0I
    Xa3sSi8OZUaavvkFKwbM8K8RRE7dewCh2DmUl34bOHylMfBL5jEj5DTklqmQEhXA
    UsOiEUbBrDg=
    =S1PK
    -----END PGP SIGNATURE-----
    