SECURITYVULNS:DOC:12551
May 05, 2006 - 12:00 a.m.

[Full-disclosure] CAID 34013 - CA Common Services CAIRIM on z/OS LMP SVC vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: CAID 34013 - CA Common Services CAIRIM on z/OS LMP SVC
vulnerability

CA Vulnerability ID: 34013

CA Advisory Date: 2006-05-02

Discovered By: IBM Global Services

Impact: Local attacker can gain escalated privileges.

Summary:
A potential vulnerability issue exists in our CAIRIM LMP
solution for z/OS. CAIRIM is delivered as part of CA's z/OS Common
Services, and the LMP component provides licensing services to
many of CA's z/OS solutions. IBM Global Services discovered an
integrity problem, which could be exploited by an expert user of a
z/OS system that utilizes CA's CAIRIM LMP component. We worked
with IBM Global Services to understand the nature of the problem
and to make certain that the remedy we have now provided addresses
the problem completely.

CA has confirmed the presence of this vulnerability and has
developed a corrective update that provides comprehensive
protection for our customers. Additional Quality Assurance testing
has been completed and an official published solution has been
made available as of 2006-05-02.

The vulnerability is an integrity exposure associated with the way
the CAIRIM LMP SVC operates in conjunction with the legitimate SVC
invoking code. An attacker can potentially utilize a problem state
program to take advantage of this integrity exposure and obtain
supervisor state, key 0. Once the attacker achieves supervisor
state, key 0, he could possibly then update any system memory
areas he chooses. An attacker can use a carefully crafted program
in supervisor state to potentially compromise system security
settings and gain unauthorized access to other system related
resources. Although recently discovered, this exposure has been
present in the CAIRIM LMP code since its inception.

Mitigating Factors: Attacker must have (access to) an account on
the system. Also, target system must be running CAIRIM LMP on a
z/OS platform.

Severity: CA has given this vulnerability a Medium risk rating.

Affected Technologies: The LMP subcomponent of the CAIRIM v1.0
component in CA Common Services.

Affected Products (CA z/OS Solutions that use CAIRIM LMP):

CA-11-MVS
CA-1-MVS
CA-24 X 7 FOR DB2 FOR MVS
CA-7/REPORT BALANCING-MVS
CA-7/SMART CONSOLE-MVS
CA-7-MVS
CA-ACF2-MVS
CA-ADS/ONLINE-MVS
CA-ADVANCED DATA COMPRESSION
CA-ADVANTAGE EDBC CLIENT
CA-ALLOCATE
CA-APAS/INSIGHT FOR MVS
CA-APCDDS-MVS
CA-ASM2-MVS
CA-ASTEX
CA-AUTOMATED CONVERSATION LANG
CA-BATCH PROCESSOR
CA-BIND ANALYZER
CA-BUNDL
CA-CA-NETMASTER
CA-CICSORT-MVS
CA-COBOLVISION/ANALYZER-MVS
CA-COMPILE
CA-COOL:GEN
CA-CORP TIE UNATTENDED MODE
CA-CORPORATE TIE
CA-CREWS FOR MVS
CA-CULPRIT
CA-DADS/PLUS-MVS
CA-DATA BASE
CA-DATA COMPRESSOR
CA-DATA NAVIGATOR
CA-DATA REFLECTOR FOR DB2
CA-DATACOM
CA-DATAMACS-MVS
CA-DATAQUERY-MVS
CA-DB ANALYZER FOR IMS
CA-DB COMPRESS FOR IMS
CA-DC MONITOR EXTENSIONS
CA-DELIVER
CA-DETECTOR
CA-DISK FOR OS/390
CA-DISPATCH-MVS
CA-DL1 ONLINE FOR IMS
CA-DUO-MVS
CA-DYNAM/TLMS-MVS
CA-EARL
CA-EASYTRIEVE PLUS
CA-EDBC
CA-EDP/AUDITOR-MVS
CA-ENDEVOR/MVS
CA-EXAMINE-MVS
CA-EXECUTION FACILITY
CA-EXTEND/DASD MVS
CA-EZTEST/CICS-MVS
CA-FAST
CA-FASTDASD
CA-FAVER FOR MVS
CA-FILE MASTER
CA-FILESAVE-MVS
CA-FIX/2000 FOR COBOL MVS
CA-GOVERNOR FACILITY
CA-HIGH PERFORMANCE
CA-HYPER-BUF FOR MVS
CA-ICMS-MVS
CA-IDEAL
CA-IDMS-MVS
CA-IMPACT/2000
CA-INDEX EXPERT
CA-INFO/MASTER
CA-INFOREFINER
CA-INFOTRANSPORT
CA-INSIGHT FOR DB2
CA-INTERTEST-MVS
CA-INVENTORY/2000 MVS
CA-JARS-MVS
CA-JCLCHECK-MVS
CA-JOBLOG MANAGEMENT & RETRIEV
CA-JOBTRAC
CA-LIBRARIAN
CA-LIBRARY OF ROUTINES
CA-LOG ANALYZER
CA-LOG COMPRESS
CA-LOOK
CA-LPD INTERFACE
CA-MAILBOX OPTION
CA-MASTERCAT MVS
CA-MAZDAMON-MVS
CA-MERGE/MODIFY
CA-MICS
CA-MINDOVER-MVS
CA-MULTI-IMAGE MANAGE MVS
CA-NETMAN-MVS
CA-NETMASTER
CA-NETSPY NETWORK PERFORMANCE
CA-NETWORKIT SOCKETVIEW
CA-NEUPERFORMANCE ADVISOR
CA-N-VISION VIEW OPTION
CA-OBJECT
CA-ONLINE QUERY-MVS
CA-ONLINEREORG
CA-OPERA-MVS
CA-OPS\MVS
CA-OPTIMIZER
CA-PACKAGE/IT
CA-PAN/APT
CA-PAN/LCM-CONFIG-MGR-MVS
CA-PAN/MERGE
CA-PAN/SQL (RDBII) FOR MVS
CA-PANAUDIT PLUS
CA-PANEXEC
CA-PANVALET
CA-PARTITION EXPERT
CA-PASS-THRU PRINTER SUPPORT
CA-PDSMAN
CA-PLAN ANALYZER
CA-PLATINUM REPOSITORY
CA-PLEU FOR MVS
CA-PMA/CHARGEBACK-MVS
CA-POINTER EDITOR FOR IMS
CA-PPS FOR XEROX
CA-PREVAIL/XP
CA-PROAUDIT-MVS
CA-PROBUILD-MVS
CA-PROEDIT/DB2-MVS
CA-PROGRAM MANAGEMENT OPTIMIZE
CA-PROOPTIMIZE
CA-PROSECURE-MVS
CA-QUERY ANALYZER
CA-QUICK COPY
CA-QUICK-FETCH MVS
CA-QUIKSERV FOR VSAM
CA-RAMIS MVS
CA-RANDOMIZER ANALYSIS PROGRAM
CA-RAPID REORG
CA-RAPS-MVS
CA-RC
CA-REALIA II
CA-RECOVERY ANALYZER
CA-REMOTE CONSOLE
CA-REPORT FACILITY
CA-REPOSITORY
CA-RI
CA-ROSCOE-MVS
CA-RSVP
CA-SCHEDULER-MVS
CA-SECONDARY INDEX
CA-SHAREOPTION/5-MVS
CA-SOLVE EPS-SPOOL CONVER CODE
CA-SOLVE:ACCESS
CA-SOLVE:CPT
CA-SOLVE:FTS
CA-SOLVE:LINK FOR DB2 (EDBS)
CA-SOLVE:NETMAIL
CA-SOLVE:OPERATIONS
CA-SOLVE:X.25
CA-SORT-MVS
CA-SPACEMAN FOR MVS
CA-SPOOL
CA-SQL EASE
CA-SRAM-MVS
CA-SUBSYSTEM ANALYZER
CA-SYMDUMP
CA-SYSLOG MANAGEMENT & RETRIEV
CA-SYSVIEW/E
CA-TCPACCESS
CA-TELEVIEW
CA-TELON
CA-TESTCOVERAGE/2000
CA-THREAD TERMINATOR
CA-TOP SECRET
CA-TPX
CA-TRANSPORT AGENT FOR MVS
CA-TSO/MON W/ONLINE FACILITY
CA-UNICENTER MANAGEMENT for WEBSPHERE MQ for z/OS
CA-UNICENTER TNG AGENT FOR DB2
CA-UNICENTER TNG AGENT-OS/390
CA-UNICENTER TNG CA-IDMS AGENT
CA-UNICENTER TNG CICS AGENT
CA-UNICENTER TNG MQ SERIES
CA-UNICN TNG OS/390 UNIX AGENT
CA-UNICTR NSM SY MNTR Z/OS&OS/390
CA-UNICTR PREFX RES-IMS/ZOS/S3
CA-VANTAGE
CA-VERIFY-MVS
CA-VIEW
CA-VISION
CA-VISUAL EXPRESS
CA-VMAN-MVS
CA-VSAMAID FOR MVS
CA-VTAPE VIRTUAL TAPE SYSTEM
CA-VTX
CA-XCOM FOR MVS

Affected platforms:
z/OS

Status and Recommendation:
Customers are advised to apply PTF QO78541 as soon as possible to
ensure that computing environments are properly protected.
(note that URLs in this advisory may wrap)
PTF QO78541:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO78541

Prerequisite Maintenance - Before applying the corrective patch
for this vulnerability, the following CAIRIM PTF maintenance must
already be applied:
QO66290
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO66290
QO66300
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO66300
QO75220
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO75220

Determining if you are affected:

You can verify the existence of CAIRIM LMP on your system by using
the IPCS Findmod (FMOD) command to examine storage in your z/OS
LPA:

  1. Access IPCS from within TSO/ISPF
  2. Issue the following IPCS commands:
    SETDEF ACTIVE
    FMOD CAIRIMC

If a valid address for CAIRIMC is displayed, then CAIRIM LMP has
been installed on the system. If CAIRIMC is present the display
will be comparable to:

BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F4C040 40404040
40404040 40404040 40404040 404040' is not valid - no
definition stored
BLS18016I AMODE(31) entry point CAIRIMC is at 0D5EB000
CAIRIMC
LIST 0D5EB000. ASID(X'0001') LENGTH(X'21A0') MODULE(Cairimc)

Note that the address 0D5EB000 is given for CAIRIMC, meaning that
CAIRIM LMP is installed.

If CAIRIM LMP is not installed, the FMOD CAIRIMC display will be
similar to this:

BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F4C040 40404040
40404040 40404040 40404040 404040' is not valid - no
definition stored
BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F3C040 40404040
40404040 40404040 40404040 404040' is not valid - no
definition stored
BLS18104I Symbol LPDECAIRIMC not found
BLS18015I Entry point CAIRIMC not found

In this case note the "not found" clause.
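
The same check can be applied to FMOD displays captured from several
systems. This is an added example in Python, not part of CA's advisory:
the two sample displays are the ones quoted above (the second abridged),
while the LPAR names and the truncated capture are constructed.

```python
import re

# Displays quoted in the advisory, wrapping kept; ABSENT is abridged to its last messages.
PRESENT = """\
BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F4C040 40404040
40404040 40404040 40404040 404040' is not valid - no
definition stored
BLS18016I AMODE(31) entry point CAIRIMC is at 0D5EB000
CAIRIMC
LIST 0D5EB000. ASID(X'0001') LENGTH(X'21A0') MODULE(Cairimc)
"""
ABSENT = """\
BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F3C040 40404040
40404040 40404040 40404040 404040' is not valid - no definition stored
BLS18104I Symbol LPDECAIRIMC not found
BLS18015I Entry point CAIRIMC not found
"""
# Constructed: a capture cut off before IPCS reported the lookup result.
TRUNCATED = "BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F4C040 40404040\n"

def check_fmod(display, module="CAIRIMC"):
    """Classify one captured 'FMOD <module>' display as installed / not_installed / inconclusive."""
    flat = " ".join(display.split())  # undo line wrapping and blank lines
    mod = re.escape(module)
    found = re.search(rf"BLS18016I AMODE\((\d+)\) entry point {mod} is at ([0-9A-F]{{8}})", flat)
    missing = re.search(rf"BLS18015I Entry point {mod} not found", flat)
    if found and not missing:
        info = {"status": "installed", "amode": int(found.group(1)), "address": found.group(2)}
        # The LIST line repeats the address and adds ASID and module length (hex).
        lst = re.search(r"LIST ([0-9A-F]+)\. ASID\(X'([0-9A-F]+)'\) LENGTH\(X'([0-9A-F]+)'\)",
                        flat[found.end():])
        if lst and lst.group(1) == found.group(2):
            info.update(asid=int(lst.group(2), 16), length=int(lst.group(3), 16))
        return info
    if missing and not found:
        return {"status": "not_installed"}
    # Neither message, or both (mixed-up captures): do not guess.
    return {"status": "inconclusive"}

def triage(captures):
    """Map {lpar_name: display_text} to the systems where LMP is present or a re-run is needed."""
    status = {lpar: check_fmod(text)["status"] for lpar, text in captures.items()}
    return {"lmp_present": sorted(l for l, s in status.items() if s == "installed"),
            "recheck": sorted(l for l, s in status.items() if s == "inconclusive")}

if __name__ == "__main__":
    print(triage({"SYSA": PRESENT, "SYSB": ABSENT, "SYSC": TRUNCATED}))
```

Systems listed under lmp_present are the ones to review for PTF QO78541
and its prerequisite maintenance.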

References:
CA SupportConnect:
http://supportconnect.ca.com/
Important Security Notice for CAIRIM LMP for z/OS
http://supportconnectw.ca.com/public/ca_common_docs/cairimsecurity-notice.asp
Important Security Notice for CAIRIM LMP for z/OS Affected products
http://supportconnectw.ca.com/public/ca_common_docs/cairim-affprods.asp

CAID: 34013
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34013

Other relevant CA links:
CA Common Services for z/OS
http://supportconnectw.ca.com/public/tngfwOS390/fw390ca90.asp
PTF QO78541:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO78541
QO66290:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO66290
QO66300:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO66300
QO75220:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO75220

CVE Reference: Pending
http://cve.mitre.org/

OSVDB Reference:
OSVDB-25234 http://osvdb.org/25234

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [email protected], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [email protected], or utilize our "Submit a
Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Dir. of CA Vulnerability Research Team

CA, One Computer Associates Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://www.ca.com/caprivacy.htm
Copyright 2006 CA. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRFsr3nklkd/ilBmFEQIWpwCeN/7KOtordffvGhqxiLuKlYvimlkAn0K2
VHoDTzCMwjGZSWuSJUAjV1is
=+lgH
-----END PGP SIGNATURE-----


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/