–[ Synopsis:
CA HIPS is a Host Based Intrusion Prevention System in which managed agents are deployed on the individual hosts to be protected by the HIPS and are controlled by the centralized console.
It is possible to trigger faults in the kernel driver (kmxids.sys) used by the protection agent by sending certain malformed IP packets.
–[ Affected Software:
Tested on:
–[ Technical description:
When the CA HIPS agent processes certain malformed IP packets, it fails to handle a boundary condition during parsing and pattern matching of the packet.
It is possible to force the kernel driver (kmxids.sys), which is responsible for analyzing each inbound and outbound packet, to reference invalid/unmapped memory.
The following information is obtained during crash analysis:
CURRENT_IRQL: 2
FAULTING_IP:
kmxids+a2f4
f6b8c2f4 8a26 mov ah,byte ptr [esi]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
TRAP_FRAME: f88ca4f4 -- (.trap 0xfffffffff88ca4f4)
ErrCode = 00000000
eax=f88ca754 ebx=81f7415a ecx=00000003 edx=428c200c esi=6e96d603 edi=f6b83264
eip=f6b8c2f4 esp=f88ca568 ebp=f88ca574 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
kmxids+0xa2f4:
f6b8c2f4 8a26 mov ah,byte ptr [esi]
ds:0023:6e96d603=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 804f7b9d to 80527bdc
The issue can be used to create a Denial of Service condition on each of the hosts protected by affected versions of the CA HIPS agent; however, due to the nature of the vulnerability, remote code execution is unlikely.
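The bug class described above (an IP packet whose own length fields are trusted while the driver parses and pattern-matches it) is illustrated by the following added example, which is not code from the advisory or from CA's driver. It shows the check a packet-inspection component needs: the IHL and Total Length fields are validated against the captured length before any signature scan walks the buffer, so an inconsistent header is rejected instead of causing a read beyond the packet. The packets and the signature are constructed sample data; the function names are hypothetical.

```c
/* Added example, not CA's code: bounds-checked IPv4 parse + signature scan.
 * IHL and Total Length come from the packet and are untrusted; trusting them
 * while scanning is the boundary condition that lets a loop read past the
 * captured data (compare the faulting "mov ah,byte ptr [esi]" above). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sets payload offset/length, or returns -1 if the header's own length
 * fields are inconsistent with the number of bytes actually captured. */
static int ipv4_payload_bounds(const uint8_t *pkt, size_t caplen,
                               size_t *off, size_t *len)
{
    if (caplen < 20) return -1;                   /* minimal IPv4 header */
    if ((pkt[0] >> 4) != 4) return -1;            /* version must be 4   */
    size_t ihl   = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > caplen) return -1;      /* IHL lies            */
    if (total < ihl || total > caplen) return -1; /* Total Length lies   */
    *off = ihl;
    *len = total - ihl;
    return 0;
}

/* Searches the validated payload for a byte signature without ever reading
 * past pkt[caplen]. Returns the match offset within the packet, or -1. */
static long scan_packet(const uint8_t *pkt, size_t caplen,
                        const uint8_t *sig, size_t siglen)
{
    size_t off, len;
    if (ipv4_payload_bounds(pkt, caplen, &off, &len) != 0) return -1;
    if (siglen == 0 || len < siglen) return -1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(pkt + off + i, sig, siglen) == 0) return (long)(off + i);
    return -1;
}

/* Constructed sample: 20-byte header (IHL=5, Total Length=26) + 6-byte payload. */
static const uint8_t good_pkt[26] = {
    0x45,0x00,0x00,0x1a, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,
    'H','E','L','L','O','!' };
/* Same bytes, but Total Length claims 0xffff: far more payload than was
 * captured. An unchecked scan loop would walk off the end of the buffer. */
static const uint8_t bad_pkt[26] = {
    0x45,0x00,0xff,0xff, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,
    'H','E','L','L','O','!' };
static const uint8_t sample_sig[] = { 'L','L','O' };

static long demo_good(void) { return scan_packet(good_pkt, sizeof good_pkt, sample_sig, sizeof sample_sig); }
static long demo_bad(void)  { return scan_packet(bad_pkt,  sizeof bad_pkt,  sample_sig, sizeof sample_sig); }
```

demo_good() finds the signature at packet offset 22; demo_bad() returns -1 because the header is rejected before any scan takes place.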
–[ Impact:
–[ Vendor response:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214665
–[ CVE ID:
CVE-2009-2740
–[ Credits:
This vulnerability was discovered by iViZ Security Research Team
http://www.ivizsecurity.com
http://www.ivizsecurity.com/security-advisory-iviz-sr-09005.html