iViZ Security

Security Advisories

CA HIPS Agent Remote Kernel Vulnerability

Introduction

CA HIPS is a Host-Based Intrusion Prevention System in which managed agents are deployed on the individual hosts to be protected and are controlled from a centralized console.


It is possible to trigger faults in the kernel driver (kmxids.sys) used by the protection agent by sending certain malformed IP packets.

Technical Details

When the CA HIPS agent processes a certain malformed IP packet, it fails to handle a boundary condition during parsing and pattern matching of the packet. This can force the kernel driver (kmxids.sys), which analyzes every inbound and outbound packet, to reference invalid or unmapped memory. The following information was obtained during crash analysis:


   CURRENT_IRQL:  2

   FAULTING_IP:
   kmxids+a2f4
   f6b8c2f4 8a26            mov     ah,byte ptr [esi]

   DEFAULT_BUCKET_ID:  DRIVER_FAULT

   BUGCHECK_STR:  0xD1

   TRAP_FRAME:  f88ca4f4 -- (.trap 0xfffffffff88ca4f4)
   ErrCode = 00000000
   eax=f88ca754 ebx=81f7415a ecx=00000003 edx=428c200c esi=6e96d603 edi=f6b83264
   eip=f6b8c2f4 esp=f88ca568 ebp=f88ca574 iopl=0         nv up ei pl nz na pe nc
   cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
   kmxids+0xa2f4:
   f6b8c2f4 8a26            mov     ah,byte ptr [esi]
   ds:0023:6e96d603=??
   Resetting default scope

   LAST_CONTROL_TRANSFER:  from 804f7b9d to 80527bdc

   STACK_TEXT:
   f88ca0a8 804f7b9d 00000003 f88ca404 00000000 nt!RtlpBreakWithStatusInstruction
   f88ca0f4 804f878a 00000003 6e96d603 f6b8c2f4 nt!KiBugCheckDebugBreak+0x19
   f88ca4d4 80540683 0000000a 6e96d603 00000002 nt!KeBugCheck2+0x574
   f88ca4d4 f6b8c2f4 0000000a 6e96d603 00000002 nt!KiTrap0E+0x233
   WARNING: Stack unwind information not available. Following frames may be wrong.
   f88ca574 f6b832e1 6e96d603 f6b83264 00000003 kmxids+0xa2f4
   00000000 00000000 00000000 00000000 00000000 kmxids+0x12e1

The issue can be used to create a Denial of Service condition on each of the hosts protected by affected versions of the CA HIPS agent; however, due to the nature of the vulnerability, remote code execution is unlikely.
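As an added example (not part of the original advisory or iViZ's tooling), the following Python parses the crash-analysis output quoted above and pulls out the fields a responder uses to attribute the fault to the third-party driver rather than the kernel: the bugcheck code, the IRQL, the faulting module and offset, the unmapped address, and the first stack frame outside nt!. The `triage` function and the small bugcheck-name table are this example's own.

```python
import re

# Crash-analysis output quoted in the advisory (page data, not constructed).
CRASH_DUMP = """\
CURRENT_IRQL:  2

FAULTING_IP:
kmxids+a2f4
f6b8c2f4 8a26            mov     ah,byte ptr [esi]

BUGCHECK_STR:  0xD1

eax=f88ca754 ebx=81f7415a ecx=00000003 edx=428c200c esi=6e96d603 edi=f6b83264
kmxids+0xa2f4:
f6b8c2f4 8a26            mov     ah,byte ptr [esi]
ds:0023:6e96d603=??

STACK_TEXT:
f88ca0a8 804f7b9d 00000003 f88ca404 00000000 nt!RtlpBreakWithStatusInstruction
f88ca0f4 804f878a 00000003 6e96d603 f6b8c2f4 nt!KiBugCheckDebugBreak+0x19
f88ca4d4 80540683 0000000a 6e96d603 00000002 nt!KeBugCheck2+0x574
f88ca4d4 f6b8c2f4 0000000a 6e96d603 00000002 nt!KiTrap0E+0x233
f88ca574 f6b832e1 6e96d603 f6b83264 00000003 kmxids+0xa2f4
00000000 00000000 00000000 00000000 00000000 kmxids+0x12e1
"""

# Names for the bugcheck codes this triage knows; 0xD1 is the one in the dump.
BUGCHECK_NAMES = {0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL", 0x0A: "IRQL_NOT_LESS_OR_EQUAL"}

# A STACK_TEXT frame: ChildEBP, RetAddr, three Args-to-Child, then the symbol.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$", re.M)

def triage(dump):
    """Pull out the fields needed to attribute a 0xD1 crash to a driver."""
    irql = int(re.search(r"CURRENT_IRQL:\s+(\d+)", dump).group(1))
    code = int(re.search(r"BUGCHECK_STR:\s+0x([0-9A-Fa-f]+)", dump).group(1), 16)
    module, _, offset = re.search(r"FAULTING_IP:\s+(\S+)", dump).group(1).partition("+")
    bad = re.search(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=\?\?", dump)  # "=??" means unmapped
    frames = FRAME_RE.findall(dump)
    # The first frame that is not inside the kernel image (nt!) is the module to blame.
    culprit = next((f for f in frames if not f.startswith("nt!")), None)
    return {
        "irql": irql,                      # 2 == DISPATCH_LEVEL: page faults are fatal
        "bugcheck": BUGCHECK_NAMES.get(code, hex(code)),
        "module": module,
        "offset": int(offset, 16),
        "invalid_address": int(bad.group(1), 16) if bad else None,
        "culprit_frame": culprit,
    }
```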

Affected Software

CA HIPS r8.1 (possibly older versions too)

The issue is fixed in CA HIPS 8.1 CF1

Impact

  • Denial of Service
  • Remote Code Execution is unlikely

Vendor Response

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214665

CVE

CVE-2009-2740

Credits

This vulnerability was discovered by iViZ Security Research Team.
