Title: CAID 34013 - CA Common Services CAIRIM on z/OS LMP SVC vulnerability

CA Vulnerability ID: 34013

CA Advisory Date: 2006-05-02

Discovered By: IBM Global Services

Impact: Local attacker can gain escalated privileges.

Summary: A potential vulnerability issue exists in our CAIRIM LMP solution for z/OS. CAIRIM is delivered as part of CA's z/OS Common Services, and the LMP component provides licensing services to many of CA's z/OS solutions. IBM Global Services discovered an integrity problem, which could be exploited by an expert user of a z/OS system that utilizes CA's CAIRIM LMP component. We worked with IBM Global Services to understand the nature of the problem and to make certain that the remedy we have now provided addresses the problem completely. CA has confirmed the presence of this vulnerability and has developed a corrective update that provides comprehensive protection for our customers. Additional Quality Assurance testing has been completed and an official published solution has been made available as of 2006-05-02.

The vulnerability is an integrity exposure associated with the way the CAIRIM LMP SVC operates in conjunction with the legitimate SVC invoking code. An attacker can potentially utilize a problem state program to take advantage of this integrity exposure and obtain supervisor state, key 0. Once the attacker achieves supervisor state, key 0, he could possibly then update any system memory areas he chooses. An attacker can use a carefully crafted program in supervisor state to potentially compromise system security settings and gain unauthorized access to other system related resources. Although recently discovered, this exposure has been present in the CAIRIM LMP code since its inception.

Mitigating Factors: Attacker must have (access to) an account on the system. Also, target system must be running CAIRIM LMP on a z/OS platform.

Severity: CA has given this vulnerability a Medium risk rating.

Affected Technologies: The LMP subcomponent of the CAIRIM v1.0 component in CA Common Services.

Affected Products (CA z/OS Solutions that use CAIRIM LMP):

CA-11-MVS CA-1-MVS CA-24 X 7 FOR DB2 FOR MVS CA-7/REPORT BALANCING-MVS CA-7/SMART CONSOLE-MVS CA-7-MVS CA-ACF2-MVS CA-ADS/ONLINE-MVS CA-ADVANCED DATA COMPRESSION CA-ADVANTAGE EDBC CLIENT CA-ALLOCATE CA-APAS/INSIGHT FOR MVS CA-APCDDS-MVS CA-ASM2-MVS CA-ASTEX CA-AUTOMATED CONVERSATION LANG CA-BATCH PROCESSOR CA-BIND ANALYZER CA-BUNDL CA-CA-NETMASTER CA-CICSORT-MVS CA-COBOLVISION/ANALYZER-MVS CA-COMPILE CA-COOL:GEN CA-CORP TIE UNATTENDED MODE CA-CORPORATE TIE CA-CREWS FOR MVS CA-CULPRIT CA-DADS/PLUS-MVS CA-DATA BASE CA-DATA COMPRESSOR CA-DATA NAVIGATOR CA-DATA REFLECTOR FOR DB2 CA-DATACOM CA-DATAMACS-MVS CA-DATAQUERY-MVS CA-DB ANALYZER FOR IMS CA-DB COMPRESS FOR IMS CA-DC MONITOR EXTENSIONS CA-DELIVER CA-DETECTOR CA-DISK FOR OS/390 CA-DISPATCH-MVS CA-DL1 ONLINE FOR IMS CA-DUO-MVS CA-DYNAM/TLMS-MVS CA-EARL CA-EASYTRIEVE PLUS CA-EDBC CA-EDP/AUDITOR-MVS CA-ENDEVOR/MVS CA-EXAMINE-MVS CA-EXECUTION FACILITY CA-EXTEND/DASD MVS CA-EZTEST/CICS-MVS CA-FAST CA-FASTDASD CA-FAVER FOR MVS CA-FILE MASTER CA-FILESAVE-MVS CA-FIX/2000 FOR COBOL MVS CA-GOVERNOR FACILITY CA-HIGH PERFORMANCE CA-HYPER-BUF FOR MVS CA-ICMS-MVS CA-IDEAL CA-IDMS-MVS CA-IMPACT/2000 CA-INDEX EXPERT CA-INFO/MASTER CA-INFOREFINER CA-INFOTRANSPORT CA-INSIGHT FOR DB2 CA-INTERTEST-MVS CA-INVENTORY/2000 MVS CA-JARS-MVS CA-JCLCHECK-MVS CA-JOBLOG MANAGEMENT & RETRIEV CA-JOBTRAC CA-LIBRARIAN CA-LIBRARY OF ROUTINES CA-LOG ANALYZER CA-LOG COMPRESS CA-LOOK CA-LPD INTERFACE CA-MAILBOX OPTION CA-MASTERCAT MVS CA-MAZDAMON-MVS CA-MERGE/MODIFY CA-MICS CA-MINDOVER-MVS CA-MULTI-IMAGE MANAGE MVS CA-NETMAN-MVS CA-NETMASTER CA-NETSPY NETWORK PERFORMANCE CA-NETWORKIT SOCKETVIEW CA-NEUPERFORMANCE ADVISOR CA-N-VISION VIEW OPTION CA-OBJECT CA-ONLINE QUERY-MVS CA-ONLINEREORG CA-OPERA-MVS CA-OPS\MVS CA-OPTIMIZER CA-PACKAGE/IT CA-PAN/APT CA-PAN/LCM-CONFIG-MGR-MVS CA-PAN/MERGE CA-PAN/SQL (RDBII) FOR MVS CA-PANAUDIT PLUS CA-PANEXEC CA-PANVALET CA-PARTITION EXPERT CA-PASS-THRU PRINTER SUPPORT CA-PDSMAN CA-PLAN ANALYZER CA-PLATINUM REPOSITORY CA-PLEU FOR MVS CA-PMA/CHARGEBACK-MVS CA-POINTER EDITOR FOR IMS CA-PPS FOR XEROX CA-PREVAIL/XP CA-PROAUDIT-MVS CA-PROBUILD-MVS CA-PROEDIT/DB2-MVS CA-PROGRAM MANAGEMENT OPTIMIZE CA-PROOPTIMIZE CA-PROSECURE-MVS CA-QUERY ANALYZER CA-QUICK COPY CA-QUICK-FETCH MVS CA-QUIKSERV FOR VSAM CA-RAMIS MVS CA-RANDOMIZER ANALYSIS PROGRAM CA-RAPID REORG CA-RAPS-MVS CA-RC CA-REALIA II CA-RECOVERY ANALYZER CA-REMOTE CONSOLE CA-REPORT FACILITY CA-REPOSITORY CA-RI CA-ROSCOE-MVS CA-RSVP CA-SCHEDULER-MVS CA-SECONDARY INDEX CA-SHAREOPTION/5-MVS CA-SOLVE EPS-SPOOL CONVER CODE CA-SOLVE:ACCESS CA-SOLVE:CPT CA-SOLVE:FTS CA-SOLVE:LINK FOR DB2 (EDBS) CA-SOLVE:NETMAIL CA-SOLVE:OPERATIONS CA-SOLVE:X.25 CA-SORT-MVS CA-SPACEMAN FOR MVS CA-SPOOL CA-SQL EASE CA-SRAM-MVS CA-SUBSYSTEM ANALYZER CA-SYMDUMP CA-SYSLOG MANAGEMENT & RETRIEV CA-SYSVIEW/E CA-TCPACCESS CA-TELEVIEW CA-TELON CA-TESTCOVERAGE/2000 CA-THREAD TERMINATOR CA-TOP SECRET CA-TPX CA-TRANSPORT AGENT FOR MVS CA-TSO/MON W/ONLINE FACILITY CA-UNICENTER MANAGEMENT for WEBSPHERE MQ for z/OS CA-UNICENTER TNG AGENT FOR DB2 CA-UNICENTER TNG AGENT-OS/390 CA-UNICENTER TNG CA-IDMS AGENT CA-UNICENTER TNG CICS AGENT CA-UNICENTER TNG MQ SERIES CA-UNICN TNG OS/390 UNIX AGENT CA-UNICTR NSM SY MNTR Z/OS&OS/390 CA-UNICTR PREFX RES-IMS/ZOS/S3 CA-VANTAGE CA-VERIFY-MVS CA-VIEW CA-VISION CA-VISUAL EXPRESS CA-VMAN-MVS CA-VSAMAID FOR MVS CA-VTAPE VIRTUAL TAPE SYSTEM CA-VTX CA-XCOM FOR MVS

Affected platforms: z/OS

Status and Recommendation: Customers are advised to apply PTF QO78541 as soon as possible to ensure that computing environments are properly protected.

PTF QO78541:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO78541

Prerequisite Maintenance - Before applying the corrective patch for this vulnerability, the following CAIRIM PTF maintenance must already be applied:

QO66290
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO66290

QO66300
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO66300

QO75220
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO75220

Determining if you are affected: You can verify the existence of CAIRIM LMP on your system by using the IPCS Findmod (FMOD) command to examine storage in your z/OS LPA:

1. Access IPCS from within TSO/ISPF
2. Issue the following IPCS commands:

    SETDEF ACTIVE
    FMOD CAIRIMC

If a valid address for CAIRIMC is displayed, then CAIRIM LMP has been installed on the system. If CAIRIMC is present the display will be comparable to:

    BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F4C040 40404040 40404040 40404040 40404040 404040' is not valid - no definition stored
    BLS18016I AMODE(31) entry point CAIRIMC is at 0D5EB000
    CAIRIMC LIST 0D5EB000. ASID(X'0001') LENGTH(X'21A0') MODULE(Cairimc)

Note the 0D5EB000 address is given for CAIRIMC meaning that CAIRIM LMP is installed.

If CAIRIM LMP is not installed, the FMOD CAIRIMC display will be similar to this:

    BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F4C040 40404040 40404040 40404040 40404040 404040' is not valid - no definition stored
    BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F3C040 40404040 40404040 40404040 40404040 404040' is not valid - no definition stored
    BLS18104I Symbol LPDECAIRIMC not found
    BLS18015I Entry point CAIRIMC not found

In this case note the "not found" clause.
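
The check above, applied to captured FMOD displays from several LPARs and combined with the prerequisite rule, as an added example that is not part of CA's advisory. The sample displays are the advisory's own with the long BLS18462I symbol shortened; the function names and the site-supplied set of applied PTF ids are assumptions.

```python
import re

FIX_PTF = "QO78541"                              # corrective PTF named in the advisory
PREREQ_PTFS = ("QO66290", "QO66300", "QO75220")  # must be applied before the fix

# BLS18462I ("is not valid - no definition stored") appears in BOTH sample
# displays, so only BLS18016I (found) and BLS18015I (not found) are decisive.
FOUND = re.compile(r"BLS18016I AMODE\(\d+\) entry point CAIRIMC is at ([0-9A-F]{8})", re.I)
NOT_FOUND = re.compile(r"BLS18015I Entry point CAIRIMC not found", re.I)
LENGTH = re.compile(r"LENGTH\(X'([0-9A-F]+)'\)", re.I)

# Sample displays from the advisory text (BLS18462I symbol shortened to "...").
SAMPLE_FOUND = """\
BLS18462I Symbol X'C3C4C5C9 ...' is not valid - no definition stored
BLS18016I AMODE(31) entry point CAIRIMC is at 0D5EB000
CAIRIMC LIST 0D5EB000. ASID(X'0001') LENGTH(X'21A0') MODULE(Cairimc)
"""
SAMPLE_NOT_FOUND = """\
BLS18462I Symbol X'C3C4C5C9 ...' is not valid - no definition stored
BLS18104I Symbol LPDECAIRIMC not found
BLS18015I Entry point CAIRIMC not found
"""

def classify_fmod(output):
    """Return (installed, address, length); installed is None if inconclusive."""
    text = " ".join(output.split())      # collapse line wrapping in captured logs
    found, missing = FOUND.search(text), NOT_FOUND.search(text)
    if found and not missing:
        size = LENGTH.search(text)
        return True, found.group(1).upper(), int(size.group(1), 16) if size else None
    if missing and not found:
        return False, None, None
    return None, None, None              # empty, truncated or contradictory capture

def remediation_status(fmod_output, applied_ptfs):
    """Map one LPAR's FMOD display plus its applied PTF ids to a next action."""
    installed, _, _ = classify_fmod(fmod_output)
    applied = {p.strip().upper() for p in applied_ptfs}
    if installed is None:
        return "inconclusive: re-run SETDEF ACTIVE / FMOD CAIRIMC"
    if not installed:
        return "not affected: CAIRIMC not found in LPA"
    if FIX_PTF in applied:
        return "fixed: " + FIX_PTF + " recorded as applied"
    missing = [p for p in PREREQ_PTFS if p not in applied]
    if missing:
        return "affected: apply prerequisites " + ", ".join(missing) + " first"
    return "affected: ready for " + FIX_PTF

if __name__ == "__main__":
    print(remediation_status(SAMPLE_FOUND, {"QO66290", "QO75220"}))
```
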

References:

CA SupportConnect:
http://supportconnect.ca.com/

Important Security Notice for CAIRIM LMP for z/OS
http://supportconnectw.ca.com/public/ca_common_docs/cairimsecurity-notice.asp

Important Security Notice for CAIRIM LMP for z/OS Affected products
http://supportconnectw.ca.com/public/ca_common_docs/cairim-affprods.asp

CAID: 34013
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34013

Other relevant CA links:

CA Common Services for z/OS
http://supportconnectw.ca.com/public/tngfwOS390/fw390ca90.asp

PTF QO78541:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO78541

QO66290:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO66290

QO66300:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO66300

QO75220:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO75220

CVE Reference: Pending
http://cve.mitre.org/

OSVDB Reference: OSVDB-25234
http://osvdb.org/25234

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to vuln@xxxxxx, or contact me directly.

If you discover a vulnerability in CA products, please report your findings to vuln@xxxxxx, or utilize our "Submit a Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Dir. of CA Vulnerability Research Team

CA, One Computer Associates Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://www.ca.com/caprivacy.htm
Copyright 2006 CA. All rights reserved.