COMMAND

    ControlIT(tm) (formerly Remotely Possible/32)

SYSTEMS AFFECTED

    CA's ControlIT(tm) (formerly Remotely Possible/32) 4.5 and earlier

PROBLEM

    The following is based on an ISS Security Advisory.  ISS discovered
    three  vulnerabilities  in   the  Computer  Associates   ControlIT
    enterprise  management  software   package.   ControlIT   contains
    vulnerabilities  that  allow  an  attacker  with local access to a
    network or machine on which ControlIT operates to obtain  username
    and password information or reboot machines without authorization.
    ControlIT is a remote management application that allows users  to
    have full remote control over machines running Microsoft  Windows.
    ControlIT is often used in educational laboratory environments and
    large corporate production environments.

    Password encryption vulnerability:
    ==================================
    ControlIT does  not effectively  encrypt the  username or password
    transmission between a client and a server on a network.  Analysis
    of an encrypted password captured from a local network shows  that
    ControlIT  uses  a  weak  cryptographic  process  to  obscure  the
    password  transmitted  over   the  network.    Though  the   exact
    mathematical transform is not known, a substitution table suffices
    to  decrypt  any  ControlIT  password.  Since  ControlIT  supports
    Windows  NT  native  security,  an  attacker  could obtain user or
    administrator  passwords   to  Windows   NT  machines   via   this
    vulnerability.

    Reboot vulnerability:
    =====================
    ControlIT allows remote users to either reboot the remote  machine
    or force the current user of the remote machine to log out.  A user
    must be authenticated to operate this mechanism.  Another  option,
    configurable by the local user, allows the remote user to initiate
    a reboot or logout of the current user once the remote user
    disconnects the session.  This option triggers regardless of
    authentication: if the local user has enabled it, anybody can
    connect and disconnect without authenticating and thereby start
    the option's timer.

    Access to the address book file:
    ================================
    The  ControlIT  address  book  function  allows ControlIT users to
    store frequently  used usernames  and passwords  in a  file.   The
    passwords in this file are encrypted using the same weak mechanism
    employed during remote connections.   Under Windows NT, this  file
    has permissions of Everyone:Read, meaning any local user can  read
    the file and decrypt passwords.
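
    One way to audit for this exposure, as an added example that is not
    part of the ISS advisory or of ControlIT: the Python below parses
    `icacls` output for a file and reports allow-entries that let broad
    groups such as Everyone read it.  The file path and the sample
    output are constructed placeholders (the advisory does not give the
    file's location), and `icacls` is assumed as the ACL listing tool.

```python
import re

# Principals that amount to "any local user" on a Windows host.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
# icacls rights codes that allow reading file contents.
READ_CODES = {"F", "M", "RX", "R", "GR", "GA", "RD"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

def broad_read_aces(icacls_output, path):
    """Return [(principal, [read rights])] for allow-ACEs on broad groups."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares the path line
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" footer
        codes = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            codes.update(c.strip() for c in group.split(","))
        if "DENY" in codes or "N" in codes:
            continue  # deny ACEs and "no access" entries grant nothing
        readable = sorted(codes & READ_CODES)
        if readable and m.group("who").lower() in BROAD:
            findings.append((m.group("who"), readable))
    return findings

# Constructed samples: the path is a placeholder, not the real file location.
PATH = r"C:\PLACEHOLDER\addrbook.dat"
VULNERABLE = r"""C:\PLACEHOLDER\addrbook.dat BUILTIN\Administrators:(F)
                            Everyone:(R)
                            NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""
RESTRICTED = r"""C:\PLACEHOLDER\addrbook.dat BUILTIN\Administrators:(F)
                            NT AUTHORITY\SYSTEM:(F)
                            Everyone:(DENY)(R)"""

if __name__ == "__main__":
    for name, out in (("vulnerable", VULNERABLE), ("restricted", RESTRICTED)):
        print(name, broad_read_aces(out, PATH))
```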

SOLUTION

    CA suggests that customers address the weak encryption problem  by
    adding CryptIT(tm)  software to  ControlIT installations  since no
    patch  to  ControlIT  exists  that  repairs  the  weak  encryption
    problem.  A patch exists for the Reboot Vulnerability, although  a
    specific URL to the patch is not available. This patch,  #TF73073,
    can be obtained through Computer Associates support at:

        http://www.cai.com

    A patch exists for the address book vulnerability, which  disables
    password storage in the  ControlIT address book. Contact  Computer
    Associates support  at the  above URL  or phone  number to  obtain
    this patch.   Localize ControlIT access  by blocking TCP  port 799
    at the network perimeter with packet filters or firewalls.

    The 'Data Encryption' option offered by ControlIT does not encrypt
    the login/password packets in any way, so enabling it is not an
    effective way to avoid these vulnerabilities.