Bad news for users of Computer Associates International Inc.'s eTrust intrusion detection software: the product contains a flaw that lets remote attackers trigger a denial-of-service condition. The problem lies in insufficient checking of values passed to CPImportKey, the key-import entry point in Microsoft Corp.'s Crypto API. If the wrapper code does not validate the data before handing it to the Crypto API, an attacker can feed CPImportKey a size field that is far too large, and CPImportKey will attempt to allocate a correspondingly large buffer. The oversized request causes an exception and leaves memory locked.
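The failure mode described above, a wrapper trusting an attacker-supplied size field before an allocator ever sees it, is easy to reproduce in miniature. The following is an added example written for this page, not code from eTrust, Computer Associates or Microsoft. It uses a constructed, hypothetical key-blob layout (magic, 4-byte length, key bytes) rather than CryptoAPI's real blob headers, an assumed 4096-byte policy cap on key material, and plain malloc as a stand-in for whatever the real import routine allocates; the point is the two checks a wrapper must apply to the declared length before the call is made.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, hypothetical key-blob layout for this example (not
 * CryptoAPI's real blob headers):
 *   bytes 0..3  magic "KEY1" (little-endian 0x4B455931)
 *   bytes 4..7  declared key length, little-endian
 *   bytes 8..   key material, declared-length bytes long          */
#define KEYBLOB_MAGIC   0x4B455931u
#define KEYBLOB_HDR_LEN 8u
#define KEYBLOB_MAX_KEY 4096u   /* assumed policy cap on key material */

enum import_status {
    IMPORT_OK = 0,
    IMPORT_ERR_SHORT_HEADER,   /* fewer bytes than a header */
    IMPORT_ERR_BAD_MAGIC,
    IMPORT_ERR_LEN_TOO_LARGE,  /* declared length exceeds the cap */
    IMPORT_ERR_TRUNCATED,      /* declared length exceeds bytes supplied */
    IMPORT_ERR_ALLOC
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The wrapper-side check that was missing: vet the declared length
 * against a policy cap and against the bytes actually received before
 * anything is allocated. blob_len is the received size, which the
 * attacker cannot inflate by editing the header. */
enum import_status validate_key_blob(const uint8_t *blob, size_t blob_len,
                                     uint32_t *key_len_out)
{
    if (blob == NULL || blob_len < KEYBLOB_HDR_LEN)
        return IMPORT_ERR_SHORT_HEADER;
    if (read_le32(blob) != KEYBLOB_MAGIC)
        return IMPORT_ERR_BAD_MAGIC;

    uint32_t declared = read_le32(blob + 4);
    if (declared > KEYBLOB_MAX_KEY)           /* 0xFFFFFFFF stops here */
        return IMPORT_ERR_LEN_TOO_LARGE;
    /* Subtract rather than add so header + declared cannot overflow. */
    if (declared > blob_len - KEYBLOB_HDR_LEN)
        return IMPORT_ERR_TRUNCATED;

    *key_len_out = declared;
    return IMPORT_OK;
}

/* Allocate for the key only after validation passes. Caller frees *key_out. */
enum import_status import_key(const uint8_t *blob, size_t blob_len,
                              uint8_t **key_out, uint32_t *key_len_out)
{
    uint32_t key_len = 0;
    enum import_status st = validate_key_blob(blob, blob_len, &key_len);
    if (st != IMPORT_OK)
        return st;

    uint8_t *key = malloc(key_len ? key_len : 1);
    if (key == NULL)
        return IMPORT_ERR_ALLOC;
    memcpy(key, blob + KEYBLOB_HDR_LEN, key_len);
    *key_out = key;
    *key_len_out = key_len;
    return IMPORT_OK;
}

/* Test helper: build a blob whose header claims `declared` bytes while only
 * payload_len bytes follow, which models the oversized-size case.
 * Returns bytes written, or 0 if the output buffer is too small. */
size_t build_blob(uint8_t *out, size_t out_cap, uint32_t declared,
                  const uint8_t *payload, size_t payload_len)
{
    if (out_cap < KEYBLOB_HDR_LEN + payload_len)
        return 0;
    write_le32(out, KEYBLOB_MAGIC);
    write_le32(out + 4, declared);
    memcpy(out + KEYBLOB_HDR_LEN, payload, payload_len);
    return KEYBLOB_HDR_LEN + payload_len;
}

int main(void)
{
    uint8_t blob[64], *key = NULL;
    uint32_t key_len = 0;
    const uint8_t material[4] = {0xDE, 0xAD, 0xBE, 0xEF};   /* constructed */

    size_t n = build_blob(blob, sizeof blob, 4, material, 4);
    printf("declared 4, sent 4:   status %d\n", import_key(blob, n, &key, &key_len));
    free(key);
    n = build_blob(blob, sizeof blob, 0xFFFFFFFFu, material, 4);
    printf("declared 0xFFFFFFFF:  status %d\n", import_key(blob, n, &key, &key_len));
    n = build_blob(blob, sizeof blob, 64, material, 4);
    printf("declared 64, sent 4:  status %d\n", import_key(blob, n, &key, &key_len));
    return 0;
}
```

The cap check comes first on purpose: without it, a declared length of 0xFFFFFFFF would reach the allocator, which is exactly the path the advisory describes. The truncation check then closes the second hole, a length that is under the cap but still larger than the data that arrived, so the copy can never read past the received buffer.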
The mere fact that an intrusion detection system is the target of a potential exploit from this flaw is pretty worrying, given that an intrusion detection system is, well... an intrusion detection system. It is supposed to spot intruders, and if it can be made to crash it leaves the door open for further attacks from someone who knows what they are doing.
"The purpose of [an IDS] being there is to detect an attack. Being able to take it out could make way for a really nasty [subsequent] attack. If you were targeting a network, yes, this would be an important first step in keeping subsequent attacks undetected. That makes it of greater importance than a typical attack. Just because it's a security product doesn't mean it's immune to security vulnerabilities." - Michael Sutton, director of iDefense.