Computer Associates (CA) eTrust Intrusion Detection 3.0 allows remote attackers to cause a denial of service via large size values that are not properly validated before calling the CPImportKey function in the Crypto API.
eTrust Intrusion Detection System is reported prone to a remote denial of service vulnerability.
This vulnerability specifically arises due to the improper use of the Microsoft Crypto API function called 'CPImportKey'. eTrust Intrusion Detection System employs the Microsoft Crypto API functionality without wrapper functions to validate user-supplied input and is susceptible to denial of service attacks.
A successful attack can crash the application by exhausting memory resources. With the intrusion detection system down, this can facilitate further attacks against the network and allow those attacks to go undetected.
eTrust Intrusion Detection System 3.0 and 3.0 SP1 are reported vulnerable.
Currently we are not aware of any exploits for this issue.
The vendor has released patches to address this issue.
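An added example, not part of the original advisory or the vendor's patch, of the kind of wrapper check the description says was missing: it validates the size fields of a key blob before the buffer would be handed to the CSP's import function. The advisory does not say which size field was involved; the RSA public key blob layout, the caps `MAX_BLOB_BYTES` and `MAX_RSA_BITS`, and the names `check_key_blob` and `build_sample_blob` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Policy caps chosen for this example; the advisory gives no numbers. */
#define MAX_BLOB_BYTES 4096u
#define MAX_RSA_BITS   16384u
/* Documented CryptoAPI layout: BLOBHEADER (8 bytes) then RSAPUBKEY (12 bytes). */
#define HDR_LEN 20u
#define PUBLICKEYBLOB_TYPE 0x06u
#define RSA1_MAGIC 0x31415352u /* "RSA1" */

enum blob_status { BLOB_OK, BLOB_TOO_SHORT, BLOB_TOO_LARGE, BLOB_BAD_HEADER, BLOB_LEN_MISMATCH };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hypothetical pre-import check, run before the buffer reaches the CSP.
   claimed_len is the peer-supplied length field; received is what was actually read. */
enum blob_status check_key_blob(const uint8_t *buf, size_t received, uint32_t claimed_len) {
    if (claimed_len > MAX_BLOB_BYTES || received > MAX_BLOB_BYTES) return BLOB_TOO_LARGE;
    if (buf == NULL || received < HDR_LEN) return BLOB_TOO_SHORT;
    if (claimed_len != received) return BLOB_LEN_MISMATCH;
    if (buf[0] != PUBLICKEYBLOB_TYPE || rd_le32(buf + 8) != RSA1_MAGIC) return BLOB_BAD_HEADER;
    uint32_t bits = rd_le32(buf + 12);           /* RSAPUBKEY.bitlen */
    if (bits > MAX_RSA_BITS) return BLOB_TOO_LARGE;
    if (bits == 0 || bits % 8 != 0 || bits / 8 != received - HDR_LEN) return BLOB_LEN_MISMATCH;
    return BLOB_OK;
}

/* Constructed sample: header fields plus a zero-filled modulus (not a real key). */
size_t build_sample_blob(uint8_t *out, uint32_t bitlen_field, size_t modulus_bytes) {
    memset(out, 0, HDR_LEN + modulus_bytes);
    out[0] = PUBLICKEYBLOB_TYPE; out[1] = 0x02;  /* bType, bVersion */
    wr_le32(out + 4, 0x0000A400u);               /* aiKeyAlg = CALG_RSA_KEYX */
    wr_le32(out + 8, RSA1_MAGIC);
    wr_le32(out + 12, bitlen_field);
    wr_le32(out + 16, 65537u);                   /* pubexp */
    return HDR_LEN + modulus_bytes;
}
```

Only a blob that returns `BLOB_OK` would be passed on to the import call; every other status is logged and the input dropped without allocating on the peer's stated sizes.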