Date: 07 February 2002
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2002.061 -- ISS Security Alert
Remote Denial of Service Vulnerability in BlackICE Products
7 February 2002
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BlackICE Defender 2.9
BlackICE Defender for Server 2.9
BlackICE Agent for Workstation 3.0 and 3.1
BlackICE Agent for Server 3.0 and 3.1
RealSecure Server Sensor 6.0.1 and 6.5
Vendor: Internet Security Systems
Operating System: Windows 2000 and XP
Impact: Denial of Service
Access Required: Remote
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Alert
February 4, 2002
Last Revised: February 5, 2002
Remote Denial of Service Vulnerability in BlackICE Products
Synopsis:
ISS X-Force is aware of a denial of service vulnerability that may allow
remote attackers to crash or disrupt affected versions of BlackICE
Defender and BlackICE Agent desktop firewall/intrusion protection
products, and affected versions of RealSecure Server Sensor.
Description:
All current versions of BlackICE Defender, BlackICE Agent, and
RealSecure Server Sensor running on Windows 2000 or Windows XP can be
remotely crashed using a modified ping flood attack. The vulnerability
is caused by a flaw in the routines used for capturing transmitted
packets. Memory can be overwritten in such a manner that may cause the
engine to crash or to behave in an unpredictable manner.
The risk of this vulnerability to corporate users is minimal, because
most corporate firewalls already block ICMP from external IP addresses.
Systems located behind a corporate firewall are unlikely to be affected
by ICMP-based attacks.
Affected Versions:
BlackICE Defender 2.9 on Microsoft Windows 2000 and XP
BlackICE Defender for Server 2.9 on Microsoft Windows 2000 and XP
BlackICE Agent for Workstation 3.0 and 3.1 on Microsoft Windows 2000 and XP
BlackICE Agent for Server 3.0 and 3.1 on Microsoft Windows 2000 and XP
* RealSecure Server Sensor 6.0.1 and 6.5 on Microsoft Windows 2000
BlackICE Sentry and BlackICE Guard are not affected by this
vulnerability.
* Note: This attack yields inconsistent results against RealSecure
Server Sensor systems.
Recommendations:
Internet Security Systems has developed and is testing a fix for this
vulnerability that will be available as soon as possible. This alert
will be updated as soon as patches are available. BlackICE Defender
customers can install Defender updates by clicking on the "Tools" menu,
and then the "Download Updates" button. Corporate users of BlackICE
Agent can install updates centrally using the ICEcap Management
Console, or manually on individual systems.
BlackICE Agent Workaround:
Internet Security Systems recommends that ICEcap administrators apply
the following workaround for BlackICE Agent until a patch is made
available. Apply the following rule within the ICEcap Manager to block
ICMP Echo Requests on all managed agents:
1. Select the Firewall Rule Set to be modified.
2. Click "Add Setting" to the right of Firewall Rules.
3. Change Type to ICMP.
4. Enter "8:0" in the Rule Specification window.
5. Ensure that Reject is selected in the Setting window.
6. Click "Save Settings".
This will add a rule to the policy on ICEcap to block all Echo Requests
on Agents reporting to the group and using that policy.
BlackICE Defender Workaround:
Internet Security Systems recommends that BlackICE Defender users apply
the following workaround until a patch is made available. Apply the
following rule to block ICMP Echo Requests.
1. Open the firewall.ini file.
2. Under the [MANUAL ICMP ACCEPT] section, add the following line:
REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI
3. Save the firewall.ini file.
4. The next time you open BlackICE, click OK when the following pop-up
window appears: "A configuration file change was detected."
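An added example (not ISS code) for administrators applying the Defender workaround to many machines: it adds the rule line above to firewall.ini only if an equivalent REJECT rule for ICMP 8:0 (Echo Request) is not already in the [MANUAL ICMP ACCEPT] section, and creates the section if it is missing. The sample file content is constructed; the only rule format assumed is the one given in the alert.

```python
"""Idempotently add the BlackICE Defender ICMP Echo Request workaround."""
import re

# The exact line the ISS alert says to add under [MANUAL ICMP ACCEPT].
WORKAROUND_LINE = "REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI"
SECTION = "[MANUAL ICMP ACCEPT]"

# Any REJECT rule for ICMP type 8, code 0, whatever its timestamp field,
# already does the job, so such a line must not be duplicated.
_ECHO_REJECT = re.compile(r"^\s*REJECT\s*,\s*8:0\s*,\s*ICMP\b", re.IGNORECASE)


def has_echo_reject(ini_text: str) -> bool:
    """True if [MANUAL ICMP ACCEPT] already contains a REJECT rule for 8:0."""
    in_section = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped.upper() == SECTION
        elif in_section and _ECHO_REJECT.match(stripped):
            return True
    return False


def apply_workaround(ini_text: str) -> str:
    """Return ini_text with the workaround rule present (unchanged if it is)."""
    if has_echo_reject(ini_text):
        return ini_text
    lines = ini_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().upper() == SECTION:
            lines.insert(i + 1, WORKAROUND_LINE)  # right under the header
            break
    else:  # section missing: append it at the end of the file
        if lines and lines[-1].strip():
            lines.append("")
        lines.extend([SECTION, WORKAROUND_LINE])
    return "\n".join(lines) + "\n"


# Constructed firewall.ini fragment for demonstration, not a real file.
SAMPLE_INI = "[SOME OTHER SECTION]\nkey=value\n\n[MANUAL ICMP ACCEPT]\n"

if __name__ == "__main__":
    print(apply_workaround(SAMPLE_INI))
```

Run it against a backed-up copy of firewall.ini first; BlackICE still has to be reopened for the change to be picked up, as step 4 describes.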
RealSecure Server Sensor Workaround:
Internet Security Systems RealSecure Server Sensor customers can
configure Server Sensor to block ICMP packets using the following steps.
X-Force recommends that administrators investigate the implications of
blocking ICMP in their environments before applying this rule.
1. Open the Server Sensor policy to which you want to add this rule.
2. Select the Protect tab, open the Protect folder, and then open the
Firecell folder.
3. Select the ICMP Inbound section.
4. Click Add to create a new rule.
5. Type a name for the firecell rule, such as Block_ICMP, and then
click OK.
The new rule is added to the policy in the ICMP Inbound section.
6. Select the rule that you just created.
The properties of the rule appear in the right pane.
7. Set the priority of the event in the Priority box.
8. Leave the IP address field blank.
9. In the Actions section, select Action (3) Not in the range of listed
IP addresses, drop the packet and generate the selected responses.
10. In the Response section, select the responses you want the sensor
to take when this rule is triggered.
11. Save and apply the policy to the sensor.
Additional Information:
ISS Download Center (for BlackICE Agent and RealSecure Server Sensor
updates),
http://www.iss.net/eval/eval.php
BlackICE Product Download page (for BlackICE Defender updates),
http://www.networkice.com/downloads/index.html
ISS X-Force Database,
http://xforce.iss.net/static/8058.php
This alert is available at:
http://xforce.iss.net/alerts/advise109.php
[Note: It may take up to 24 hours from the original posting of this
alert for it to appear on the Web site.]
Revision History:
2/5/02: Updated affected versions and recommendations sections.
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East. For more information, visit the Internet Security
Systems Web site at <www.iss.net> or call 888-901-7477.
Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----