Date: 19 December 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0924 -- [Win]
Multiple Vulnerabilities in Mandiant First Response
19 December 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: MANDIANT First Response versions prior to 1.1.1
Publisher: Symantec
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2006-6477 CVE-2006-6476 CVE-2006-6475
Original Bulletin:
http://www.symantec.com/enterprise/research/SYMSA-2006-013.txt
--------------------------BEGIN INCLUDED TEXT--------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory
Advisory ID: SYMSA-2006-013
Advisory Title: Multiple Vulnerabilities in Mandiant First Response
Author: Brian Reilly / brian_reilly@symantec.com
Release Date: 18-12-2006
Application: Mandiant First Response 1.1
Platform: Windows 2000/XP/2003
Severity: Multiple -- Denial of Service, Data Manipulation, Client/Server Hijacking
Vendor status: New Version of product available
CVE Number: CVE-2006-6475, CVE-2006-6476, CVE-2006-6477
Reference: http://www.securityfocus.com/bid/21548
Overview:
Mandiant First Response is an incident response tool to collect system
information such as running processes, system services, registry
information, event logs, and file lists from a local or remote host. The
First Response agent (FRAgent.exe) can be installed and configured as a
daemon on target hosts in order to collect information remotely via a
First Response Command Console. Multiple vulnerabilities exist that could
lead to a variety of attack payloads. Agents running in either HTTP or
SSL mode are vulnerable to denial of service and server hijacking
conditions. The server hijacking vulnerability present in HTTP agents can
be further leveraged to allow a rogue process to intercept and modify
legitimate agent/console communication, and force a Command Console to
download arbitrary content and visit arbitrary URLs.
Details:
Vulnerability #1: Denial of Service against an SSL agent through malformed client requests
When run in daemon mode, the First Response agent (FRAgent.exe) accepts
remote connections from a First Response console via HTTP or a modified
HTTPS implementation. By sending a series of specially-crafted requests
to an SSL-enabled agent, it is possible to force the agent to throw an
exception that is not properly handled. After this occurs, the agent's
sockets will enter an indefinite CLOSE_WAIT state and all subsequent
connection attempts will be refused. The service then must be restarted
in order to recover and accept connections again.
Vulnerability #2: Denial of Service against an HTTP or SSL agent through Agent hijacking
An FRAgent daemon permits other processes to bind to the same socket
addresses on which it is already listening. If FRAgent is bound to a
0.0.0.0 wildcard address ("all interfaces"), a rogue process can intercept
client connections by subsequently binding to the same port on a specific
IP address. By hijacking an agent with a non-responsive listener, an
attacker can effectively prevent all legitimate client connections.
Vulnerability #3: Command Console and Data Manipulation through HTTP Agent Hijacking
If an HTTP FRAgent daemon is hijacked, the attacker can control the response
data sent to and processed by a client, as well as other aspects of client
behavior. A rogue process can conduct a man-in-the-middle attack to
redirect and modify all requests and responses between the client and a
legitimate agent. The attacker can also send specially-crafted HTTP
responses that force the client to visit arbitrary URLs and/or download
arbitrary content. (NOTE: The use of HTTPS/SSL is default behavior for First
Response; using cleartext HTTP requires manual configuration.)
Vendor Response:
Mandiant has confirmed the reports provided by Symantec and updated
Mandiant First Response (MFR) to correct these issues. Version 1.1.1 is now
available for download from
http://www.mandiant.com/firstresponse.htm. Mandiant advises all
users of MFR to upgrade to 1.1.1 as soon as possible. Registered
users of the software have been notified via email of availability
of the upgrade.
During the course of our review we noted the following addenda to
Symantec's analysis:
Vulnerability 1: The DoS condition was due to a design error where
the Agent would choose to exit upon receipt of a malformed request.
The exit was an explicit choice exercised by the code path and not
caused by a buffer overflow or heap corruption. Version 1.1.1
addresses the explicit exit condition and correctly handles
requests with malformed payloads, allowing the MFR Agent to
continue operation while correctly rejecting malformed requests.
Vulnerabilities 2 and 3: The vulnerabilities are present because the
MFR Agent opens its listening port in non-exclusive mode. Version
1.1.1 correctly opens the port as exclusive, preventing the
multiple-bind condition.
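An added example, not code from the advisory or from Mandiant, illustrating the multiple-bind condition behind Vulnerabilities #2 and #3 and the exclusive-port fix the vendor describes: a hardened listener that requests an exclusive bind (SO_EXCLUSIVEADDRUSE on Windows, a plain bind without SO_REUSEADDR elsewhere) beside the permissive form, plus an audit check an operator can run on the host to confirm that a second socket can no longer bind the service's port on a specific interface address. Function names and the loopback probe address are assumptions.

```python
import socket

def open_listener(host: str, port: int, exclusive: bool = True) -> socket.socket:
    """exclusive=True is the hardened form (MFR 1.1.1 per the vendor note);
    exclusive=False mirrors the non-exclusive bind described for FRAgent 1.1."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if exclusive:
        # Windows only: refuse any later bind to this port, even by a
        # process that sets SO_REUSEADDR on its own socket.
        if hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
            s.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
        # On POSIX the default bind is already exclusive; the key point is
        # NOT to set SO_REUSEADDR on a wildcard (0.0.0.0) listener.
    else:
        # Non-exclusive: the permissive setting that lets a second socket
        # claim the same port on a specific interface address on Windows.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s

def port_is_hijackable(port: int, iface_addr: str = "127.0.0.1") -> bool:
    """Audit check: with our listener up, can another socket on this host
    still bind the same port on a specific interface address?"""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        probe.bind((iface_addr, port))
        return True   # bind succeeded: the listener can be shadowed
    except OSError:
        return False  # bind refused: the listener holds the port
    finally:
        probe.close()

def audit_wildcard_listener(exclusive: bool) -> bool:
    """Bind 0.0.0.0 on an ephemeral port (never colliding with a real
    service) and report whether that port is hijackable."""
    srv = open_listener("0.0.0.0", 0, exclusive=exclusive)
    try:
        return port_is_hijackable(srv.getsockname()[1])
    finally:
        srv.close()

if __name__ == "__main__":
    for mode in (False, True):
        print(f"exclusive={mode}: hijackable={audit_wildcard_listener(mode)}")
```

On Linux both modes report not hijackable, because the kernel refuses a specific-address bind while a wildcard listener is active; the two modes diverge on Windows, which is the platform the advisory covers.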
Mandiant would like to thank Brian Reilly and Scott King for
discovering and notifying us of these vulnerabilities, and Symantec
for their participation in public disclosure.
Recommendation:
Upgrade to MFR version 1.1.1, available at
http://www.mandiant.com/firstresponse.htm.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CVE-2006-6475, CVE-2006-6476, CVE-2006-6477
-------Symantec Vulnerability Research Advisory Information-------
For questions about this advisory, or to report an error:
research@symantec.com
For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/
Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc
-------------Symantec Product Advisory Information-------------
To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com
For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/
Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html
Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
---------------------------------------------------------------
Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from cs_advisories@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.
Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
-----END PGP SIGNATURE-----
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----