TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
This is an official response from ISS on the BUGTRAQ
Security Bulletin reported by Modulo - an ISS Brazil Competitor. We have
contacted Modulo on getting the exploit they used for the vulnerabilities
reported, however we have only been able to confirm one out of two issues
detailed in the bulletin based on the information they have sent us.
The typical protocol used in the Security Field and by our
X-Force in identifying vulnerabilities and working with vendors to get a fix
or patch out is: Notify the vendor first, work with the vendor in providing
the exploit used, release a security bulletin in a timely manner, and
provide the fix information released by the vendor.
We have currently identified and can only confirm the
following based on exploit information in the security bulletin and what we
have received from Modulo and ISS research of the issues:
(1) A patch for Network Sensor 3.2.2 is available to fix the
Syn Flood issue. You must have an updated maintenance license BEFORE
downloading and installing this patch. Please read the release notes FIRST
before installing. The patch can be downloaded at:
ftp://ftp.iss.net/private/support/patch/realsecure32/
(2) RealSecure 5.0 is not affected by the Syn Flood issue
brought up in the security bulletin, and we have not yet been able to
verify, reproduce, or find conclusive evidence that the IP Frag decode issue
reported is accurate for either RealSecure 3.2.2 or 5.0. We will continue
to work on this issue, and look for additional information from Modulo on
this.
If you have questions or concerns, please email Technical
Support at [EMAIL PROTECTED]
===================================================================
Bulletin #: 243
Title: Denial of Service RealSecure
Information Date: 8/4/00
Product: Realsecure
Company: ISS - Internet Security Systems
Issued by: M�dulo Security Labs
Abstract:
The Modulo Security Labs Team found during a test program
two ways to stop the ISS RealSecure 3.2.x engine. The engine is the
responsible for the duty of checking and logging packets. The exploit is
very simple to be reproduced and protection measures must be adopted.
Tested systems:
3.2.1 Solaris - Vulnerable
3.2.2 Solaris - Vulnerable
3.2.1 WinNT - Vulnerable
Solution:
The tests with the Solaris version indicates that disabling
the SynFlood and IPFRAG attacks detection can avoid the 'network_engine'
process failure.
Exploit:
A failure in the treatment of fragmented packets with the
SYN flag setted causes the immediate failure in the RealSecure engine,
disabling the intrusion detection.
On the Solaris version of RealSecure the engine process
('network_engine') is disabled, causing a core dump memory file creation.
The event is immediately reported through the RealSecure console.
On the NT version, the engine service file
('network_engine.exe') has a
little different bug. The service, after being crashed,
restarts immediately, generating just a Windows NT Application Log event.
The tests showed that a big and continuous stream of the these packets (SYN
Flood) can take the processor load up to 100%. During this attack,
RealSecure could not identify any other type of attack.
The tests showed that the Solaris version have an additional
vulnerability on the SYN packets treatment. With a SYN Flood attack with
specific IP flags setted it is possible to disable the engine in the same
way as described above. A 50 packets per minute attack was enough to cause
the flaw in a simulation.
On both versions (NT and Solaris) the console could not
report the
fragmented attack. The NT version can identify the
fragmented SYN attack as a simple SYN Flood.
Additional Information:
A detailed version of this advisory will be issued as soon
ISS fix the
product.
Modulo Security Labs - Modulo Security Solutions
http://www.modulo.com.br/
