ISS RealSecure 3.2.x Fragmented SYN Packets DoS Vulnerability
BID:1597
Info
ISS RealSecure 3.2.x Fragmented SYN Packets DoS Vulnerability
| Bugtraq ID: | 1597 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: |
CVE-2000-0692 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Aug 22 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | Posted to bugtraq in a Modulo Security Labs advisory by Andre Fucs de Miranda <[email protected]>. |
| Vulnerable: |
Internet Security Systems RealSecure 3.2 |
| Not Vulnerable: | |
Discussion
ISS RealSecure 3.2.x Fragmented SYN Packets DoS Vulnerability
ISS RealSecure 3.2.x can be disabled remotely via fragmented packets with the SYN flag set.
On NT, after crashing the service will restart, and generates an Application Log event. If the packets are continuosly resent, detection is effectively halted while the service repeatedly restarts.
On Solaris, the process crashes, all detection stops, and a report is generated to the console. Also, on Solaris it is possible to crash the process with a flood of unfragmented packets if certain flgas (in addition to SYN) are set.
ISS RealSecure 3.2.x can be disabled remotely via fragmented packets with the SYN flag set.
On NT, after crashing the service will restart, and generates an Application Log event. If the packets are continuosly resent, detection is effectively halted while the service repeatedly restarts.
On Solaris, the process crashes, all detection stops, and a report is generated to the console. Also, on Solaris it is possible to crash the process with a flood of unfragmented packets if certain flgas (in addition to SYN) are set.
Exploit / POC
ISS RealSecure 3.2.x Fragmented SYN Packets DoS Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
ISS RealSecure 3.2.x Fragmented SYN Packets DoS Vulnerability
Solution:
The official response from ISS on this issue is as follows:
We have currently identified and can confirm the
following based on exploit information in the security bulletin and what
we have received from Modulo and ISS research of the issues:
(1) A patch for Network Sensor 3.2.2 is available to
fix the Syn Flood issue. You must have an updated maintenance license
before downloading and installing this patch. Please read the release
notes first before installing. The patch can be downloaded at:
ftp://ftp.iss.net/private/support/patch/realsecure32/
(2) RealSecure 5.0 is not affected by the Syn Flood
issue brought up in the security bulletin,
(3) The command provided by Modulo produces a flood
of ipfrag events (thus throttling the console), but does not otherwise
affect the engine. RealSecure Network Sensor 5.0 contains a filter on the
ipfrag event which prevents it from being logged more than once per source
ip / destination ip pair.
Since RealSecure Network Sensor 3.2 supports the
advanced dialog through the console's policy editor, the ipfrag event can
be tweaked to also use these same filter settings, preventing the console
flood:
same_source_ip
same_destinaion_ip
protect_from_flood
Solution:
The official response from ISS on this issue is as follows:
We have currently identified and can confirm the
following based on exploit information in the security bulletin and what
we have received from Modulo and ISS research of the issues:
(1) A patch for Network Sensor 3.2.2 is available to
fix the Syn Flood issue. You must have an updated maintenance license
before downloading and installing this patch. Please read the release
notes first before installing. The patch can be downloaded at:
ftp://ftp.iss.net/private/support/patch/realsecure32/
(2) RealSecure 5.0 is not affected by the Syn Flood
issue brought up in the security bulletin,
(3) The command provided by Modulo produces a flood
of ipfrag events (thus throttling the console), but does not otherwise
affect the engine. RealSecure Network Sensor 5.0 contains a filter on the
ipfrag event which prevents it from being logged more than once per source
ip / destination ip pair.
Since RealSecure Network Sensor 3.2 supports the
advanced dialog through the console's policy editor, the ipfrag event can
be tweaked to also use these same filter settings, preventing the console
flood:
same_source_ip
same_destinaion_ip
protect_from_flood
References
ISS RealSecure 3.2.x Fragmented SYN Packets DoS Vulnerability
References:
References: