----- Original Message -----
From: "X-Force" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 05, 2002 5:26 PM
Subject: ISSalert: ISS Alert: Remote Denial of Service Vulnerability in BlackICE Products

| -----BEGIN PGP SIGNED MESSAGE-----
|
| Internet Security Systems Security Alert
| February 4, 2002
|
| Last Revised: February 5, 2002
|
| Remote Denial of Service Vulnerability in BlackICE Products
|
| Synopsis:
|
| ISS X-Force is aware of a denial of service vulnerability that may allow
| remote attackers to crash or disrupt affected versions of BlackICE
| Defender and BlackICE Agent desktop firewall/intrusion protection
| products, and affected versions of RealSecure Server Sensor.
|
| Description:
|
| All current versions of BlackICE Defender, BlackICE Agent, and
| RealSecure Server Sensor running on Windows 2000 or Windows XP can be
| remotely crashed using a modified ping flood attack. The vulnerability
| is caused by a flaw in the routines used for capturing transmitted
| packets. Memory can be overwritten in such a manner that may cause the
| engine to crash or to behave in an unpredictable manner.
|
| The risk of this vulnerability to corporate users is minimal, because
| most corporate firewalls already block ICMP from external IP addresses.
| Systems located behind a corporate firewall are unlikely to be affected
| by ICMP-based attacks.
|
| Affected Versions:
|
|   BlackICE Defender 2.9 on Microsoft Windows 2000 and XP
|   BlackICE Defender for Server 2.9 on Microsoft Windows 2000 and XP
|   BlackICE Agent for Workstation 3.0 and 3.1 on Microsoft Windows 2000 and XP
|   BlackICE Agent for Server 3.0 and 3.1 on Microsoft Windows 2000 and XP
| * RealSecure Server Sensor 6.0.1 and 6.5 on Microsoft Windows 2000
|
| BlackICE Sentry and BlackICE Guard are not affected by this
| vulnerability.
|
| * Note: This attack yields inconsistent results against RealSecure
|   Server Sensor systems.
|
| Recommendations:
|
| Internet Security Systems has developed and is testing a fix for this
| vulnerability that will be available as soon as possible. This alert
| will be updated as soon as patches are available. BlackICE Defender
| customers can install Defender updates by clicking on the "Tools" menu,
| and then the "Download Updates" button. Corporate users of BlackICE
| Agent can install updates centrally using the ICEcap Management
| Console, or manually on individual systems.
|
| BlackICE Agent Workaround:
| Internet Security Systems recommends that ICEcap administrators apply
| the following workaround for BlackICE Agent until a patch is made
| available. Apply the following rule within the ICEcap Manager to block
| ICMP Echo Requests on all managed agents:
|
| 1. Select the Firewall Rule Set to be modified.
| 2. Click "Add Setting" to the right of Firewall Rules.
| 3. Change Type to ICMP.
| 4. Enter "8:0" in the Rule Specification window.
| 5. Ensure that Reject is selected in the Setting window.
| 6. Click "Save Settings".
|
| This will add a rule to the policy on ICEcap to block all Echo Requests
| on Agents reporting to the group and using that policy.
|
| BlackICE Defender Workaround:
| Internet Security Systems recommends that BlackICE Defender users apply
| the following workaround until a patch is made available. Apply the
| following rule to block ICMP Echo Requests.
|
| 1. Open the firewall.ini file.
| 2. Under the [MANUAL ICMP ACCEPT] section, add the following line:
|    REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI
| 3. Save the firewall.ini file.
| 4. The next time you open BlackICE, click OK when the following pop-up
|    window appears: "A configuration file change was detected."
|
| RealSecure Server Sensor Workaround:
| Internet Security Systems RealSecure Server Sensor customers can
| configure Server Sensor to block ICMP packets using the following steps.
| X-Force recommends that administrators investigate the implications of
| blocking ICMP in their environments before applying this rule.
|
| 1. Open the Server Sensor policy to which you want to add this rule.
| 2. Select the Protect tab, open the Protect folder, and then open the
|    Firecell folder.
| 3. Select the ICMP Inbound section.
| 4. Click Add to create a new rule.
| 5. Type a name for the firecell rule, such as Block_ICMP, and then
|    click OK.
|    The new rule is added to the policy in the ICMP Inbound section.
| 6. Select the rule that you just created.
|    The properties of the rule appear in the right pane.
| 7. Set the priority of the event in the Priority box.
| 8. Leave the IP address field blank.
| 9. In the Actions section, select Action (3) Not in the range of listed
|    IP addresses, drop the packet and generate the selected responses.
| 10. In the Response section, select the responses you want the sensor
|     to take when this rule is triggered.
| 11. Save and apply the policy to the sensor.
|
|
| Additional Information:
|
| ISS Download Center (for BlackICE Agent and RealSecure Server Sensor
| updates),
| http://www.iss.net/eval/eval.php
|
| BlackICE Product Download page (for BlackICE Defender updates),
| http://www.networkice.com/downloads/index.html
|
| ISS X-Force Database,
| http://xforce.iss.net/static/8058.php
|
| This alert is available at:
| http://xforce.iss.net/alerts/advise109.php
| [Note: It may take up to 24 hours from the original posting of this
| alert for it to appear on the Web site.]
|
| Revision History:
|
| 2/5/02: Updated affected versions and recommendations sections.
|
|
| ______
|
| About Internet Security Systems (ISS)
| Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
| pioneer and world leader in software and services that protect critical
| online resources from an ever-changing spectrum of threats and misuse.
| Internet Security Systems is headquartered in Atlanta, GA, with
| additional operations throughout the Americas, Asia, Australia, Europe
| and the Middle East. For more information, visit the Internet Security
| Systems Web site at <www.iss.net> or call 888-901-7477.
|
| Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
| worldwide.
|
| Permission is hereby granted for the redistribution of this Alert
| electronically. It is not to be edited in any way without express
| consent of the X-Force. If you wish to reprint the whole or any part
| of this Alert in any other medium excluding electronic medium, please
| e-mail [EMAIL PROTECTED] for permission.
|
| Disclaimer
|
| The information within this paper may change without notice. Use of
| this information constitutes acceptance for use in an AS IS condition.
| There are NO warranties with regard to this information. In no event
| shall the author be liable for any damages whatsoever arising out of or
| in connection with the use or spread of this information. Any use of
| this information is at the user's own risk.
|
| X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
| as well as on MIT's PGP key server and PGP.com's key server.
|
| Please send suggestions, updates, and comments to: X-Force
| [EMAIL PROTECTED] of Internet Security Systems, Inc.

---------------------------------------------------------
Archived messages from this list can be found at:
http://www.mail-archive.com/tech-cord@aea5.k12.ia.us/
---------------------------------------------------------
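
Added example, not part of the ISS alert or any ISS tool: a Python check that reports whether a copy of firewall.ini carries the BlackICE Defender workaround rule in the right section. Only the section name and the rule line come from the alert; the comma-separated field layout, the `;` comment marker, the sample files and the `EXAMPLE OTHER SECTION` name are assumptions constructed for the example.

```python
import re

SECTION = "MANUAL ICMP ACCEPT"          # section named in the alert
WANTED = ("REJECT", "8:0", "ICMP")      # first three fields of the alert's rule line

def parse_sections(ini_text):
    """Map each [SECTION] header to its comma-split rule lines."""
    sections, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # assumption: ';' starts a comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append([f.strip() for f in line.split(",")])
    return sections

def audit(ini_text):
    """Return 'ok', 'missing-section' or 'missing-rule' for one firewall.ini."""
    sections = parse_sections(ini_text)
    if SECTION not in sections:
        return "missing-section"
    for fields in sections[SECTION]:
        # Exact-case match on purpose: anything that deviates from the alert's
        # line is reported rather than assumed to be enforced.
        if tuple(fields[:3]) == WANTED:
            return "ok"
    return "missing-rule"

# Constructed sample files (not taken from a real host).
RULE = "REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI"
APPLIED = "[MANUAL ICMP ACCEPT]\n  " + RULE + "\n"
NOT_APPLIED = "[MANUAL ICMP ACCEPT]\n; no entries yet\n"
WRONG_SECTION = "[MANUAL ICMP ACCEPT]\n\n[EXAMPLE OTHER SECTION]\n" + RULE + "\n"
WRONG_ACTION = "[MANUAL ICMP ACCEPT]\n" + RULE.replace("REJECT", "ACCEPT") + "\n"
NO_SECTION = "[EXAMPLE OTHER SECTION]\nplaceholder\n"

if __name__ == "__main__":
    for name in ("APPLIED", "NOT_APPLIED", "WRONG_SECTION", "WRONG_ACTION", "NO_SECTION"):
        print(f"{name:14} {audit(globals()[name])}")
```

A result other than `ok` means the file should be reviewed by hand against step 2 of the Defender workaround.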