TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Any news about this vulnerability?
I have checked ISS's Web Site but no official statement...

Yannick Antoine 
Network Security Engineer
Clearstream Services
tel: +352 46 56 42 647 
fax: +352 46 56 49 2647 
mailto:[EMAIL PROTECTED]


-----Original Message-----
From: Palmer, Paul (ISSAtlanta) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 28, 2000 21:16
To: 'Manuel Gil'; [EMAIL PROTECTED]
Subject: RE: DOS attack over RealSecure 3.2.x




-----BEGIN PGP SIGNED MESSAGE-----

Here is my unofficial understanding of the issue (as a RealSecure
engineer):

The group that reported the problem to Bugtraq, "Modulo Security
Labs", has not been responsive to our attempts (the last I heard on
Friday) to contact them. Therefore we have been unable to confirm
their statements (or reproduce their results).

Regardless, we are taking their claims very seriously and have
performed a code review of RealSecure 3.2.x and RealSecure 5.0 looking
for potential problems processing the type of network traffic they
describe. I would expect that we (Internet Security Systems) will
release an official statement sometime this week.

Paul

- -----Original Message-----
From: Manuel Gil [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 28, 2000 5:37 AM
To: [EMAIL PROTECTED]
Subject: Re: DOS attack over RealSecure 3.2.x


Hi Again.

Excuse me, but is this notice not interesting? I really want to know
if this kind of attack could be used to attack the RealSecure engine
in stealth mode.

Do the ISS people have nothing to say?

Manuel Gil wrote:
> 
> Hi all.
> 
> Today I saw a new vulnerability on the Bugtraq list affecting the
> RealSecure Network Engine v.3.2.x.
> 
>  ISS RealSecure 3.2.x can be disabled remotely via fragmented packets
>  with the SYN flag set.
> 
>  On NT, after crashing, the service will restart and generate an
>  Application Log event. If the packets are continuously resent,
>  detection is effectively halted while the service repeatedly restarts.
> 
>  On Solaris, the process crashes, all detection stops, and a report is
>  generated to the console. Also, on Solaris it is possible to crash the
>  process with a flood of unfragmented packets if certain flags (in
>  addition to SYN) are set.
> 
> You can see this entry on the SecurityFocus web site or on the
> Bugtraq list. My question is:
> 
> Could this vulnerability also affect RealSecure in stealth mode?
> 
> Thanks.
> 
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     /\        Manuel Gil
>    \\ \       System Engineer
>   \ \\ /      E-mail:   [EMAIL PROTECTED]
>  / \/ / /
> / /   \//\
> \//\   / /    Sun Microsystems Iberica
>  / / /\ /     Torre Picasso
>   / \\ \      Planta 27
>    \ \\       Madrid                            Tel: 34-91-5969900
>     \/        España                            Fax: 34-91-5564097
>                                                 Movil: 699 064 742
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

