TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Fixes from Patches 3.2.3 and 3.2.4 are included in 3.2.5.  So if you have RS
3.2.2 - you only need to apply 3.2.5.

Audra

-----Original Message-----
From: Ferrari, Carla [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 12:10 PM
To: '[EMAIL PROTECTED]'
Subject: Re: ISS Official Response to Modulo Security Bulletin: DOS on RealSecure





I downloaded the patch and read the release notes.  It makes mention of
patch descriptions for 3.2.3 and 3.2.4 as well as 3.2.5.  Are these
additional patches included in the 3.2.5 patch or are they separate and
available elsewhere?

Carla Ferrari
TIAA-CREF


-----Original Message-----
From: Eng, Audra [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 07, 2000 11:44 AM
To: [EMAIL PROTECTED]
Subject: ISS Official Response to Modulo Security Bulletin: DOS on RealSecure




                This is an official response from ISS on the BUGTRAQ
Security Bulletin reported by Modulo - an ISS Brazil Competitor. We have
contacted Modulo about getting the exploit they used for the vulnerabilities
reported; however, we have only been able to confirm one of the two issues
detailed in the bulletin based on the information they have sent us.

                The typical protocol used in the Security Field and by our
X-Force in identifying vulnerabilities and working with vendors to get a fix
or patch out is: Notify the vendor first, work with the vendor in providing
the exploit used, release a security bulletin in a timely manner, and
provide the fix information released by the vendor. 

                We have currently identified and can only confirm the
following based on exploit information in the security bulletin and what we
have received from Modulo and ISS research of the issues:

                (1) A patch for Network Sensor 3.2.2 is available to fix the
Syn Flood issue. You must have an updated maintenance license BEFORE
downloading and installing this patch.  Please read the release notes FIRST
before installing. The patch can be downloaded at:
ftp://ftp.iss.net/private/support/patch/realsecure32/

                (2) RealSecure 5.0 is not affected by the Syn Flood issue
brought up in the security bulletin, and we have not yet been able to
verify, reproduce, or find conclusive evidence that the IP Frag decode issue
reported is accurate for either RealSecure 3.2.2 or 5.0.  We will continue
to work on this issue, and look for additional information from Modulo on
this.

                If you have questions or concerns, please email Technical
Support at [EMAIL PROTECTED]

        
===================================================================
                Bulletin #: 243
                Title: Denial of Service RealSecure
                Information Date: 8/4/00
                Product: Realsecure
                Company: ISS - Internet Security Systems
                Issued by: Módulo Security Labs


                Abstract:

                The Modulo Security Labs Team found, during a test program,
two ways to stop the ISS RealSecure 3.2.x engine. The engine is
responsible for checking and logging packets. The exploit is
very simple to reproduce, and protection measures must be adopted.

                Tested systems:

                3.2.1 Solaris - Vulnerable
                3.2.2 Solaris - Vulnerable
                3.2.1 WinNT - Vulnerable


                Solution:

                The tests with the Solaris version indicate that disabling
the SynFlood and IPFRAG attack detection can avoid the 'network_engine'
process failure.

                Exploit:

                A failure in the handling of fragmented packets with the
SYN flag set causes the immediate failure of the RealSecure engine,
disabling intrusion detection.

                On the Solaris version of RealSecure the engine process
('network_engine') is disabled, creating a core dump file.
The event is immediately reported through the RealSecure console.

                On the NT version, the engine service file
('network_engine.exe') has a slightly different bug. The service, after
crashing, restarts immediately, generating just a Windows NT Application
Log event. The tests showed that a large and continuous stream of these
packets (SYN Flood) can take the processor load up to 100%. During this
attack, RealSecure could not identify any other type of attack.

                The tests showed that the Solaris version has an additional
vulnerability in its handling of SYN packets. With a SYN Flood attack with
specific IP flags set it is possible to disable the engine in the same
way as described above. A 50 packets per minute attack was enough to cause
the flaw in a simulation.

                On both versions (NT and Solaris) the console could not
report the fragmented attack. The NT version can identify the
fragmented SYN attack as a simple SYN Flood.

                Additional Information:

                A detailed version of this advisory will be issued as soon
as ISS fixes the product.

                Modulo Security Labs - Modulo Security Solutions
                http://www.modulo.com.br/
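The condition the bulletin describes (a TCP SYN carried inside a fragmented IP datagram) is easy to mishandle in a decoder, because only the first fragment carries the TCP header and reading "flags" from a later fragment classifies arbitrary payload bytes; the bulletin's figure of about 50 packets per minute also suggests a simple rate counter. What follows is an added example, not code from ISS, Modulo or the RealSecure product: it builds a few constructed packets with the standard library, classifies each one, and counts fragmented SYNs in a sliding window. The addresses, ports and the 50-per-minute threshold are assumptions made up for the example or taken from the bulletin's own number.

```python
# Added example (not ISS or Modulo code): classify raw IPv4 datagrams for the
# condition the bulletin describes, a TCP SYN inside a fragmented IP datagram,
# and count how many arrive per minute.  All packet bytes and addresses below
# are constructed for the example.
import struct
from collections import deque

IP_MF = 0x1                  # More Fragments bit in the IPv4 flags field
TCP_SYN = 0x02
TCP_ACK = 0x10
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_HDR = "!HHIIBBHHH"       # 20-byte TCP header without options


def build_ipv4(src, dst, payload, ident=0x1234, flags=0, frag_offset=0, proto=6):
    """Minimal IPv4 datagram; checksum is left zero since this never hits a wire.
    frag_offset is in 8-byte units, as on the wire."""
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(sport, dport, flags, seq=0):
    """Minimal 20-byte TCP header carrying the given flag byte."""
    return struct.pack(TCP_HDR, sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def classify(pkt):
    """Describe an IPv4 datagram's fragmentation state and, only when a TCP
    header is actually present (first fragment, offset 0), whether it is a
    bare SYN.  Later fragments get tcp_syn=None instead of a guess."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, ident, flags_frag, _, proto, _, _, _ = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool((flags_frag >> 13) & IP_MF)
    offset = (flags_frag & 0x1FFF) * 8           # byte offset of this fragment
    fragmented = more_fragments or offset > 0
    tcp_syn = None
    if proto == 6 and offset == 0 and len(pkt) >= ihl + 14:
        tcp_flags = pkt[ihl + 13]                # 14th byte of the TCP header
        tcp_syn = bool(tcp_flags & TCP_SYN) and not (tcp_flags & TCP_ACK)
    return {
        "ident": ident,
        "fragmented": fragmented,
        "more_fragments": more_fragments,
        "offset": offset,
        "tcp_syn": tcp_syn,
        # the bulletin's condition: a SYN inside a fragmented datagram
        "fragmented_syn": fragmented and bool(tcp_syn),
    }


class FragmentedSynRateMonitor:
    """Sliding-window counter.  The bulletin reports that roughly 50 such
    packets per minute sufficed, so that is the default threshold here
    (an assumption for the example, not a tuned detection value)."""

    def __init__(self, threshold=50, window_seconds=60.0):
        self.threshold = threshold
        self.window = window_seconds
        self.times = deque()

    def observe(self, ts, verdict):
        """Record one classified packet seen at time ts (seconds).  Returns True
        once at least `threshold` fragmented SYNs fall inside the window."""
        if not verdict or not verdict["fragmented_syn"]:
            return False
        self.times.append(ts)
        while self.times and ts - self.times[0] > self.window:
            self.times.popleft()
        return len(self.times) >= self.threshold


# Constructed sample traffic (addresses and ports are made up for the example).
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
NORMAL_SYN = build_ipv4(SRC, DST, build_tcp(40000, 80, TCP_SYN))
FRAG_SYN_FIRST = build_ipv4(SRC, DST, build_tcp(40000, 80, TCP_SYN), flags=IP_MF)
# Later fragment: payload bytes only.  Byte 13 is deliberately 0x02 so a naive
# decoder that reads TCP flags from every fragment would "see" a SYN here.
FRAG_SYN_REST = build_ipv4(SRC, DST, b"\x00" * 13 + b"\x02" + b"\x00" * 6, frag_offset=3)
FRAG_ACK_FIRST = build_ipv4(SRC, DST, build_tcp(40000, 80, TCP_ACK), flags=IP_MF)

if __name__ == "__main__":
    samples = [("normal SYN", NORMAL_SYN), ("fragmented SYN, first fragment", FRAG_SYN_FIRST),
               ("fragmented SYN, later fragment", FRAG_SYN_REST), ("fragmented ACK", FRAG_ACK_FIRST)]
    for name, pkt in samples:
        print(name, classify(pkt))
```

Only the first fragment is ever inspected for TCP flags; a datagram whose first fragment is a bare SYN and which is also fragmented is what the monitor counts, and a burst of 50 of them inside a minute trips it.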
