Internet Security Systems Security Alert
February 4, 2002
Last Revised: February 8, 2002

DoS and Potential Overflow Vulnerability in BlackICE Products

Synopsis:

ISS X-Force is aware of a denial of service vulnerability that may allow remote attackers to crash or disrupt affected versions of BlackICE Defender and BlackICE Agent desktop firewall/intrusion protection products, and affected versions of RealSecure Server Sensor. X-Force has learned that it may be possible for remote attackers to exploit this vulnerability to execute arbitrary code on targeted computers.

Description:

Affected versions of BlackICE Defender, BlackICE Agent, and RealSecure Server Sensor running on Windows 2000 or Windows XP can be remotely crashed using a modified ping flood attack. The vulnerability is caused by a flaw in the routines used for capturing transmitted packets. Memory can be overwritten in such a manner that may cause the engine to crash or to behave in an unpredictable manner. It may be possible for attackers to control which areas of memory are overwritten, leading to the execution of arbitrary code.

The risk of this vulnerability to corporate users is minimal, because most corporate firewalls already block ICMP from external IP addresses. Systems located behind a corporate firewall are unlikely to be affected by ICMP-based attacks.

Affected Versions:

BlackICE Defender 2.9 on Microsoft Windows 2000 and XP
BlackICE Defender for Server 2.9 on Microsoft Windows 2000 and XP
BlackICE Agent for Workstation 3.0 and 3.1 on Microsoft Windows 2000 and XP
BlackICE Agent for Server 3.0 and 3.1 on Microsoft Windows 2000 and XP
* RealSecure Server Sensor 6.0.1 and 6.5 on Microsoft Windows 2000

* Note: This attack yields inconsistent results against RealSecure Server Sensor systems.
The following products are NOT vulnerable:

BlackICE Sentry
BlackICE Guard
RealSecure Network Sensor
BlackICE Agent (for Server and Workstation), prior to version 3.0
BlackICE Defender (and BlackICE Defender for Server), prior to version 2.9
RealSecure Server Sensor, prior to version 6.0.1

Recommendations:

Internet Security Systems has developed and is testing fixes for this vulnerability. Some patches are available now (see patch status below). This alert will be updated as soon as additional patches are available.

BlackICE Defender
Patch Release version 2.9.car is available at:
http://www.iss.net/support/consumer/BI_downloads.php

BlackICE Agent
This patch will be available soon at the ISS Downloads Web site.

RealSecure Server Sensor 6.0.1
Service Release 1.1 will be available soon at the ISS Downloads Web site.

RealSecure Server Sensor 6.5
Service Release 3.1 will be available soon at the ISS Downloads Web site.

BlackICE Defender customers can install Defender updates by clicking on the "Tools" menu, and then the "Download Updates" button. Corporate users of BlackICE Agent can install updates centrally using the ICEcap Management Console, or manually on individual systems.

If you cannot apply the patch, use the workaround below that is appropriate for your system.

BlackICE Agent Workaround:

Internet Security Systems recommends that ICEcap administrators apply the following workaround for BlackICE Agent until a patch is made available. Apply the following rule within the ICEcap Manager to block ICMP Echo Requests on all managed agents:

1. Select the Firewall Rule Set to be modified.
2. Click "Add Setting" to the right of Firewall Rules.
3. Change Type to ICMP.
4. Enter "8:0" in the Rule Specification window.
5. Ensure that Reject is selected in the Setting window.
6. Click "Save Settings".

This will add a rule to the policy on ICEcap to block all Echo Requests on Agents reporting to the group and using that policy.
BlackICE Defender Workaround:

Internet Security Systems recommends that BlackICE Defender users apply the following workaround until a patch is made available. Apply the following rule to block ICMP Echo Requests.

1. Open the firewall.ini file.
2. Under the [MANUAL ICMP ACCEPT] section, add the following line:
   REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI
3. Save the firewall.ini file.
4. The next time you open BlackICE, click OK when the following pop-up window appears: "A configuration file change was detected."

RealSecure Server Sensor Workaround:

Internet Security Systems RealSecure Server Sensor customers can configure Server Sensor to block ICMP packets using the following steps. X-Force recommends that administrators investigate the implications of blocking ICMP in their environments before applying this rule.

1. Open the Server Sensor policy to which you want to add this rule.
2. Select the Protect tab, open the Protect folder, and then open the Firecell folder.
3. Select the ICMP Inbound section.
4. Click Add to create a new rule.
5. Type a name for the firecell rule, such as Block_ICMP, and then click OK. The new rule is added to the policy in the ICMP Inbound section.
6. Select the rule that you just created. The properties of the rule appear in the right pane.
7. Set the priority of the event in the Priority box.
8. Leave the IP address field blank.
9. In the Actions section, select Action (3) Not in the range of listed IP addresses, drop the packet and generate the selected responses.
10. In the Response section, select the responses you want the sensor to take when this rule is triggered.
11. Save and apply the policy to the sensor.
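The BlackICE Defender workaround above is a manual edit of firewall.ini; an administrator with many unpatched desktops will want to verify, and if necessary apply, that edit without opening each file by hand. The following script is an added example and not ISS code: it checks whether the [MANUAL ICMP ACCEPT] section already carries a REJECT rule for ICMP 8:0 (Echo Request) and inserts the exact line from the advisory when it is missing. It assumes the file is plain text with one rule per line under a bracketed section header; the sample firewall.ini fragment is constructed for illustration.

```python
"""Check for, and add if absent, the ICMP Echo Request reject rule that the
ISS alert tells BlackICE Defender users to place in firewall.ini.
Added example (not ISS code); assumes a line-oriented INI layout."""
import re

SECTION = "[MANUAL ICMP ACCEPT]"
# The exact workaround line quoted in the advisory.
REJECT_RULE = "REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI"
# A rule counts as present if it rejects ICMP type 8 code 0, whatever its
# timestamp or trailing fields say.
RULE_RE = re.compile(r"^\s*REJECT\s*,\s*8:0\s*,\s*ICMP\b", re.IGNORECASE)


def section_span(ini_text, section=SECTION):
    """Return (start, end) line indexes of the section body, or None if the
    section header is not in the file."""
    lines = ini_text.splitlines()
    start = None
    for i, line in enumerate(lines):
        if line.strip().upper() == section:
            start = i + 1
        elif start is not None and line.strip().startswith("["):
            return start, i          # next section header ends the body
    return None if start is None else (start, len(lines))


def has_echo_request_reject(ini_text):
    """True if [MANUAL ICMP ACCEPT] already rejects ICMP 8:0."""
    span = section_span(ini_text)
    if span is None:
        return False
    body = ini_text.splitlines()[span[0]:span[1]]
    return any(RULE_RE.match(line) for line in body)


def ensure_echo_request_reject(ini_text):
    """Return ini_text with the workaround rule present; the section is
    created at the end of the file if it does not exist. Line endings of
    the input (CRLF on Windows) are preserved."""
    if has_echo_request_reject(ini_text):
        return ini_text
    nl = "\r\n" if "\r\n" in ini_text else "\n"
    lines = ini_text.splitlines()
    span = section_span(ini_text)
    if span is None:
        if lines and lines[-1].strip():
            lines.append("")         # blank line before the new section
        lines.extend([SECTION, REJECT_RULE])
    else:
        lines.insert(span[0], REJECT_RULE)   # first line under the header
    return nl.join(lines) + nl


# Constructed firewall.ini fragment (placeholder content, not a real file):
SAMPLE_INI = ("[MANUAL ICMP ACCEPT]\n"
              "; constructed placeholder line, no reject rule yet\n"
              "\n[OTHER SECTION]\nx=1\n")
```

Run the script against a copy of firewall.ini first; BlackICE re-reads the file on its next start, as step 4 of the workaround describes.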
Additional Information:

ISS Download Center, http://www.iss.net/download
BlackICE Defender Downloads, http://www.iss.net/support/consumer/BI_downloads.php
ISS X-Force Database, http://www.iss.net/security_center/static/8058.php

This alert is available at:
http://www.iss.net/security_center/alerts/advise109.php

Revision History:

2/5/02: Updated affected versions and recommendations sections.
2/8/02: Updated synopsis, description, and recommendations sections.

______

About Internet Security Systems (ISS)

Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. For more information, visit the Internet Security Systems Web site at <www.iss.net> or call 888-901-7477.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at:
http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force [EMAIL PROTECTED] of Internet Security Systems, Inc.
