|
|
|
|
| |
Credit:
The information has been provided by Brian Reilly.
The original article can be found at: http://www.securityfocus.com/bid/21548
|
| |
Vulnerable Systems:
* MFR version 1.1.0 and prior
Immune Systems:
* MFR version 1.1.1
Vulnerability #1: Denial of Service against an SSL agent through malformed client requests
When run in daemon mode, the First Response agent (FRAgent.exe) accepts remote connections from a First Response console via HTTP or a modified HTTPS implementation. By sending a series of specially-crafted requests to an SSL-enabled agent, it is possible to force the agent to throw an exception that is not properly handled. After this occurs, the agent's sockets will enter an indefinite CLOSE_WAIT state and all subsequent connection attempts will be refused. The service then must be restarted in order to recover and accept connections again.
Vulnerability #2: Denial of Service against an HTTP or SSL agent through Agent hijacking
An FRAgent daemon permits other processes to bind to the same socket addresses on which it is already listening. If FRAgent is bound to a 0.0.0.0 wildcard address ("all interfaces"), a rogue process can intercept client connections by subsequently binding to the same port on a specific IP address. By hijacking an agent with a non-responsive listener, an attacker can effectively prevent all legitimate client connections.
Vulnerability #3: Command Console and Data Manipulation through HTTP Agent Hijacking
If an HTTP FRAgent daemon is hijacked, the attacker can control the response data sent to and processed by a client, as well as other aspects of client behavior. A rogue process can conduct a man-in-the-middle attack to redirect and modify all requests and responses between the client and a legitimate agent. The attacker can also send specially-crafted HTTP responses that force the client to visit arbitrary URLs and/or download arbitrary content. (NOTE: The use of HTTPS/SSL is default behavior for First Response; using cleartext HTTP requires manual configuration.)
Vendor Response:
Mandiant has confirmed the reports provided by Symantec and updated Mandiant First Response (MFR) to correct these issues. Version 1.1.1 is now available for download from http://www.mandiant.com/firstresponse.htm. Mandiant advises all users of MFR to upgrade to 1.1.1 as soon as possible. Registered users of the software have been notified via email of availability of the upgrade.
During the course of our review we noted the following addenda to Symantec's analysis:
Vulnerability 1: The DoS condition was due to a design error where the Agent would choose to exit upon receipt of a malformed request. The exit was an explicit choice exercised by the code path and not caused by a buffer overflow or heap corruption. Version 1.1.1 addresses the explicit exit condition and correctly handles requests with malformed payloads, allowing the MFR Agent to continue operation while correctly rejecting malformed requests.
Vulnerability 2 and 3: The vulnerabilities are present because the MFR Agent opens its listening port in non-exclusive mode. Version 1.1.1 correctly opens the port as exclusive, preventing the multiple-bind condition.
Mandiant would like to thank Brian Reilly and Scott King for discovering and notifying us of these vulnerabilities, and Symantec for their participation in public disclosure.
Recommendation:
Upgrade to MFR version 1.1.1, available at http://www.mandiant.com/firstresponse.htm.
CVE Information:
CVE-2006-6475, CVE-2006-6476, CVE-2006-6477
|
|
|
|
|
