ISS X-Force has announced a denial of service vulnerability that may allow remote attackers to crash or disrupt affected versions of the BlackICE Defender and BlackICE Agent desktop firewall/intrusion protection products, and affected versions of RealSecure Server Sensor.
Credit:
The information has been provided by Matt Taylor and X-Force.
Affected Versions:
* BlackICE Defender 2.9 on Microsoft Windows 2000 and XP
* BlackICE Defender for Server 2.9 on Microsoft Windows 2000 and XP
* BlackICE Agent for Workstation 3.0 and 3.1 on Microsoft Windows 2000 and XP
* BlackICE Agent for Server 3.0 and 3.1 on Microsoft Windows 2000 and XP
* RealSecure Server Sensor 6.0.1 and 6.5 on Microsoft Windows 2000
BlackICE Sentry and BlackICE Guard are not affected by this vulnerability.
* Note: This attack yields inconsistent results against RealSecure Server Sensor systems.
All current versions of BlackICE Defender, BlackICE Agent, and RealSecure Server Sensor running on Windows 2000 or Windows XP can be remotely crashed using a modified ping flood attack. The vulnerability is caused by a flaw in the routines used for capturing transmitted packets: memory can be overwritten in a way that may cause the engine to crash or to behave unpredictably.
The risk of this vulnerability to corporate users is minimal, because most corporate firewalls already block ICMP from external IP addresses. Systems located behind a corporate firewall are unlikely to be affected by ICMP-based attacks from the Internet; they remain reachable by ICMP from other hosts inside the perimeter, so the workarounds below still apply until the patch is installed.
Exploit:
Flooding the target with ICMP Echo Requests whose packet size is set to about 10,000 bytes causes a Blue Screen of Death (or an immediate system reboot) on the affected host.
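The attack traffic described above and the rule the workarounds below rely on, as an added example that is not part of the ISS advisory or the BlackICE product: a 10,000-byte ping does not fit in one Ethernet frame, so it arrives as IP fragments of which only the first carries the ICMP type and code. The code constructs such a datagram offline, then applies the advisory's "REJECT, 8:0, ICMP" rule per datagram rather than per packet, and counts datagrams whose reassembled size exceeds the MTU. The 1500-byte MTU, the addresses and the IP identifiers are assumptions made for the example.

```python
"""Added example, not part of the ISS advisory: build the kind of traffic the
advisory describes (an ICMP Echo Request with a ~10,000-byte payload, which
arrives as IP fragments) and apply the advisory's "REJECT, 8:0, ICMP" rule to
it. Only the first fragment carries the ICMP type/code, so the filter decides
per datagram, not per packet. Everything here is constructed offline."""
import struct

ICMP = 1
ECHO_REQUEST = (8, 0)   # "8:0" in the advisory's workaround rules
MTU = 1500              # assumption: Ethernet MTU, so a 10,000-byte ping becomes 7 fragments


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(payload: bytes, icmp_type: int = 8, code: int = 0, ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    head = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, code, _checksum(head + payload), ident, seq) + payload


def fragment_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ident: int, mtu: int = MTU) -> list:
    """Split one datagram into IPv4 fragments as a sending host would (20-byte header, no options)."""
    chunk = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8 except the last
    frags = []
    for off in range(0, len(payload), chunk):
        part = payload[off:off + chunk]
        more = 1 if off + chunk < len(payload) else 0
        head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(part), ident,
                           (more << 13) | (off // 8), 64, proto, 0, src, dst)
        frags.append(head + part)
    return frags


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the filter needs and refuse anything that is not a sane IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad IPv4 header")
    return {"src": src, "dst": dst, "ident": ident, "proto": proto,
            "more": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


class EchoRequestFilter:
    """Apply REJECT 8:0/ICMP per datagram. The verdict is taken on the fragment at
    offset 0 and remembered by (src, dst, IP id) for trailing fragments; a trailing
    fragment that arrives before its first fragment is reported as "hold". Datagrams
    whose reassembled size exceeds `oversize` are counted, whatever their type."""

    def __init__(self, oversize: int = MTU):
        self.oversize = oversize
        self.datagrams = {}          # (src, dst, ident) -> {"verdict": ..., "total": ...}
        self.oversize_seen = set()

    def inspect(self, pkt: bytes) -> tuple:
        """Return (verdict, reassembled length or None) for one IP packet."""
        ip = parse_ipv4(pkt)
        if ip["proto"] != ICMP:
            return "accept", None
        key = (ip["src"], ip["dst"], ip["ident"])
        state = self.datagrams.setdefault(key, {"verdict": None, "total": None})
        if ip["offset"] == 0 and len(ip["payload"]) >= 2:
            type_code = (ip["payload"][0], ip["payload"][1])
            state["verdict"] = "reject" if type_code == ECHO_REQUEST else "accept"
        if not ip["more"]:
            state["total"] = ip["offset"] + len(ip["payload"])
            if state["total"] > self.oversize:
                self.oversize_seen.add(key)
        return state["verdict"] or "hold", state["total"]


def demo() -> dict:
    """Constructed traffic: a 'ping -s 10000' style request, a normal echo reply, a TCP segment."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    frags = fragment_ipv4(src, dst, ICMP, build_icmp(b"A" * 10000), ident=0x4242)
    reply = fragment_ipv4(dst, src, ICMP, build_icmp(b"B" * 56, icmp_type=0), ident=0x4243)[0]
    tcp = fragment_ipv4(src, dst, 6, b"\x00" * 20, ident=0x4244)[0]
    f = EchoRequestFilter()
    ping = [f.inspect(p) for p in frags]
    return {"ping_fragments": len(frags),
            "ping_verdicts": [v for v, _ in ping],
            "ping_total": ping[-1][1],
            "reply_verdict": f.inspect(reply)[0],
            "tcp_verdict": f.inspect(tcp)[0],
            "oversize_datagrams": len(f.oversize_seen)}


if __name__ == "__main__":
    print(demo())
```

The per-datagram bookkeeping is the point: a filter that only looks at each packet's ICMP header would pass six of the seven fragments of the 10,000-byte request, because those fragments carry no ICMP header at all. Echo replies (type 0) are still accepted, which matches what the advisory's 8:0 rule does, so outbound pings from the protected host keep working.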
Recommendations:
Internet Security Systems has developed and is testing a fix for this vulnerability that will be available as soon as possible. This alert will be updated as soon as patches are available. BlackICE Defender customers can install Defender updates by clicking on the "Tools" menu, and then the "Download Updates" button. Corporate users of BlackICE Agent can install updates centrally using the ICEcap Management Console, or manually on individual systems.
BlackICE Agent workaround:
Internet Security Systems recommends that ICEcap administrators apply the following workaround for BlackICE Agent until a patch is made available. Apply the following rule within the ICEcap Manager to block ICMP Echo Requests on all managed agents:
1. Select the Firewall Rule Set to be modified.
2. Click "Add Setting" to the right of Firewall Rules.
3. Change Type to ICMP.
4. Enter "8:0" (ICMP type 8, code 0, i.e. Echo Request) in the Rule Specification window.
5. Ensure that Reject is selected in the Setting window.
6. Click "Save Settings".
This will add a rule to the policy on ICEcap to block all Echo Requests on Agents reporting to the group and using that policy.
BlackICE Defender workaround:
Internet Security Systems recommends that BlackICE Defender users apply the following workaround until a patch is made available. Apply the following rule to block ICMP Echo Requests.
1. Open the firewall.ini file.
2. Under the [MANUAL ICMP ACCEPT] section, add the following line: REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI
3. Save the firewall.ini file.
4. The next time you open BlackICE, click OK when the following pop-up window appears: "A configuration file change was detected."
RealSecure Server Sensor workaround:
Internet Security Systems RealSecure Server Sensor customers can configure Server Sensor to block ICMP packets using the following steps. X-Force recommends that administrators investigate the implications of blocking ICMP in their environments before applying this rule.
1. Open the Server Sensor policy to which you want to add this rule.
2. Select the Protect tab, open the Protect folder, and then open the Firecell folder.
3. Select the ICMP Inbound section.
4. Click Add to create a new rule.
5. Type a name for the Firecell rule, such as Block_ICMP, and then click OK. The new rule is added to the policy in the ICMP Inbound section.
6. Select the rule that you just created. The properties of the rule appear in the right pane.
7. Set the priority of the event in the Priority box.
8. Leave the IP address field blank.
9. In the Actions section, select Action (3) Not in the range of listed IP addresses, drop the packet, and generate the selected responses.
10. In the Response section, select the responses you want the sensor to take when this rule is triggered.
11. Save and apply the policy to the sensor.