NSFOCUS SA2006-07 : ISS RealSecure/BlackICE MailSlot Heap Overflow Detection Remote DoS Vulnerability

2006-07-28T00:00:00
ID SECURITYVULNS:DOC:13660
Type securityvulns
Reporter Securityvulns
Modified 2006-07-28T00:00:00

Description

NSFOCUS Security Advisory (SA2006-07)

ISS RealSecure/BlackICE MailSlot Heap Overflow Detection Remote DoS Vulnerability

Release Date: 2006-07-27

CVE ID: CVE-2006-3840

http://www.nsfocus.com/english/homepage/research/0607.htm

Affected systems & software

RealSecure Network Sensor 7.0 Proventia A Series Proventia G Series Proventia M Series RealSecure Server Sensor 7.0 Proventia Server RealSecure Desktop 7.0 Proventia Desktop BlackICE PC Protection 3.6 BlackICE Server Protection 3.6

Unaffected systems & software

Summary

NSFocus Security Team discovered a remote DoS vulnerability in ISS RealSecure/ BlackICE products lines' detection of MailSlot Heap Overflow (MS06-035). By sending a specific SMB MailSlot packet it's possible to cause DoS in ISS protection products.

Description

There is a DoS vulnerability in ISS protection products' detection of SMB_MailSlot_Heap_Overflow (MS06-035/KB917159). By sending a specific SMB MailSlot packet it's possible to cause an infinite loop to occur in the detection code, and the ISS product or even the operating system will stop to respond. For example, for BlackICE the vulnerability might cause the inerruption of the network traffic, and an approximately 100% CPU utilization. STOP BlackICE engine will not restore normal operation. Instead OS restart is required.

This vulnerability can be triggered by a single packet. The establishment of a real SMB session is not required.

Workaround

Block ports TCP/445 and TCP/139 at the firewall.

Vendor Status

2006.07.24 Informed the vendor 2006.07.25 Vendor confirmed the vulnerability 2006.07.26 ISS has released a security alert and related patches.

For more details about the security alert, please refer to: http://xforce.iss.net/xforce/alerts/id/230

ISS has released the following XPUs to fix this vulnerability:

RealSecure Network 7.0, XPU 24.40 Proventia A Series, XPU 24.40 Proventia G Series, XPU 24.40/1.79 Proventia M Series, XPU 1.79 RealSecure Server Sensor 7.0, XPU 24.40 Proventia Server 1.0.914.1880 RealSecure Desktop 7.0 epk Proventia Desktop 8.0.812.1790/8.0.675.1790 BlackICE PC Protection 3.6 cpk BlackICE Server Protection 3.6 cpk

Additional Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-3840 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries.

Acknowledgment

Chen Qing of NSFocus Security Team found the vulnerability.

DISCLAIMS

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <security@nsfocus.com> NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA