RealSecure Network Sensor 7.0
Proventia A Series
Proventia G Series
Proventia M Series
RealSecure Server Sensor 7.0
Proventia Server
RealSecure Desktop 7.0
Proventia Desktop
BlackICE PC Protection 3.6
BlackICE Server Protection 3.6
Unaffected systems & software
Summary
NSFocus Security Team discovered a remote DoS vulnerability in ISS RealSecure/
BlackICE products lines' detection of MailSlot Heap Overflow (MS06-035). By
sending a specific SMB MailSlot packet it's possible to cause DoS in ISS
protection products.
Description
There is a DoS vulnerability in ISS protection products' detection of SMB_MailSlot_Heap_Overflow
(MS06-035/KB917159). By sending a specific SMB MailSlot packet it's possible
to cause an infinite loop to occur in the detection code, and the ISS product
or even the operating system will stop to respond. For example, for BlackICE
the vulnerability might cause the inerruption of the network traffic,
and an approximately 100% CPU utilization. STOP BlackICE engine will not restore
normal operation. Instead OS restart is required.
This vulnerability can be triggered by a single packet. The establishment of
a real SMB session is not required.
Workaround
Block ports TCP/445 and TCP/139 at the firewall.
Vendor Status
2006.07.24 Informed the vendor
2006.07.25 Vendor confirmed the vulnerability
2006.07.26 ISS has released a security alert and related patches.
For more details about the security alert, please refer to:
http://xforce.iss.net/xforce/alerts/id/230
ISS has released the following XPUs to fix this vulnerability:
RealSecure Network 7.0, XPU 24.40
Proventia A Series, XPU 24.40
Proventia G Series, XPU 24.40/1.79
Proventia M Series, XPU 1.79
RealSecure Server Sensor 7.0, XPU 24.40
Proventia Server 1.0.914.1880
RealSecure Desktop 7.0 epk
Proventia Desktop 8.0.812.1790/8.0.675.1790
BlackICE PC Protection 3.6 cpk
BlackICE Server Protection 3.6 cpk
Additional Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-3840 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security problems.
Candidates may change significantly before they become official CVE entries.
Acknowledgment
Chen Qing of NSFocus Security Team found the vulnerability.
DISCLAIMS
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.
Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.
NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)
{"id": "SECURITYVULNS:DOC:13660", "bulletinFamily": "software", "title": "NSFOCUS SA2006-07 : ISS RealSecure/BlackICE MailSlot Heap Overflow Detection Remote DoS Vulnerability", "description": "NSFOCUS Security Advisory (SA2006-07)\r\n\r\nISS RealSecure/BlackICE MailSlot Heap Overflow Detection Remote DoS Vulnerability\r\n\r\nRelease Date: 2006-07-27\r\n\r\nCVE ID: CVE-2006-3840\r\n\r\nhttp://www.nsfocus.com/english/homepage/research/0607.htm\r\n\r\nAffected systems & software\r\n===================\r\n\r\nRealSecure Network Sensor 7.0\r\nProventia A Series\r\nProventia G Series\r\nProventia M Series\r\nRealSecure Server Sensor 7.0\r\nProventia Server\r\nRealSecure Desktop 7.0\r\nProventia Desktop\r\nBlackICE PC Protection 3.6\r\nBlackICE Server Protection 3.6\r\n\r\nUnaffected systems & software\r\n===================\r\n\r\n\r\nSummary\r\n=========\r\n\r\nNSFocus Security Team discovered a remote DoS vulnerability in ISS RealSecure/\r\nBlackICE products lines' detection of MailSlot Heap Overflow (MS06-035). By\r\nsending a specific SMB MailSlot packet it's possible to cause DoS in ISS\r\nprotection products.\r\n\r\nDescription\r\n============\r\n\r\nThere is a DoS vulnerability in ISS protection products' detection of SMB_MailSlot_Heap_Overflow\r\n(MS06-035/KB917159). By sending a specific SMB MailSlot packet it's possible\r\nto cause an infinite loop to occur in the detection code, and the ISS product \r\nor even the operating system will stop to respond. For example, for BlackICE \r\nthe vulnerability might cause the inerruption of the network traffic, \r\nand an approximately 100% CPU utilization. STOP BlackICE engine will not restore\r\nnormal operation. Instead OS restart is required. \r\n\r\nThis vulnerability can be triggered by a single packet. The establishment of \r\na real SMB session is not required. \r\n\r\nWorkaround\r\n=============\r\n\r\nBlock ports TCP/445 and TCP/139 at the firewall.\r\n \r\nVendor Status\r\n==============\r\n\r\n2006.07.24 Informed the vendor\r\n2006.07.25 Vendor confirmed the vulnerability\r\n2006.07.26 ISS has released a security alert and related patches.\r\n \r\nFor more details about the security alert, please refer to:\r\nhttp://xforce.iss.net/xforce/alerts/id/230\r\n\r\nISS has released the following XPUs to fix this vulnerability:\r\n\r\nRealSecure Network 7.0, XPU 24.40\r\nProventia A Series, XPU 24.40\r\nProventia G Series, XPU 24.40/1.79\r\nProventia M Series, XPU 1.79\r\nRealSecure Server Sensor 7.0, XPU 24.40\r\nProventia Server 1.0.914.1880\r\nRealSecure Desktop 7.0 epk\r\nProventia Desktop 8.0.812.1790/8.0.675.1790\r\nBlackICE PC Protection 3.6 cpk\r\nBlackICE Server Protection 3.6 cpk\r\n\r\nAdditional Information\r\n========================\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2006-3840 to this issue. This is a candidate for inclusion in the \r\nCVE list (http://cve.mitre.org), which standardizes names for security problems.\r\nCandidates may change significantly before they become official CVE entries.\r\n\r\nAcknowledgment\r\n===============\r\n\r\nChen Qing of NSFocus Security Team found the vulnerability.\r\n\r\nDISCLAIMS\r\n==========\r\nTHE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY\r\nOF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED,\r\nEXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS\r\nBE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,\r\nINCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,\r\nEVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.\r\nDISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE\r\nADVISORY IS NOT MODIFIED IN ANY WAY.\r\n\r\nCopyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.\r\n\r\n\r\nNSFOCUS Security Team <security@nsfocus.com>\r\nNSFOCUS INFORMATION TECHNOLOGY CO.,LTD\r\n(http://www.nsfocus.com)\r\n\r\nPGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc\r\nKey fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA\r\n", "published": "2006-07-28T00:00:00", "modified": "2006-07-28T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13660", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2006-3840"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:18", "edition": 1, "viewCount": 3, "enchantments": {"score": {"value": 6.7, "vector": "NONE", "modified": "2018-08-31T11:10:18", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3840"]}, {"type": "osvdb", "idList": ["OSVDB:27550"]}], "modified": "2018-08-31T11:10:18", "rev": 2}, "vulnersScore": 6.7}, "affectedSoftware": [], "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:27:23", "description": "The SMB Mailslot parsing functionality in PAM in multiple ISS products with XPU (24.39/1.78/epj/x.x.x.1780), including Proventia A, G, M, Server, and Desktop, BlackICE PC and Server Protection 3.6, and RealSecure 7.0, allows remote attackers to cause a denial of service (infinite loop) via a crafted SMB packet that is not properly handled by the SMB_Mailslot_Heap_Overflow decode.", "edition": 4, "cvss3": {}, "published": "2006-07-27T11:04:00", "title": "CVE-2006-3840", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3840"], "modified": "2018-10-17T21:31:00", "cpe": ["cpe:/h:iss:proventia_g_series_xpu:*", "cpe:/a:iss:blackice_server_protection:3.6cpk", "cpe:/h:iss:proventia_a_series_xpu:*", "cpe:/h:iss:proventia_m_series_xpu:*", "cpe:/a:iss:proventia_desktop:8.0.675.1790", "cpe:/a:iss:realsecure_network:7.0", "cpe:/h:iss:proventia_server:1.0.914.1880", "cpe:/a:iss:realsecure_server_sensor:7.0", "cpe:/a:iss:proventia_desktop:8.0.812.1790", "cpe:/a:iss:blackice_pc_protection:3.6cpk", "cpe:/a:iss:realsecure_desktop:7.0epk"], "id": "CVE-2006-3840", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3840", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:iss:realsecure_network:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:iss:blackice_pc_protection:3.6cpk:*:*:*:*:*:*:*", "cpe:2.3:a:iss:proventia_desktop:8.0.675.1790:*:*:*:*:*:*:*", "cpe:2.3:a:iss:realsecure_server_sensor:7.0:*:*:*:*:*:*:*", "cpe:2.3:h:iss:proventia_g_series_xpu:*:*:*:*:*:*:*:*", "cpe:2.3:h:iss:proventia_server:1.0.914.1880:*:*:*:*:*:*:*", "cpe:2.3:a:iss:realsecure_desktop:7.0epk:*:*:*:*:*:*:*", "cpe:2.3:a:iss:proventia_desktop:8.0.812.1790:*:*:*:*:*:*:*", "cpe:2.3:h:iss:proventia_m_series_xpu:*:*:*:*:*:*:*:*", "cpe:2.3:h:iss:proventia_a_series_xpu:*:*:*:*:*:*:*:*", "cpe:2.3:a:iss:blackice_server_protection:3.6cpk:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-3840"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=3630\n[Vendor Specific Advisory URL](http://xforce.iss.net/xforce/alerts/id/230)\n[Secunia Advisory ID:21219](https://secuniaresearch.flexerasoftware.com/advisories/21219/)\nOther Advisory URL: http://www.nsfocus.com/english/homepage/research/0607.htm\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0477.html\nKeyword: NSFOCUS Security Advisory (SA2006-07)\n[CVE-2006-3840](https://vulners.com/cve/CVE-2006-3840)\n", "modified": "2006-07-26T11:34:12", "published": "2006-07-26T11:34:12", "href": "https://vulners.com/osvdb/OSVDB:27550", "id": "OSVDB:27550", "title": "RealSecure/BlackICE MailSlot Overflow Detection Crafted Packet Remote DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}
