[NT] Remote Denial of Service Vulnerability in BlackICE Products

From: support@securiteam.com
Date: 02/06/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed,  6 Feb 2002 14:06:45 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Remote Denial of Service Vulnerability in BlackICE Products
------------------------------------------------------------------------

SUMMARY

ISS X-Force has announced a denial of service vulnerability that may allow
remote attackers to crash or disrupt affected versions of BlackICE
Defender and BlackICE Agent desktop firewall/intrusion protection
products, and affected versions of RealSecure Server Sensor.

DETAILS

Affected Versions:
 * BlackICE Defender 2.9 on Microsoft Windows 2000 and XP
 * BlackICE Defender for Server 2.9 on Microsoft Windows 2000 and XP
 * BlackICE Agent for Workstation 3.0 and 3.1 on Microsoft Windows 2000 and XP
 * BlackICE Agent for Server 3.0 and 3.1 on Microsoft Windows 2000 and XP
 * RealSecure Server Sensor 6.0.1 and 6.5 on Microsoft Windows 2000

BlackICE Sentry and BlackICE Guard are not affected by this vulnerability.

* Note: This attack yields inconsistent results against RealSecure Server
Sensor systems.

All current versions of BlackICE Defender, BlackICE Agent, and RealSecure
Server Sensor running on Windows 2000 or Windows XP can be remotely
crashed using a modified ping flood attack. The vulnerability is caused by
a flaw in the routines used for capturing transmitted packets. Memory can
be overwritten in such a manner that may cause the engine to crash or to
behave in an unpredictable manner.

The risk of this vulnerability to corporate users is minimal, because most
corporate firewalls already block ICMP from external IP addresses. Systems
located behind a corporate firewall are unlikely to be affected by
ICMP-based attacks.

Exploit:
Setting the packet size to about 10,000 bytes causes a Blue Screen of
Death (or immediate system reboot).

Recommendations:
Internet Security Systems has developed and is testing a fix for this
vulnerability that will be available as soon as possible. This alert will
be updated as soon as patches are available. BlackICE Defender customers
can install Defender updates by clicking on the "Tools" menu, and then the
"Download Updates" button. Corporate users of BlackICE Agent can install
updates centrally using the ICEcap Management Console, or manually on
individual systems.

BlackICE Agent workaround:
Internet Security Systems recommends that ICEcap administrators apply the
following workaround for BlackICE Agent until a patch is made available.
Apply the following rule within the ICEcap Manager to block ICMP Echo
Requests on all managed agents:

1. Select the Firewall Rule Set to be modified.
2. Click "Add Setting" to the right of Firewall Rules.
3. Change Type to ICMP.
4. Enter "8:0" in the Rule Specification window.
5. Ensure that Reject is selected in the Setting window.
6. Click "Save Settings".

This will add a rule to the policy on ICEcap to block all Echo Requests on
Agents reporting to the group and using that policy.

BlackICE Defender workaround:
Internet Security Systems recommends that BlackICE Defender users apply
the following workaround until a patch is made available. Apply the
following rule to block ICMP Echo Requests.

1. Open the firewall.ini file.
2. Under the [MANUAL ICMP ACCEPT] section, add the following line:
   REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI
3. Save the firewall.ini file.
4. The next time you open BlackICE, click OK when the following pop-up
window appears: "A configuration file change was detected."

RealSecure Server Sensor workaround:
Internet Security Systems RealSecure Server Sensor customers can configure
Server Sensor to block ICMP packets using the following steps. X-Force
recommends that administrators investigate the implications of blocking
ICMP in their environments before applying this rule.

1. Open the Server Sensor policy to which you want to add this rule.
2. Select the Protect tab, open the Protect folder, and then open the
Firecell folder.
3. Select the ICMP Inbound section.
4. Click Add to create a new rule.
5. Type a name for the Firecell rule, such as Block_ICMP, and then click
OK. The new rule is added to the policy in the ICMP Inbound section.
6. Select the rule that you just created. The properties of the rule
appear in the right pane.
7. Set the priority of the event in the Priority box.
8. Leave the IP address field blank.
9. In the Actions section, select Action (3) Not in the range of listed IP
addresses, drop the packet, and generate the selected responses.
10. In the Response section, select the responses you want the sensor to
take when this rule is triggered.
11. Save and apply the policy to the sensor.
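All three workarounds above configure the same thing: reject ICMP type 8, code 0 (Echo Request). As an added illustration that is not part of this advisory or of any ISS product, the following Python classifier applies that "8:0" rule to raw IPv4 packets and also handles the case an oversized ping produces on the wire: a ~10,000-byte echo request is carried as several IP fragments, and only the first fragment contains the ICMP type:code header the rule can match. The packet builders, thresholds and function names are assumptions for the demonstration; packets are constructed inline.

```python
import struct

ICMP_PROTO = 1
ECHO_REQUEST = (8, 0)  # the "8:0" type:code pair from the advisory's workaround rules


def build_ipv4(proto: int, payload: bytes, frag_offset: int = 0, more_fragments: bool = False) -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header (checksum left zero)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def build_icmp(icmp_type: int, icmp_code: int, data: bytes = b"") -> bytes:
    """Constructed ICMP echo header (checksum left zero) followed by data."""
    return struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1) + data


def parse_ipv4(pkt: bytes) -> dict:
    """Decode only the IPv4 fields the rule needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"total_len": total_len, "proto": proto,
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:]}


def classify(pkt: bytes) -> str:
    """'reject-echo' for ICMP 8:0 (the advisory's rule); 'reject-icmp-fragment' for a
    non-initial fragment of an ICMP datagram, which carries no ICMP header at all, so a
    stateless type:code match cannot classify it on its own; otherwise 'accept'."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != ICMP_PROTO:
        return "accept"
    if ip["frag_offset"] != 0:
        return "reject-icmp-fragment"
    if len(ip["payload"]) < 4:
        raise ValueError("truncated ICMP header")
    if tuple(ip["payload"][:2]) == ECHO_REQUEST:
        return "reject-echo"
    return "accept"
```

For a large echo request split into fragments, the first fragment (more_fragments set, offset 0) matches the 8:0 rule and the remaining fragments (offset > 0) fall under the fragment rule, while echo replies and non-ICMP traffic pass.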

ADDITIONAL INFORMATION

The information has been provided by <mailto:quisit@quest.net> Matt
Taylor and <mailto:xforce@iss.net> X-Force.
