[NT] BlackICE Agent Temporary Memory Buildup
From: support@securiteam.com Date: 06/20/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 20 Jun 2002 07:53:44 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
BlackICE Agent Temporary Memory Buildup
------------------------------------------------------------------------
SUMMARY
The default settings for BlackICE Agent allow for an overly large number
of TCP connections. A large number of open TCP connections coupled with a
limited amount of memory can result in a limited Denial of Service (DoS)
attack. Remote attackers on the same high-speed network segment may be
able to launch an attack against a vulnerable BlackICE Agent. BlackICE
Agents with an ample amount of memory outside a lab environment cannot be
reliably attacked by exploiting this flaw.
In short, a malicious user can consume up to 400MB of memory on a host
running BlackICE Agent, and this attack can be performed over the Internet.
DETAILS
Vulnerable systems:
- BlackICE Agent 3.1 eal on Windows 2000 laptop
- BlackICE Agent 3.1 ebh on Windows 2000 laptop
The BlackICE line includes multiple products which share a common
code-base and require different tuning parameters. All products contain a
Network Intrusion Detection System (NIDS) component. The desktop/server
BlackICE Agent uses NIDS to monitor inbound and outbound traffic from a
single desktop or server computer. The BlackICE Sentry monitors a specific
network or segment, which contains traffic belonging to other devices.
Since BlackICE Sentry monitors all traffic on the network segment, it must
support monitoring multiple devices with many connections apiece. A single
desktop typically has fewer than 10 TCP connections while a single server
may have several hundred TCP connections. BlackICE Sentry may be
monitoring hundreds of thousands of TCP connections at any time, and each
TCP connection that is tracked requires memory.
The desktop Agent version of BlackICE should be tuned to a maximum of
5,000 connections. The server Agent should be tuned to limit 10,000
simultaneous connections. The Sentry version is tuned to handle 250,000
simultaneous TCP connections.
This tuning eliminates the problem where the Agent is configured like
Sentry, and continues to allocate memory until it reaches the limit of
250,000 simultaneous TCP connections.
To conclude, by sending specially crafted TCP packets to ports on the
firewalled host, an attacker can cause BlackICE to start allocating
memory. Depending on the state of the port that is attacked, between 200
and 400MB of memory can be consumed with this attack. The firewalled host
recovers on its own, which takes 10-15 minutes.
Vendor Response:
This was reported to the vendor on the 15th of March, 2002. On the 29th of
May, 2002 the vendor reproduced the issue. On the 17th of June, 2002 we
received the vendor's official response to the issue.
Corrective action:
ISS X-Force recommends that BlackICE Agent users reconfigure the maximum
number of TCP connections to 5000 simultaneous connections. This setting
can be adjusted by editing the local "blackice.ini" file, or by modifying
this parameter via the ICEcap Management console:
tcp.maxconnections=5000
ISS will update the next version of BlackICE Agent with the correct tuning
parameters.
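As a defender-side check, the following added example (not part of the advisory or of ISS's own tooling) audits a blackice.ini for the recommended tcp.maxconnections tuning: 5,000 for a desktop Agent, 10,000 for a server Agent. The INI layout, section name and sample values are assumptions; only the key name and the limits come from the advisory.

```python
"""Audit a BlackICE Agent blackice.ini for the tcp.maxconnections limit
recommended in the advisory. Only the key name and the 5,000 / 10,000
limits come from the advisory; the file layout below is a constructed sample."""
from __future__ import annotations

RECOMMENDED_MAX = {"desktop": 5000, "server": 10000}
KEY = "tcp.maxconnections"


def parse_ini(text: str) -> dict[str, str]:
    """Minimal INI reader: skips blank lines, [section] headers and ;/# comment
    lines, strips trailing ';' comments, and lower-cases keys so the lookup is
    case-insensitive (assumed layout; the real file may differ)."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.split(";", 1)[0].strip()
    return settings


def audit(text: str, role: str = "desktop") -> tuple[str, str]:
    """Return (status, message); status is OK, FAIL or WARN.
    A missing key is a FAIL: the advisory says the default tuning lets the
    Agent track far more connections than a single host needs."""
    limit = RECOMMENDED_MAX[role]
    value = parse_ini(text).get(KEY)
    if value is None:
        return "FAIL", f"{KEY} not set; default tuning is too permissive for a {role}"
    try:
        n = int(value)
    except ValueError:
        return "WARN", f"{KEY}={value!r} is not an integer; fix it before relying on it"
    if n > limit:
        return "FAIL", f"{KEY}={n} exceeds the {role} recommendation of {limit}"
    return "OK", f"{KEY}={n} is within the {role} recommendation of {limit}"


# Constructed samples: Sentry-like tuning versus the advisory's corrected value.
SAMPLE_VULNERABLE = "[Settings]\ntcp.maxconnections=250000\n"
SAMPLE_FIXED = "[Settings]\nTCP.MaxConnections = 5000 ; per ISS X-Force\n"

if __name__ == "__main__":
    for name, ini in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        status, msg = audit(ini)
        print(f"{name}: {status} - {msg}")
```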
ADDITIONAL INFORMATION
The information has been provided by Peter Gründl <pgrundl@kpmg.dk>.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.