[NT] ISS RealSecure/BlackICE MailSlot Heap Overflow Detection DoS



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



ISS RealSecure/BlackICE MailSlot Heap Overflow Detection DoS
------------------------------------------------------------------------


SUMMARY

NSFocus Security Team discovered a remote DoS vulnerability in the ISS
RealSecure/BlackICE product lines' detection of the MailSlot Heap Overflow
(MS06-035). By sending a specific SMB MailSlot packet it is possible to
cause a DoS in ISS protection products.

DETAILS

Vulnerable Systems:
* RealSecure Network Sensor 7.0
* Proventia A Series
* Proventia G Series
* Proventia M Series
* RealSecure Server Sensor 7.0
* Proventia Server
* RealSecure Desktop 7.0
* Proventia Desktop
* BlackICE PC Protection 3.6
* BlackICE Server Protection 3.6

Immune Systems:
* RealSecure Network 7.0, XPU 24.40
* Proventia A Series, XPU 24.40
* Proventia G Series, XPU 24.40/1.79
* Proventia M Series, XPU 1.79
* RealSecure Server Sensor 7.0, XPU 24.40
* Proventia Server 1.0.914.1880
* RealSecure Desktop 7.0 epk
* Proventia Desktop 8.0.812.1790/8.0.675.1790
* BlackICE PC Protection 3.6 cpk
* BlackICE Server Protection 3.6 cpk

There is a DoS vulnerability in ISS protection products' detection of
SMB_MailSlot_Heap_Overflow (MS06-035/KB917159). By sending a specific SMB
MailSlot packet it is possible to cause an infinite loop in the detection
code, after which the ISS product, or even the operating system, stops
responding. For BlackICE, for example, the vulnerability can interrupt
network traffic and drive CPU utilization to approximately 100%. Stopping
the BlackICE engine does not restore normal operation; an OS restart is
required.

This vulnerability can be triggered by a single packet. The establishment
of a real SMB session is not required.
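The advisory does not give the packet layout of the NSFocus trigger, so the following is an added illustration of the failure class only, not ISS's detection code and not the actual trigger: a decoder that walks length-prefixed records and advances the cursor by each record's declared total length stops making progress when a record declares a length of zero, and the loop never terminates. The record layout (1-byte type, 2-byte total length including the header), the function names and the sample buffers are all constructed for this example. The hardened walker shows the checks a detection engine needs so that a single malformed packet is rejected instead of spinning.

```python
"""Constructed illustration of a no-progress loop in a record walker and its
hardened counterpart. The layout below is invented for this example and is not
the SMB MailSlot format."""
import struct

HEADER_LEN = 3          # 1-byte record type + 2-byte little-endian total length
MAX_RECORDS = 64        # record budget enforced by the hardened walker


def _read_header(buf: bytes, offset: int):
    """Return (type, total_len) for the record header at offset."""
    rec_type = buf[offset]
    total_len = struct.unpack_from("<H", buf, offset + 1)[0]
    return rec_type, total_len


def build_record(rec_type: int, payload: bytes) -> bytes:
    """Encode one well-formed record: type, total length (header + payload), payload."""
    return struct.pack("<BH", rec_type, HEADER_LEN + len(payload)) + payload


def walk_records_unsafe(buf: bytes, spin_limit: int = 10_000):
    """Naive walker: trusts the declared total length as the step size.
    A record with total_len == 0 leaves offset unchanged, so the loop would
    never finish; spin_limit exists only so this demo returns. Returns
    (records_seen, spun) where spun is True if the limit was hit."""
    offset, steps = 0, 0
    while offset + HEADER_LEN <= len(buf):
        _rec_type, total_len = _read_header(buf, offset)
        offset += total_len          # total_len == 0 -> no progress
        steps += 1
        if steps >= spin_limit:
            return steps, True
    return steps, False


def walk_records_hardened(buf: bytes):
    """Same walk with progress and bounds checks: every record must be at least
    a header long, must fit inside the buffer, the record count is capped, and
    no partial header may trail the last record. Malformed input raises
    ValueError instead of looping or over-reading."""
    records, offset = [], 0
    while offset + HEADER_LEN <= len(buf):
        if len(records) >= MAX_RECORDS:
            raise ValueError("record budget exceeded")
        rec_type, total_len = _read_header(buf, offset)
        if total_len < HEADER_LEN:
            raise ValueError(f"record at {offset} declares length {total_len}, "
                             f"below the {HEADER_LEN}-byte header")
        if offset + total_len > len(buf):
            raise ValueError(f"record at {offset} overruns the buffer")
        records.append((rec_type, bytes(buf[offset + HEADER_LEN:offset + total_len])))
        offset += total_len          # guaranteed >= HEADER_LEN, so offset advances
    if offset != len(buf):
        raise ValueError("trailing bytes shorter than a record header")
    return records


# Constructed sample inputs.
GOOD = build_record(1, b"hello") + build_record(2, b"data")
# Second record declares total length 0: the naive walker never moves past it.
STUCK = build_record(1, b"ok") + struct.pack("<BH", 2, 0) + b"junk"
# Record claims 100 bytes but the buffer is far shorter.
OVERRUN = build_record(1, b"ok") + struct.pack("<BH", 3, 100)


def hardened_rejects(buf: bytes) -> bool:
    """True if the hardened walker rejects buf with ValueError."""
    try:
        walk_records_hardened(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("good, unsafe  :", walk_records_unsafe(GOOD))
    print("stuck, unsafe :", walk_records_unsafe(STUCK))
    print("good, hardened:", walk_records_hardened(GOOD))
    for name, sample in (("stuck", STUCK), ("overrun", OVERRUN)):
        print(f"{name}, hardened: rejected={hardened_rejects(sample)}")
```

The important design point is that the hardened loop's step is proven positive before it is taken (total_len is at least HEADER_LEN), so termination does not depend on any field the sender controls; the record budget additionally bounds work per packet, which is what keeps an inline sensor from being pinned at 100% CPU by one frame.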

Workaround:
Block ports TCP/445 and TCP/139 at the firewall.

Vendor Status:
2006.07.24 Informed the vendor
2006.07.25 Vendor confirmed the vulnerability
2006.07.26 ISS has released a security alert and related patches.

For more details about the security alert, please refer to:
http://xforce.iss.net/xforce/alerts/id/230

ISS has released the following XPUs to fix this vulnerability:
* RealSecure Network 7.0, XPU 24.40
* Proventia A Series, XPU 24.40
* Proventia G Series, XPU 24.40/1.79
* Proventia M Series, XPU 1.79
* RealSecure Server Sensor 7.0, XPU 24.40
* Proventia Server 1.0.914.1880
* RealSecure Desktop 7.0 epk
* Proventia Desktop 8.0.812.1790/8.0.675.1790
* BlackICE PC Protection 3.6 cpk
* BlackICE Server Protection 3.6 cpk

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3840>
CVE-2006-3840


ADDITIONAL INFORMATION

The information has been provided by Chen Qing.
The original article can be found at:
http://www.nsfocus.com/english/homepage/research/0607.htm


