
ISS-109: Remote Denial of Service Vulnerability in BlackICE Products

by Nikola Strahija on February 6th, 2002

ISS X-Force is aware of a denial of service vulnerability that may allow remote attackers to crash or disrupt affected versions of BlackICE Defender and BlackICE Agent desktop firewall/intrusion protection products, and affected versions of RealSecure Server Sensor.


All current versions of BlackICE Defender, BlackICE Agent, and
RealSecure Server Sensor running on Windows 2000 or Windows XP can be
remotely crashed using a modified ping flood attack. The vulnerability
is caused by a flaw in the routines used for capturing transmitted
packets. Memory can be overwritten in such a manner that may cause the
engine to crash or to behave in an unpredictable manner.

The risk of this vulnerability to corporate users is minimal, because
most corporate firewalls already block ICMP from external IP addresses.
Systems located behind a corporate firewall are unlikely to be affected
by ICMP-based attacks.

Affected Versions:

BlackICE Defender 2.9 on Microsoft Windows 2000 and XP
BlackICE Defender for Server 2.9 on Microsoft Windows 2000 and XP
BlackICE Agent for Workstation 3.0 and 3.1 on Microsoft Windows 2000 and
XP
BlackICE Agent for Server 3.0 and 3.1 on Microsoft Windows 2000 and XP
* RealSecure Server Sensor 6.0.1 and 6.5 on Microsoft Windows 2000

BlackICE Sentry and BlackICE Guard are not affected by this
vulnerability.

* Note: This attack yields inconsistent results against RealSecure
Server Sensor systems.

Recommendations:

Internet Security Systems has developed and is testing a fix for this
vulnerability that will be available as soon as possible. This alert
will be updated as soon as patches are available. BlackICE Defender
customers can install Defender updates by clicking on the "Tools" menu,
and then the "Download Updates" button. Corporate users of BlackICE
Agent can install updates centrally using the ICEcap Management
Console, or manually on individual systems.

BlackICE Agent Workaround:
Internet Security Systems recommends that ICEcap administrators apply
the following workaround for BlackICE Agent until a patch is made
available. Apply the following rule within the ICEcap Manager to block
ICMP Echo Requests on all managed agents:

1. Select the Firewall Rule Set to be modified.
2. Click "Add Setting" to the right of Firewall Rules.
3. Change Type to ICMP.
4. Enter "8:0" in the Rule Specification window.
5. Ensure that Reject is selected in the Setting window.
6. Click "Save Settings".

This will add a rule to the policy on ICEcap to block all Echo Requests
on Agents reporting to the group and using that policy.

BlackICE Defender Workaround:
Internet Security Systems recommends that BlackICE Defender users apply
the following workaround until a patch is made available. Apply the
following rule to block ICMP Echo Requests.

1. Open the firewall.ini file.
2. Under the [MANUAL ICMP ACCEPT] section, add the following line:
REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI
3. Save the firewall.ini file.
4. The next time you open BlackICE, click OK when the following pop-up
window appears: "A configuration file change was detected."
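
The Defender workaround above as a repeatable check and idempotent edit, useful when many copies of firewall.ini have to be verified. This is an added example, not part of the ISS advisory or of BlackICE's own tooling. It assumes rule lines are comma-separated with action, type:code and protocol as the first three fields (as in the advisory's line); the function names and the sample file contents are constructed.

```python
# Added example: audit/apply the advisory's BlackICE Defender workaround.
# Assumption: first three comma-separated fields are action, type:code, protocol.
# configparser is avoided: its default ':' delimiter would split "8:0".

SECTION = "[MANUAL ICMP ACCEPT]"
RULE = "REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI"

def _section_bounds(lines):
    """Return (start, end) line indexes of the section body, or None."""
    start = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if start is None:
            if stripped.upper() == SECTION:
                start = i + 1
        elif stripped.startswith("["):
            return start, i  # next section header closes the body
    return (start, len(lines)) if start is not None else None

def has_echo_reject(text):
    """True if the section already holds a REJECT rule for ICMP 8:0."""
    lines = text.splitlines()
    bounds = _section_bounds(lines)
    if bounds is None:
        return False
    for line in lines[bounds[0]:bounds[1]]:
        fields = [f.strip().upper() for f in line.split(",")]
        if fields[:3] == ["REJECT", "8:0", "ICMP"]:
            return True
    return False

def apply_workaround(text):
    """Insert the advisory's rule once; return (new_text, changed)."""
    if has_echo_reject(text):
        return text, False
    lines = text.splitlines()
    bounds = _section_bounds(lines)
    if bounds is None:
        raise ValueError(SECTION + " not found; not guessing file layout")
    lines.insert(bounds[0], RULE)
    eol = "\r\n" if "\r\n" in text else "\n"  # keep the file's line endings
    return eol.join(lines) + eol, True

# Constructed sample file; only the section name comes from the advisory.
SAMPLE = "[MANUAL ICMP ACCEPT]\n\n[EXAMPLE OTHER SECTION]\n"

if __name__ == "__main__":
    print(apply_workaround(SAMPLE))
```

A rule with the same text in any other section is not counted, so a misplaced line is reported as missing rather than as applied.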

RealSecure Server Sensor Workaround:
Internet Security Systems RealSecure Server Sensor customers can
configure Server Sensor to block ICMP packets using the following steps.
X-Force recommends that administrators investigate the implications of
blocking ICMP in their environments before applying this rule.

1. Open the Server Sensor policy to which you want to add this rule.
2. Select the Protect tab, open the Protect folder, and then open the
Firecell folder.
3. Select the ICMP Inbound section.
4. Click Add to create a new rule.
5. Type a name for the firecell rule, such as Block_ICMP, and then
click OK.
The new rule is added to the policy in the ICMP Inbound section.
6. Select the rule that you just created.
The properties of the rule appear in the right pane.
7. Set the priority of the event in the Priority box.
8. Leave the IP address field blank.
9. In the Actions section, select Action (3) Not in the range of listed
IP addresses, drop the packet and generate the selected responses.
10. In the Response section, select the responses you want the sensor
to take when this rule is triggered.
11. Save and apply the policy to the sensor.


Additional Information:

ISS Download Center (for BlackICE Agent and RealSecure Server Sensor
updates),
http://www.iss.net/eval/eval.php

BlackICE Product Download page (for BlackICE Defender updates),
http://www.networkice.com/downloads/index.html

ISS X-Force Database,
http://xforce.iss.net/static/8058.php

This alert is available at:
http://xforce.iss.net/alerts/advise109.php
[Note: It may take up to 24 hours from the original posting of this
alert for it to appear on the Web site.]

