PAM component buffer overflow when parsing SMB protocol

pam-smb-protocol-bo (15207) The risk level is classified as HighHigh Risk

Description:

Internet Security Systems Protocol Analysis Module (PAM) component is vulnerable to a heap-based buffer overflow, caused by a vulnerability in the parsing routines of the Server Message Block (SMB) protocol. Certain protocol fields are not checked for size. If a legitimate SMB connection to the server is established, a remote attacker might exploit this vulnerability under certain conditions to overwrite memory and execute arbitrary code on the system.

Products affected include RealSecure Network versions 7.0 XPU 20.15 through 22.9, RealSecure Server Sensor versions 7.0 XPU 20.16 through 22.9, Proventia A Series XPU 20.15 through 22.9, Proventia G Series XPU 22.3 through 22.9, Proventia M Series XPU 1.3 through 1.7, RealSecure Desktop versions 7.0 eba through ebh, RealSecure Desktop versions 3.6 ebr through ecb, RealSecure Guard versions 3.6 ebr through ecb, RealSecure Sentry 3.6 versions ebr through ecb, BlackICE PC Protection versions 3.6 cbr through ccb, and BlackICE Server Protection versions 3.6 cbr through ccb.

Platforms Affected:

  • IBM, ISS BlackICE PC Protection 3.6cbr cbr
  • IBM, ISS BlackICE PC Protection 3.6cbz cbz
  • IBM, ISS BlackICE PC Protection 3.6cca cca
  • IBM, ISS BlackICE PC Protection 3.6ccb ccb
  • IBM, ISS BlackICE Server Protection 3.6 cbr
  • IBM, ISS BlackICE Server Protection 3.6 cca
  • IBM, ISS BlackICE Server Protection 3.6 ccb
  • IBM, ISS BlackICE Server Protection 3.6 cbz
  • IBM, ISS RealSecure Desktop 3.6 ecb
  • IBM, ISS RealSecure Desktop 3.6 eca
  • IBM, ISS RealSecure Desktop 3.6 ebr
  • IBM, ISS RealSecure Desktop 3.6 ebz
  • IBM, ISS RealSecure Desktop 7.0 ebh
  • IBM, ISS RealSecure Desktop 7.0 ebg
  • IBM, ISS RealSecure Desktop 7.0 eba
  • IBM, ISS RealSecure Desktop 7.0 ebf
  • IBM, ISS RealSecure Network 7.0 XPU 22.9
  • IBM, ISS RealSecure Network 7.0 XPU 20.15
  • IBM, ISS RealSecure Network 7.0 XPU 20.16
  • IBM, ISS RealSecure Network 7.0 XPU 20.17
  • IBM, ISS RealSecure Network 7.0 XPU 20.18
  • IBM, ISS RealSecure Network 7.0 XPU 20.19
  • IBM, ISS RealSecure Network 7.0 XPU 21.1
  • IBM, ISS RealSecure Network 7.0 XPU 21.2
  • IBM, ISS RealSecure Network 7.0 XPU 21.3
  • IBM, ISS RealSecure Network 7.0 XPU 22.1
  • IBM, ISS RealSecure Network 7.0 XPU 22.2
  • IBM, ISS RealSecure Network 7.0 XPU 22.3
  • IBM, ISS RealSecure Network 7.0 XPU 22.5
  • IBM, ISS RealSecure Network 7.0 XPU 22.6
  • IBM, ISS RealSecure Network 7.0 XPU 22.7
  • IBM, ISS RealSecure Network 7.0 XPU 22.8
  • IBM, ISS RealSecure Network 7.0 XPU 22.4
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 21.1
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 21.3
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 22.1
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 22.2
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 22.3
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 22.5
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 22.6
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 22.7
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 22.8
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 22.9
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 22.4
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 20.16
  • IBM, ISS RealSecure Server Sensor 7.0 XPU 20.19
  • ISS, RealSecure Guard 3.6 ebz
  • ISS, RealSecure Guard 3.6 ecb
  • ISS, RealSecure Guard 3.6 eby
  • ISS, RealSecure Guard 3.6 ebx
  • ISS, RealSecure Guard 3.6 ebw
  • ISS, RealSecure Guard 3.6 ebv
  • ISS, RealSecure Guard 3.6 ebu
  • ISS, RealSecure Guard 3.6 ebt
  • ISS, RealSecure Guard 3.6 ebs
  • ISS, RealSecure Guard 3.6 eca
  • ISS, RealSecure Guard 3.6 ebr
  • ISS, RealSecure Sentry 3.6 eca
  • ISS, RealSecure Sentry 3.6 ebx
  • ISS, RealSecure Sentry 3.6 ebw
  • ISS, RealSecure Sentry 3.6 ebv
  • ISS, RealSecure Sentry 3.6 ebu
  • ISS, RealSecure Sentry 3.6 eby
  • ISS, RealSecure Sentry 3.6 ebs
  • ISS, RealSecure Sentry 3.6 ebr
  • ISS, RealSecure Sentry 3.6 ecb
  • ISS, RealSecure Sentry 3.6 ebz
  • ISS, RealSecure Sentry 3.6 ebt

Remedy:

Upgrade to the latest XPU, as listed below, available from the Internet Security Systems Web site. See References.

RealSecure Network 7.0, XPU 22.10
RealSecure Server Sensor 7.0, XPU 22.10
Proventia A Series, XPU 22.10
Proventia G Series, XPU 22.10
Proventia M Series, XPU 1.8
RealSecure Desktop 7.0 ebl
RealSecure Desktop 3.6 ecf
RealSecure Guard 3.6 ecf
RealSecure Sentry 3.6 ecf
BlackICE Agent for Server 3.6 ecf
BlackICE PC Protection 3.6 ccf
BlackICE Server Protection 3.6 ccf

Consequences:

Gain Access

References:

  • CIAC Information Bulletin O-085, Vulnerability in SMB Parsing in ISS Products at http://www.ciac.org/ciac/bulletins/o-085.shtml.
  • eEye Digital Security Web site, eEye Digital Security at http://www.eeye.com/html/Research/Upcoming/20040213.html.
  • Internet Security Systems Security Alert, February 26, 2004, Vulnerability in SMB Parsing in ISS Products at http://xforce.iss.net/xforce/alerts/id/165.
  • Internet Security Systems Web site, Download Center at http://www.iss.net/download/.
  • BID-9752: Internet Security Systems Protocol Analysis Module SMB Parsing Heap Overflow Vulnerability
  • CVE-2004-0193: Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE Server Protection 3.6, allows remote attackers to execute arbitrary code via an SMB packet containing an authentication request with a long username.
  • OSVDB ID: 4072: ISS Multiple Products SMB Packet Handling Overflow
  • SA10988: ISS Multiple Products SMB Packet Handling Buffer Overflow Vulnerability
  • US-CERT VU#150326: Internet Security Systems' BlackICE and RealSecure contain a heap overflow in the processing of SMB packets

Reported:

Feb 26, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page