PAM component buffer overflow when parsing SMB protocol

pam-smb-protocol-bo (15207). The risk level is classified as High Risk.

Description:

Internet Security Systems Protocol Analysis Module (PAM) component is vulnerable to a heap-based buffer overflow, caused by a vulnerability in the parsing routines of the Server Message Block (SMB) protocol. Certain protocol fields are not checked for size. If a legitimate SMB connection to the server is established, a remote attacker might exploit this vulnerability under certain conditions to overwrite memory and execute arbitrary code on the system.

Products affected include RealSecure Network versions 7.0 XPU 20.15 through 22.9, RealSecure Server Sensor versions 7.0 XPU 20.16 through 22.9, Proventia A Series XPU 20.15 through 22.9, Proventia G Series XPU 22.3 through 22.9, Proventia M Series XPU 1.3 through 1.7, RealSecure Desktop versions 7.0 eba through ebh, RealSecure Desktop versions 3.6 ebr through ecb, RealSecure Guard versions 3.6 ebr through ecb, RealSecure Sentry versions 3.6 ebr through ecb, BlackICE PC Protection versions 3.6 cbr through ccb, and BlackICE Server Protection versions 3.6 cbr through ccb.
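
The size check whose absence the description identifies, shown as an added example: this is not ISS code, and the PAM parser itself does not appear on this page. The field layout (a NUL-terminated account name at a known offset), the 64-byte buffer, and the names parse_user, struct session and USER_MAX are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define USER_MAX 64  /* assumed capacity of the analyzer's name buffer */

/* Hypothetical session record; not taken from any ISS product. */
struct session { char user[USER_MAX]; };

/* Copy a NUL-terminated name that starts at pkt[off] in an untrusted
 * packet. Returns the name length, or -1 if the field is malformed. */
int parse_user(struct session *s, const unsigned char *pkt,
               size_t pkt_len, size_t off)
{
    if (off >= pkt_len)
        return -1;                      /* field starts past the packet */
    /* Look for the terminator only inside the captured bytes. */
    const unsigned char *start = pkt + off;
    const unsigned char *end = memchr(start, '\0', pkt_len - off);
    if (end == NULL)
        return -1;                      /* unterminated field */

    size_t len = (size_t)(end - start);
    if (len >= sizeof s->user)
        return -1;                      /* longer than the destination */

    memcpy(s->user, start, len);
    s->user[len] = '\0';
    return (int)len;
}

/* Constructed sample: 4 filler bytes, then "alice" and a NUL. */
int check_valid(void)
{
    static const unsigned char ok[] = { 0, 0, 0, 0, 'a','l','i','c','e', 0 };
    struct session s;
    int n = parse_user(&s, ok, sizeof ok, 4);
    return (n == 5 && strcmp(s.user, "alice") == 0) ? n : -2;
}

/* Constructed sample: a 200-byte name, larger than USER_MAX. */
int check_oversized(void)
{
    unsigned char big[201];
    struct session s;
    memset(big, 'A', 200);
    big[200] = '\0';
    return parse_user(&s, big, sizeof big, 0);
}
int main(void) { return !(check_valid() == 5 && check_oversized() == -1); }
```

Both bounds matter: the terminator search is limited to the bytes actually received, and the resulting length is compared with the destination size before any copy takes place.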


Consequences:

Gain Access

Remedy:

Upgrade to the latest XPU, as listed below, available from the Internet Security Systems Web site. See References.

RealSecure Network 7.0, XPU 22.10
RealSecure Server Sensor 7.0, XPU 22.10
Proventia A Series, XPU 22.10
Proventia G Series, XPU 22.10
Proventia M Series, XPU 1.8
RealSecure Desktop 7.0 ebl
RealSecure Desktop 3.6 ecf
RealSecure Guard 3.6 ecf
RealSecure Sentry 3.6 ecf
BlackICE Agent for Server 3.6 ecf
BlackICE PC Protection 3.6 ccf
BlackICE Server Protection 3.6 ccf

References:

  • CIAC Information Bulletin O-085: Vulnerability in SMB Parsing in ISS Products.
  • eEye Digital Security Web site: eEye Digital Security.
  • Internet Security Systems Security Alert, February 26, 2004: Vulnerability in SMB Parsing in ISS Products.
  • Internet Security Systems Web site: Download Center.
  • BID-9752: Internet Security Systems Protocol Analysis Module SMB Parsing Heap Overflow Vulnerability
  • CVE-2004-0193: Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE Server Protection 3.6, allows remote attackers to execute arbitrary code via an SMB packet containing an authentication request with a long username.
  • OSVDB ID: 4072: ISS Multiple Products SMB Packet Handling Overflow
  • OSVDB ID: 4702: RealSecure/BlackICE PAM Module SMB Packet Overflow
  • SA10988: ISS Multiple Products SMB Packet Handling Buffer Overflow Vulnerability
  • US-CERT VU#150326: Internet Security Systems' BlackICE and RealSecure contain a heap overflow in the processing of SMB packets

Platforms Affected:

  • IBM ISS BlackICE PC Protection 3.6 cbr
  • IBM ISS BlackICE PC Protection 3.6 cbz
  • IBM ISS BlackICE PC Protection 3.6 cca
  • IBM ISS BlackICE PC Protection 3.6 ccb
  • IBM ISS BlackICE Server Protection 3.6 cca
  • IBM ISS BlackICE Server Protection 3.6 cbz
  • IBM ISS BlackICE Server Protection 3.6 cbr
  • IBM ISS BlackICE Server Protection 3.6 ccb
  • IBM ISS RealSecure Desktop 3.6 ecb
  • IBM ISS RealSecure Desktop 3.6 ebr
  • IBM ISS RealSecure Desktop 3.6 ebz
  • IBM ISS RealSecure Desktop 3.6 eca
  • IBM ISS RealSecure Desktop 7.0 ebf
  • IBM ISS RealSecure Desktop 7.0 ebg
  • IBM ISS RealSecure Desktop 7.0 eba
  • IBM ISS RealSecure Desktop 7.0 ebh
  • IBM ISS RealSecure Network 7.0 XPU 22.9
  • IBM ISS RealSecure Network 7.0 XPU 22.4
  • IBM ISS RealSecure Network 7.0 XPU 20.16
  • IBM ISS RealSecure Network 7.0 XPU 20.17
  • IBM ISS RealSecure Network 7.0 XPU 20.18
  • IBM ISS RealSecure Network 7.0 XPU 20.19
  • IBM ISS RealSecure Network 7.0 XPU 21.1
  • IBM ISS RealSecure Network 7.0 XPU 21.2
  • IBM ISS RealSecure Network 7.0 XPU 21.3
  • IBM ISS RealSecure Network 7.0 XPU 22.1
  • IBM ISS RealSecure Network 7.0 XPU 22.2
  • IBM ISS RealSecure Network 7.0 XPU 22.3
  • IBM ISS RealSecure Network 7.0 XPU 22.5
  • IBM ISS RealSecure Network 7.0 XPU 22.6
  • IBM ISS RealSecure Network 7.0 XPU 22.7
  • IBM ISS RealSecure Network 7.0 XPU 20.15
  • IBM ISS RealSecure Network 7.0 XPU 22.8
  • IBM ISS RealSecure Server Sensor 7.0 XPU 20.16
  • IBM ISS RealSecure Server Sensor 7.0 XPU 20.19
  • IBM ISS RealSecure Server Sensor 7.0 XPU 22.4
  • IBM ISS RealSecure Server Sensor 7.0 XPU 21.1
  • IBM ISS RealSecure Server Sensor 7.0 XPU 21.3
  • IBM ISS RealSecure Server Sensor 7.0 XPU 22.1
  • IBM ISS RealSecure Server Sensor 7.0 XPU 22.2
  • IBM ISS RealSecure Server Sensor 7.0 XPU 22.3
  • IBM ISS RealSecure Server Sensor 7.0 XPU 22.5
  • IBM ISS RealSecure Server Sensor 7.0 XPU 22.6
  • IBM ISS RealSecure Server Sensor 7.0 XPU 22.7
  • IBM ISS RealSecure Server Sensor 7.0 XPU 22.8
  • IBM ISS RealSecure Server Sensor 7.0 XPU 22.9
  • ISS RealSecure Guard 3.6 ebu
  • ISS RealSecure Guard 3.6 ebt
  • ISS RealSecure Guard 3.6 ebs
  • ISS RealSecure Guard 3.6 ecb
  • ISS RealSecure Guard 3.6 eca
  • ISS RealSecure Guard 3.6 ebv
  • ISS RealSecure Guard 3.6 ebz
  • ISS RealSecure Guard 3.6 eby
  • ISS RealSecure Guard 3.6 ebx
  • ISS RealSecure Guard 3.6 ebw
  • ISS RealSecure Guard 3.6 ebr
  • ISS RealSecure Sentry 3.6 ebx
  • ISS RealSecure Sentry 3.6 ebw
  • ISS RealSecure Sentry 3.6 ebv
  • ISS RealSecure Sentry 3.6 ebu
  • ISS RealSecure Sentry 3.6 ebt
  • ISS RealSecure Sentry 3.6 ebs
  • ISS RealSecure Sentry 3.6 ebr
  • ISS RealSecure Sentry 3.6 eca
  • ISS RealSecure Sentry 3.6 ecb
  • ISS RealSecure Sentry 3.6 eby
  • ISS RealSecure Sentry 3.6 ebz

Reported:

Feb 26, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
