PAM component ICQ protocol parsing buffer overflow

pam-icq-parsing-bo (15442)

High Risk

Description:

Internet Security Systems Protocol Analysis Module (PAM) is vulnerable to a buffer overflow, caused by improper bounds checking when parsing certain protocol fields embedded within ICQ response data. A remote attacker could exploit this vulnerability to overflow the buffer and possibly execute arbitrary code on the system.

Consequences:

Gain Access

Remedy:

Upgrade to the latest XPU, as listed below, available from the Internet Security Systems Web site. See References.

RealSecure Network 7.0, XPU 22.12
RealSecure Server Sensor 7.0 XPU 22.12
Proventia A Series XPU 22.12
Proventia G Series XPU 22.12
Proventia M Series XPU 1.10
RealSecure Desktop 7.0 ebm
RealSecure Desktop 3.6 ecg
RealSecure Guard 3.6 ecg
RealSecure Sentry 3.6 ecg
BlackICE Agent for Server 3.6 ecg
RealSecure Server Sensor 6.5 for Windows SR 3.11
BlackICE PC Protection 3.6 ccg
BlackICE Server Protection 3.6 ccg

References:

• BugTraq Mailing List, 2004-03-18 23:57:46: EEYE: Internet Security Systems PAM ICQ Server Response Processing Vulnerability.
• CIAC Information Bulletin O-104: ICQ Parsing in ISS Products May Lead to Buffer Overflow.
• eEye Digital Defense Security Advisory AD20040318: Internet Security Systems PAM ICQ Server Response Processing Vulnerability.
• eEye Digital Defense Upcoming Advisory EEYEB-20040308: Internet Security Systems.
• Internet Security Systems Security Alert, March 18, 2004: Vulnerability in ICQ Parsing in ISS Products.
• Internet Security Systems Web site: Download Center.
• BID-9913: Internet Security Systems Protocol Analysis Module ICQ Parsing Buffer Overflow Vulnerability
• CVE-2004-0362: Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm.
• OSVDB ID: 4355: ISS PAM Component ICQ Protocol Parsing Overflow
• SA11073: ISS Multiple Products ICQ Server Response Processing Vulnerability
• US-CERT VU#947254: Internet Security Systems Protocol Analysis Module (PAM) does not properly handle ICQ server response messages

Platforms Affected:

• IBM ISS BlackICE PC Protection 3.6 ccf
• IBM ISS BlackICE PC Protection 3.6 ccd
• IBM ISS BlackICE PC Protection 3.6cbz cbz
• IBM ISS Proventia Network IDS XPU 22.6
• IBM ISS Proventia Network IDS XPU 22.9
• IBM ISS Proventia Network IDS XPU 22.8
• IBM ISS Proventia Network IDS XPU 22.7
• IBM ISS Proventia Network IDS XPU 22.5
• IBM ISS Proventia Network IDS XPU 22.4
• IBM ISS Proventia Network IDS XPU 22.3
• IBM ISS Proventia Network IDS XPU 22.2
• IBM ISS Proventia Network IDS XPU 22.10
• IBM ISS Proventia Network IDS XPU 22.1
• IBM ISS Proventia Network MFS XPU 1.4
• IBM ISS Proventia Network MFS XPU 1.7
• IBM ISS Proventia Network MFS XPU 1.3
• IBM ISS Proventia Network MFS XPU 1.2
• IBM ISS Proventia Network MFS XPU 1.8
• IBM ISS Proventia Network MFS XPU 1.9
• IBM ISS Proventia Network MFS XPU 1.6
• IBM ISS Proventia Network MFS XPU 1.5
• IBM ISS Proventia Network MFS XPU 1.1
• IBM ISS Proventia-G 1.1 and earlier XPU 22.6
• IBM ISS Proventia-G 1.1 and earlier XPU 22.11
• IBM ISS Proventia-G 1.1 and earlier XPU 22.10
• IBM ISS Proventia-G 1.1 and earlier XPU 22.1
• IBM ISS Proventia-G 1.1 and earlier XPU 22.9
• IBM ISS Proventia-G 1.1 and earlier XPU 22.8
• IBM ISS Proventia-G 1.1 and earlier XPU 22.7
• IBM ISS Proventia-G 1.1 and earlier XPU 22.5
• IBM ISS Proventia-G 1.1 and earlier XPU 22.4
• IBM ISS Proventia-G 1.1 and earlier XPU 22.3
• IBM ISS Proventia-G 1.1 and earlier XPU 22.2
• IBM ISS RealSecure Desktop 3.6 ebz
• IBM ISS RealSecure Desktop 7.0 ebf
• IBM ISS RealSecure Network 7.0 XPU 22.7
• IBM ISS RealSecure Network 7.0 XPU 22.8
• IBM ISS RealSecure Network 7.0 XPU 22.9
• IBM ISS RealSecure Network 7.0 XPU 22.6
• IBM ISS RealSecure Network 7.0 XPU 22.5
• IBM ISS RealSecure Network 7.0 XPU 22.3
• IBM ISS RealSecure Network 7.0 XPU 22.2
• IBM ISS RealSecure Network 7.0 XPU 22.1
• IBM ISS RealSecure Network 7.0 XPU 22.4
• IBM ISS RealSecure Network 7.0 XPU 22.10
• IBM ISS RealSecure Server Sensor 6.5 SR 3.2
• IBM ISS RealSecure Server Sensor 6.5 SR 3.10
• IBM ISS RealSecure Server Sensor 6.5 SR 3.7
• IBM ISS RealSecure Server Sensor 6.5 SR 3.3
• IBM ISS RealSecure Server Sensor 6.5 SR 3.6
• IBM ISS RealSecure Server Sensor 6.5 SR 3.5
• IBM ISS RealSecure Server Sensor 6.5 SR 3.4
• ISS BlackICE Agent for Server 3.6 ebz
• ISS RealSecure Guard 3.6 ebz
• ISS RealSecure Sentry 3.6 ebz

Reported:

Mar 18, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page