ICEcap console for BlackICE allows attackers to inject alerts with embedded VBA code

netice-icecap-alert-execute (4477)

The risk level is classified as Medium Risk.

Description:

The Network ICE ICEcap console is an HTTP service that listens on TCP port 8081 to collect and monitor events received from various BlackICE IDS agents. ICEcap allows authenticated users to inject false alerts containing arbitrary information into the system. By default the ICEcap server uses an Access (Jet) database, so an attacker can insert VBA (Visual Basic for Applications) code in a false alert to cause arbitrary commands to be executed on the ICEcap server. ICEcap uses HTTP Basic authentication to validate users and includes a default username with no password.


Consequences:

Gain Access

Remedy:

Upgrade to ICEcap 2.0.23a or later, available from the Network ICE Web site, as listed in Network ICE Knowledge Base Article Q000167. See References.

This upgrade adds functionality that performs improved validation of input before inserting events into the database. This version also fixes several other security issues in ICEcap.

References:

Platforms Affected:

  • Network ICE Corp Network ICE BlackICE ICEcap 2.0.23 and prior

Reported:

May 17, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
