BlackICE Defender ping flood denial of service

blackice-ping-flood-dos (8058) The risk level is classified as Medium Risk

Description:

BlackICE Defender is vulnerable to a denial of service attack. This vulnerability is caused by a flaw in the packet transmission routines in the BlackICE packet filtering module. A remote attacker could perform a modified ping flood attack to overwrite memory and crash the BlackICE engine. It may be possible for attackers to control which areas of memory are overwritten, leading to the execution of arbitrary code.

Attacks against RealSecure Server Sensor yield inconsistent results, making the attack less effective against this application.


Consequences:

Denial of Service

Remedy:

Internet Security Systems has developed and is testing fixes for this vulnerability. Some patches are available now (see patch status below).

BlackICE Defender:
Patch Release version 2.9.car is available from the BlackICE Product Download page. See References.

BlackICE Agent:
This patch will be available soon at the ISS Downloads Web site.

RealSecure Server Sensor 6.0.1:
Service Release 1.1 will be available at the ISS Downloads Web site.

RealSecure Server Sensor 6.5:
Service Release 3.1 will be available at the ISS Downloads Web site.

BlackICE Defender customers can install Defender updates by clicking on the "Tools" menu, and then the "Download Updates" button. Corporate users of BlackICE Agent can install updates centrally using the ICEcap Management Console, or manually on individual systems.

ISS recommends that all ICEcap administrators apply the following workaround until a patch is made available. Apply the following rule within the ICEcap Manager to block ICMP Echo Requests on all managed agents:

  1. Select the Firewall Rule Set to be modified.
  2. Click on Add Setting to the right of Firewall Rules.
  3. Change Type to ICMP.
  4. Enter "8:0" in the Rule Specification window.
  5. Ensure that Reject is selected in the Setting window.
  6. Click on Save Settings.

This will add a rule to the policy on ICEcap to block all Echo Requests on Agents reporting to the group and using that policy.
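
As an added illustration (not ISS code and not part of the original advisory), the following Python example shows which packets a rule of "8:0" matches, assuming the rule specification is the ICMP type and code separated by a colon. The function names and the sample packets are constructed for this example.

```python
import struct

def parse_rule(spec):
    """Parse a 'type:code' ICMP rule such as '8:0' (format assumed from the workaround)."""
    icmp_type, icmp_code = spec.split(":")
    return int(icmp_type), int(icmp_code)

def icmp_fields(packet):
    """Return (type, code) for an IPv4 ICMP packet, or None if no ICMP header is present."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                        # too short, or not IPv4
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1:         # IP protocol 1 = ICMP
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                        # non-first fragment: no ICMP header here
    if len(packet) < ihl + 8:              # the ICMP header is 8 bytes
        return None
    return packet[ihl], packet[ihl + 1]

def verdict(packet, rule_spec="8:0"):
    """Classify a packet the way a Reject rule on rule_spec would."""
    fields = icmp_fields(packet)
    if fields is None:
        return "not-icmp"
    return "reject" if fields == parse_rule(rule_spec) else "pass"

def build_icmp(icmp_type, icmp_code, payload=b"constructed"):
    """Constructed sample packet (documentation addresses, checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 1, 1)
    return ip + icmp + payload

if __name__ == "__main__":
    samples = {
        "echo request (8:0)": build_icmp(8, 0),
        "echo reply (0:0)": build_icmp(0, 0),
        "fragmentation needed (3:4)": build_icmp(3, 4),
        "time exceeded (11:0)": build_icmp(11, 0),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} -> {verdict(pkt)}")
```

Only inbound Echo Requests match the rule; Echo Replies and ICMP error messages such as type 3 code 4 are left alone, so outbound ping and path MTU discovery on the managed agents are unaffected by the workaround.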

References:

Platforms Affected:

  • IBM ISS RealSecure Server Sensor 6.0.1
  • IBM ISS RealSecure Server Sensor 6.5
  • ISS BlackICE Agent for Server 3.0
  • ISS BlackICE Agent for Server 3.1
  • ISS BlackICE Agent for Workstation 3.0
  • ISS BlackICE Agent for Workstation 3.1
  • ISS BlackICE Defender 2.9

Reported:

Feb 03, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
