BlackICE Defender ping flood denial of service
blackice-ping-flood-dos (8058)
Description:
BlackICE Defender is vulnerable to a denial of service attack. This vulnerability is caused by a flaw in the packet transmission routines in the BlackICE packet filtering module. A remote attacker could perform a modified ping flood attack to overwrite memory and crash the BlackICE engine. It may be possible for attackers to control which areas of memory are overwritten, leading to the execution of arbitrary code.
Attacks against RealSecure Server Sensor yield inconsistent results, making the attack less effective against this application.
Consequences:
Denial of Service
Remedy:
Internet Security Systems has developed and is testing fixes for this vulnerability. Some patches are available now (see patch status below).
BlackICE Defender:
Patch Release version 2.9.car is available from the BlackICE Product Download page. See References.
BlackICE Agent:
This patch will be available soon at the ISS Downloads Web site.
RealSecure Server Sensor 6.0.1:
Service Release 1.1 will be available at the ISS Downloads Web site.
RealSecure Server Sensor 6.5:
Service Release 3.1 will be available at the ISS Downloads Web site.
BlackICE Defender customers can install Defender updates by clicking on the "Tools" menu, and then the "Download Updates" button. Corporate users of BlackICE Agent can install updates centrally using the ICEcap Management Console, or manually on individual systems.
ISS recommends that all ICEcap administrators apply the following workaround until a patch is made available. Apply the following rule within the ICEcap Manager to block ICMP Echo Requests on all managed agents:
- Select the Firewall Rule Set to be modified.
- Click on Add Setting to the right of Firewall Rules.
- Change Type to ICMP.
- Enter "8:0" in the Rule Specification window.
- Ensure that Reject is selected in the Setting window.
- Click on Save Settings.
This will add a rule to the policy on ICEcap to block all Echo Requests on Agents reporting to the group and using that policy.
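As an added example (not part of the ISS advisory), the Python below models the rule specification used in the workaround ("8:0" = ICMP Echo Request, rejected) and a defender-side check over constructed IPv4/ICMP frames that counts large echo requests per source, the traffic pattern the CVE text describes; the payload-size and flood thresholds are assumptions.

```python
import struct
from collections import Counter
# ICEcap-style ICMP rule specification from the advisory: "type:code", 8:0 = Echo Request.
BLOCK_RULE = "8:0"
# Heuristic thresholds for the flood check (assumptions, not values from the advisory).
LARGE_PAYLOAD = 1024
FLOOD_THRESHOLD = 5
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout

def parse_ipv4_icmp(frame):
    """Return (src, icmp_type, icmp_code, payload_len), or None if not a well-formed ICMP frame."""
    if len(frame) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack(IPV4_HDR, frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(frame) < ihl + 8:  # every ICMP header is 8 bytes
        return None
    icmp = frame[ihl:]
    return ".".join(map(str, src)), icmp[0], icmp[1], len(icmp) - 8

def rule_matches(rule, icmp_type, icmp_code):
    """True if the ICMP type and code match a rule written in the "8:0" form."""
    rule_type, rule_code = (int(x) for x in rule.split(":"))
    return icmp_type == rule_type and icmp_code == rule_code

def triage(frames):
    """Reject Echo Requests per BLOCK_RULE and flag sources sending many large ones."""
    rejected, large_pings = 0, Counter()
    for frame in frames:
        parsed = parse_ipv4_icmp(frame)
        if parsed is None:
            continue
        src, icmp_type, icmp_code, payload_len = parsed
        if rule_matches(BLOCK_RULE, icmp_type, icmp_code):
            rejected += 1
            if payload_len >= LARGE_PAYLOAD:
                large_pings[src] += 1
    flooders = sorted(s for s, n in large_pings.items() if n >= FLOOD_THRESHOLD)
    return rejected, flooders

def build_icmp(src, icmp_type, icmp_code, payload_len):
    """Constructed test frame: minimal IPv4 header, 8-byte ICMP header, zero-filled payload."""
    icmp = bytes([icmp_type, icmp_code]) + bytes(6 + payload_len)
    src_bytes = bytes(int(o) for o in src.split("."))
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_bytes, b"\x0a\x00\x00\x01") + icmp

# Constructed sample traffic: a large-ping flood, a few normal pings, and echo replies.
SAMPLE = ([build_icmp("192.0.2.10", 8, 0, 1400)] * 6
          + [build_icmp("192.0.2.20", 8, 0, 56)] * 3
          + [build_icmp("192.0.2.30", 0, 0, 1400)] * 6)
```

`triage(SAMPLE)` returns `(9, ['192.0.2.10'])`: nine Echo Requests rejected by the rule, one source exceeding the large-ping threshold.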
References:
- BlackICE Product Download page: BlackIce Defender Downloads.
- BugTraq Mailing List, Mon Feb 04 2002 - 17:29:14 CST: Re: Vulnerability in Black ICE Defender.
- BugTraq Mailing List, Sun Feb 03 2002 - 22:26:50 CST: Vulnerability in Black ICE Defender.
- BugTraq Mailing List, Tue Feb 05 2002 - 01:50:45 CST: Re: Vulnerability in Black ICE Defender.
- BugTraq Mailing List, Tue Feb 05 2002 - 09:34:30 CST: RE: Vulnerability in Black ICE Defender.
- eEye Digital Security Alert AL20020208: ALERT: ISS BlackICE Kernel Overflow Exploitable.
- Internet Security Systems Downloads Web site: Download Center.
- Internet Security Systems Security Alert #109: Remote Denial of Service Vulnerability in BlackICE Products.
- BID-4025: Internet Security Systems BlackICE and RealSecure Buffer Overflow Vulnerability
- CVE-2002-0237: Buffer overflow in ISS BlackICE Defender 2.9 and earlier, BlackICE Agent 3.0 and 3.1, and RealSecure Server Sensor 6.0.1 and 6.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a flood of large ICMP ping packets.
- OSVDB ID: 2039: BlackICE / RealSecure Large ICMP Ping Packet Overflow
Platforms Affected:
- IBM ISS RealSecure Server Sensor 6.0.1
- IBM ISS RealSecure Server Sensor 6.5
- ISS BlackICE Agent for Server 3.0
- ISS BlackICE Agent for Server 3.1
- ISS BlackICE Agent for Workstation 3.0
- ISS BlackICE Agent for Workstation 3.1
- ISS BlackICE Defender 2.9
Reported:
Feb 03, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@us.ibm.com
