Mime-Version: 1.0
Content-Type: text/plain
Message-Id: <A0465D722E19D311BFBE0050049BB2700BBA88@mail.locked.com>
Date: Fri, 14 Jul 2000 13:32:18 -0400
Reply-To: Frank Darden <fdarden@LOCKED.COM>
From: Frank Darden <fdarden@LOCKED.COM>
X-To: Gwendolynn ferch Elydyr <gwen@REPTILES.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

I suppose it's no coincidence that you edited the RSA test labs info from the top of the message. I am attaching the FULL text of the message that RSA sent out.

To: RSA Security Customers
From: RSA Security Product Management
Re: Potential RSA ACE/Server UDP Flood Vulnerability
Date: 7/13/00
--------------------------------------

Dear Jimmajamma,

It has been brought to RSA Security's attention that a possible UDP flood vulnerability exists in the RSA ACE/Server R.

Summary of Potential Vulnerability

This vulnerability was reported last month to the bugtraq and ntbugtraq mailing lists. It indicated that users could send UDP packets to the authentication port, UDP 5500, and bring the server process down. RSA Security has confirmed the report, and offers a patch for RSA ACE/Server R v3.3, 4.0 and 4.1.

The RSA Security Support Lab tested the potential vulnerability by force-feeding servers with 1000 packets per second, without reproducing a process crash. In these tests, the server rode out the flood and recovered within minutes, without needing to be stopped or rebooted. RSA Security did detect a problem handling UDP packets which appeared to be a continuation of a previous session, but where no such session existed. RSA Security has repaired this function.

Minimizing the Possible Threat

Most resources with physical access to a network could be the target of a packet flood, though the volume of packets required varies. To reduce the potential vulnerability, RSA Security recommends:

1. Placing an intrusion detection or traffic monitor on the LAN. Most RSA ACE/Servers are on internal networks, behind firewalls. This limits access to the Server's UDP port to people on the local network, insiders. UDP attacks such as this are less likely to happen via the Internet. If the internal network has any form of traffic monitoring, such an attack is likely to be caught.

2. Locating RSA ACE/Server R in a protected environment, such as a DMZ, to block access by unauthorized users.

Patch and Recommendations

Customers with current maintenance agreements can get the patch in the following patch releases from RSA SecurCare Online.

- RSA ACE/Server R v3.3 patch 16 - Available now
- RSA ACE/Server R 4.0 patch 2 - Available Q3
- RSA ACE/Server R 4.1 patch 1 - Available Q3

Until full patches are available, and for non-maintenance customers, a hotfix is available for each of these releases from our public FTP site, at ftp://ftp.securid.com/support/outgoing/dos

Disclaimers

All information included in this response is based on available knowledge at the time of this publication.

-----Original Message-----
From: Gwendolynn ferch Elydyr [mailto:gwen@REPTILES.ORG]
Sent: Wednesday, July 12, 2000 3:13 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: RSA Aceserver UDP Flood Vulnerability

Rather an interesting turnaround from their earlier insistence that there was no problem...

> Dear SecurCare Online Customer:
>
> ACE/Server UDP Flood Vulnerability
> A possible UDP flood vulnerability exists in the ACE/Server. This
> vulnerability indicated that users could send UDP packets to the
> authentication port UDP 5500, and bring the server process down.
>
> To remedy this, RSA Security has developed a patch for ACE/Server v3.3 and
> v3.3.1 and a hot-fix for v4.0 and v4.1.
>
> Minimizing the Possible Threat
> To further reduce the vulnerability, RSA recommends two things.
>
> 1. Place an intrusion detection or traffic monitor on the LAN.
>
> Most ACE/Servers are on internal networks behind firewalls. This limits
> access to the Server's UDP port to people on the local network. UDP
> attacks are not likely to happen via the Internet. If the internal network
> has any form of traffic monitoring, such an attempted attack will likely
> be caught.
>
> 2. Install the ACE/Server in a protected environment, such as a DMZ, to
> block unauthorized access.
>
> Patch and Recommendations
> As a SecurCare Online customer, your current maintenance agreement allows
> you to get the fix for this problem at no additional charge. Please note
> that the fix for this problem is both platform and ACE/Server version
> specific. In other words, be sure you install the correct version of this
> fix for your ACE/Server platform and version.
>
> If you're using ACE/Server v3.3 or v3.3.1, RSA Support recommends that you
> download and install patch 16 (3.3.16), which includes the fix for this
> problem. This patch is available at
> http://knowledge.rsasecurity.com/frameset_patches2.asp. If you are unable
> to install the 3.3.16 patch, RSA Support recommends that you install the
> hot-fix for this problem, which can be obtained at
> ftp://ftp.securid.com/support/outgoing/dos. The minimum recommended patch
> level for this hot-fix is patch 15 (3.3.15).
>
> If you're using ACE/Server v4.0 RSA Support recommends installing the
> hot-fix available at ftp://ftp.securid.com/support/outgoing/dos. The
> minimum recommended patch level for this hot-fix is patch 1 (4.0.1).
>
> If you're using ACE/Server v4.1 we recommend applying the hot-fix at
> ftp://ftp.securid.com/support/outgoing/dos.
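Both versions of the RSA notice above recommend "an intrusion detection or traffic monitor on the LAN" as the mitigation, on the grounds that a flood toward UDP 5500 on an internal segment should be easy to spot. The following is an added example of what that monitoring logic looks like in practice; it is not code from RSA, from the poster, or from any ACE/Server component. It assumes a simplified, constructed packet-log format (one packet per line: epoch seconds, source IP, destination IP, protocol, destination port), a hypothetical ACE/Server address of 10.0.0.5, and a per-source threshold of 50 packets in a one-second sliding window that is chosen purely for illustration. The sample log it runs over is constructed inline.

```python
"""Sliding-window rate detector for UDP floods against an ACE/Server auth port.

Added example, not part of the Bugtraq thread or RSA's advisory. Assumptions:
a constructed log format "ts src dst proto dport", a hypothetical server
address (ACE_SERVER_IP) and an illustrative alert threshold (THRESHOLD).
"""
from collections import defaultdict, deque

ACE_SERVER_IP = "10.0.0.5"   # assumed address of the monitored ACE/Server
AUTH_PORT = 5500             # authentication port named in the advisory
WINDOW_SECONDS = 1.0         # length of the sliding window per source
THRESHOLD = 50               # packets per window per source; illustrative only


def parse_line(line):
    """Parse one constructed log line into (ts, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto.lower(), int(dport)


def detect_floods(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: peak packets seen in one window} for sources that
    exceeded the threshold toward UDP/AUTH_PORT on the monitored server.

    Lines that are blank, comments, malformed, or not UDP traffic to the
    server's auth port are ignored, so the detector only counts what the
    advisory describes.
    """
    recent = defaultdict(deque)   # src -> timestamps inside the current window
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ts, src, dst, proto, dport = parse_line(line)
        except ValueError:
            continue  # malformed record; skip rather than crash the monitor
        if proto != "udp" or dst != ACE_SERVER_IP or dport != AUTH_PORT:
            continue
        window_q = recent[src]
        window_q.append(ts)
        while window_q and ts - window_q[0] > window:
            window_q.popleft()   # drop timestamps that fell out of the window
        if len(window_q) > threshold:
            alerts[src] = max(alerts.get(src, 0), len(window_q))
    return alerts


def build_sample_log():
    """Construct sample log lines: one legitimate client, unrelated traffic,
    and one host sending 200 packets to UDP/5500 within a single second."""
    lines = ["# ts src dst proto dport   (constructed sample data)"]
    for i in range(5):   # legitimate client: one auth packet per second
        lines.append(f"{1000 + i} 10.0.1.20 {ACE_SERVER_IP} udp {AUTH_PORT}")
    lines.append(f"1001 10.0.1.21 {ACE_SERVER_IP} udp 5510")        # other port
    lines.append(f"1001 10.0.1.21 {ACE_SERVER_IP} tcp {AUTH_PORT}")  # not UDP
    for i in range(200):  # flood: 200 packets between t=1002.000 and 1002.199
        lines.append(f"{1002 + i / 1000:.3f} 10.0.1.99 {ACE_SERVER_IP} udp {AUTH_PORT}")
    return lines


if __name__ == "__main__":
    for src, peak in detect_floods(build_sample_log()).items():
        print(f"ALERT: {src} sent {peak} UDP packets to "
              f"{ACE_SERVER_IP}:{AUTH_PORT} within {WINDOW_SECONDS}s")
```

The threshold is the part a real deployment has to tune: a legitimate ACE/Agent issues a handful of authentication packets per login, so a per-source rate far above that is a reasonable anomaly signal on an internal segment, while a network-wide count would also be needed to catch a flood spread across many source addresses.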