[15805] in bugtraq
Re: RSA Aceserver UDP Flood Vulnerability
daemon@ATHENA.MIT.EDU (Vin McLellan)
Mon Jul 17 15:16:29 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Message-Id: <4.3.1.0.20000714172851.00ad73e0@shell1.shore.net>
Date: Fri, 14 Jul 2000 18:44:36 -0400
Reply-To: Vin McLellan <vin@SHORE.NET>
From: Vin McLellan <vin@SHORE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.3.96.1000712151219.21826Y-100000@komodo.reptiles.org>
Content-Transfer-Encoding: 8bit
Gwendolynn ferch Elydyr <gwen@REPTILES.ORG> wrote:
>Rather an interesting turnaround from their earlier insistence that there was
>no problem...
Ummmm. What RSA actually said -- after the "potential DoS" report
was initially published here -- was that RSA's engineers were having
difficulty reproducing the specific Denial of Service (DoS) attack that JJ
Gray <nexus@patrol.i-way.co.uk> reported he had used to crash an ACE
authentication server.
I was consulting to RSA on the incident, and tried to keep Mr.
Gray and the interested Lists informed as to the progress of the
investigation. (Unfortunately, a note I sent twice to Bugtraq about the
status of the inquiry was not published. Why, I dunno.)
RSA finally decided to test its ACE/Server against a whole range
of potential flood attacks which could be generated by a variety of free
and commercial UDP flood generators. Mr. Gray graciously cooperated in the
RSA inquiry and provided RSA technicians with the utility he had used to
generate the UDP flood that crashed his ACE/Server.
This led to the discovery that a UDP flood on an
ACE/Server (which includes packets which appear to be a continuation of an
existing UDP session, when no such session exists) can indeed have
catastrophic results -- rather than the gradual degradation, and the
automatic resurrection, of the authentication service which is the expected
behavior for an ACE/Server in the face of a UDP flood.
After extensive compatibility tests, RSA has finally made a hotfix
available, and will incorporate the fix in its routine ACE/Server
maintenance patches. (I append the full RSA message to its customers,
rather than the oddly truncated version Gwen passed along.)
Suerte,
_Vin
Vin McLellan
The Privacy Guild
-------------- RSA doc appended below -------------------
To: RSA Security Customers
From: RSA Security Product Management
Re: RSA ACE/Server UDP Flood Vulnerability
Date: 7/12/00
--------------------------------------
It has been brought to RSA Security's attention that a possible UDP
flood vulnerability exists in the RSA ACE/Server®.
Summary of Vulnerability
This vulnerability was reported last month to the bugtraq and ntbugtraq
mailing lists. It indicated that users could send UDP packets to the
authentication port, UDP 5500, and bring the server process down.
RSA Security has confirmed the report, and offers a patch for RSA
ACE/Server v3.3, 4.0 and 4.1.
The RSA Security Support Lab tested the vulnerability by force-feeding
servers with 1000 packets per second, without reproducing a process
crash. In these tests, the server rode out the flood and recovered within
minutes, without needing to be stopped or rebooted.
RSA Security did detect a problem handling UDP packets which appeared to be
a continuation of a previous session, but where no such session existed.
RSA Security has repaired this function.
Minimizing the Possible Threat
Most resources with physical access to a network could be the target of a
packet flood, though the volume of packets required varies. To reduce the
vulnerability, RSA Security recommends:
1. Placing an intrusion detection or traffic monitor on the LAN.
Most RSA ACE/Servers are on internal networks, behind firewalls. This
limits access to the Server's UDP port to people on the local network,
insiders. UDP attacks such as this are less likely to happen via the
Internet. If the internal network has any form of traffic monitoring,
such an attack is likely to be caught.
2. Locating RSA ACE/Server in a protected environment, such as a DMZ, to
block access by unauthorized users.
Patch and Recommendations
Customers with current maintenance agreements can get the patch in the
following patch releases from RSA SecurCare Online.
* RSA ACE/Server v3.3 patch 16 - Available now
* RSA ACE/Server 4.0 patch 2 - Available Q3
* RSA ACE/Server 4.1 patch 1 - Available Q3
Until full patches are available, and for non-maintenance customers, a
hotfix is available for each of these releases from our public FTP site,
at ftp://ftp.securid.com/support/outgoing/dos
Disclaimers
All information included in this response is based on available knowledge
at the time of this publication.
----- end ------
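A small rate-based monitor for the pattern described in the advisory's summary (a high rate of UDP packets aimed at the ACE/Server authentication port, UDP 5500), in the spirit of the advisory's first recommendation to put a traffic monitor on the LAN. This is an added example, not code from this post or from RSA; the log line format, the per-source threshold and the sample traffic are constructed for the example.

```python
"""Sliding-window detector for a UDP flood against ACE/Server's
authentication port (UDP 5500). Log format is constructed for this
example: "<epoch_seconds> <src_ip> <dst_ip> <udp|tcp> <dst_port>"."""
from collections import defaultdict, deque
import re

ACE_AUTH_PORT = 5500      # authentication port named in the advisory
WINDOW_SECONDS = 1.0      # sliding window length (assumed)
THRESHOLD = 100           # packets per window per source pair (assumed)

LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (\S+) (udp|tcp) (\d+)$")

def parse_line(line):
    """Parse one constructed log line; return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport = m.groups()
    return float(ts), src, dst, proto, int(dport)

def detect_floods(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return [(src_ip, dst_ip, first_alert_ts)] for every (src, dst) pair
    whose UDP/5500 packet count inside any sliding window exceeds threshold.
    Only the first crossing per pair is reported, to avoid alert storms."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still in window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines
        ts, src, dst, proto, dport = rec
        if proto != "udp" or dport != ACE_AUTH_PORT:
            continue                      # only the ACE auth port matters here
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = ts
    return [(s, d, t) for (s, d), t in alerts.items()]

def sample_log():
    """Constructed traffic: a benign client sends 5 auth packets over 1.5 s;
    a flooding host sends 150 packets in under half a second."""
    lines = ["%.3f 10.0.0.5 10.0.0.1 udp 5500" % (1000 + i * 0.3) for i in range(5)]
    lines += ["%.3f 10.0.0.9 10.0.0.1 udp 5500" % (1000 + i * 0.003) for i in range(150)]
    lines.append("1000.100 10.0.0.9 10.0.0.1 tcp 5500")   # not UDP: ignored
    return lines

if __name__ == "__main__":
    for src, dst, ts in detect_floods(sample_log()):
        print("ALERT: UDP/5500 flood from %s to %s at t=%.3f" % (src, dst, ts))
```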