COMMAND

    BackWeb Polite Agent Protocol

SYSTEMS AFFECTED

    BackWeb client using the Polite Agent Protocol

PROBLEM

    The following is based on an ISS Security Advisory. ISS discovered
    a vulnerability in the BackWeb Polite Agent Protocol that allows a
    user on a local network on which BackWeb clients operate to spoof
    a BackWeb server. Hardware and software vendors often include
    BackWeb software in their distributions to facilitate remote
    distribution of software updates.

    The BackWeb Polite Agent Protocol is a UDP-based protocol that
    BackWeb clients use to communicate with BackWeb servers. BackWeb's
    "anti-spoofing mechanism" for delivery of UDP data to the client
    and server is the exchange of a 32-bit integer, randomly generated
    by the client each time it requests data from the server. This
    integer is appended to each packet of a specific piece of BackWeb
    data (an InfoPak). BackWeb also uses a sequencing method to
    maintain packet data integrity. Both values are visible to anyone
    who can examine the packets in transport, so any attacker who can
    observe the local network can determine the 32-bit integer and the
    sequence numbers, and can therefore send false data to a BackWeb
    client while posing as the real BackWeb server.

    A race condition exists where the attacker may deliver a false
    response to the client's 'match request,' which is the first packet
    the client sends to determine whether or not the server should send
    data to it. If this spoofed response reaches the client before the
    real BackWeb server's response does, the attacker may continuously
    write realistic-looking BackWeb packets to the network in response
    to the client request. These packets may direct the client to
    update files on its drive, execute programs, or display messages on
    the client screen. While client security settings may not be
    changed, other client settings such as displayed data may be
    changed. Depending on the client security settings, an attacker may
    send executable files to be executed on the client machine. By
    default, BackWeb's security settings disable automatic execution of
    downloaded files.

SOLUTION

    Until a suitable security mechanism is made available by the
    vendor, ISS recommends upgrading to BackWeb 5.0, which supports
    VeriSign digital certificates for enhanced security. BackWeb
    strongly recommends that customers do not enable automatic
    execution of downloaded files when using software prior to version
    5.0 unless other security mechanisms are implemented separately
    from the BackWeb system. Customers using BackWeb client version
    5.0 and above can enable automatic execution of files; the client
    will then only automatically execute a file after verifying that
    the file is digitally signed and that the signing certificate is
    approved.
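    The following Python program is an added illustration of the two
    points above and is not code from ISS or BackWeb. It models a
    server-to-client packet protected only by the client's random
    32-bit integer and a sequence number, shows that a client check
    based on those values alone accepts any packet built from values
    read off the wire, and then shows the hardened check the SOLUTION
    section describes, where nothing is acted on until a signature over
    the packet verifies. The packet layout (4-byte integer, 4-byte
    sequence number, payload) is an assumption made for the example and
    is not BackWeb's real wire format, and HMAC-SHA256 stands in for
    the certificate-based signature because the standard library has no
    certificate support.

```python
import hashlib
import hmac
import os
import struct

# Toy packet layout assumed for this illustration (NOT BackWeb's real
# wire format, which the advisory does not describe):
#   4-byte random client integer | 4-byte sequence number | payload
HEADER = struct.Struct("!II")
TAG_LEN = hashlib.sha256().digest_size  # length of the appended MAC


def build_packet(nonce: int, seq: int, payload: bytes) -> bytes:
    """Server -> client packet protected only by the client's random integer."""
    return HEADER.pack(nonce, seq) + payload


def parse_packet(packet: bytes):
    """Everything a passive observer on the segment learns from one packet."""
    nonce, seq = HEADER.unpack_from(packet)
    return nonce, seq, packet[HEADER.size:]


def client_accepts_nonce_only(packet: bytes, expected_nonce: int, expected_seq: int) -> bool:
    """The advisory's 'anti-spoofing mechanism': accept the packet if the
    integer and sequence number match what the client is waiting for."""
    if len(packet) < HEADER.size:
        return False
    nonce, seq, _ = parse_packet(packet)
    return nonce == expected_nonce and seq == expected_seq


def build_signed_packet(key: bytes, nonce: int, seq: int, payload: bytes) -> bytes:
    """Hardened variant: append a MAC computed over header and payload.
    HMAC-SHA256 is a stand-in (assumption) for the certificate-based
    signature the advisory recommends; the key models the server's
    signing credential, which an observer does not hold."""
    body = HEADER.pack(nonce, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def client_accepts_signed(key: bytes, packet: bytes, expected_nonce: int, expected_seq: int) -> bool:
    """Accept only if the tag verifies AND the integer/sequence match.
    Covering the header with the tag means a replayed genuine packet is
    rejected once the client has moved on to another request or sequence."""
    if len(packet) < HEADER.size + TAG_LEN:
        return False
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected_tag = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return False
    return client_accepts_nonce_only(body, expected_nonce, expected_seq)


def demo() -> dict:
    """Run both checks against a genuine packet, a packet built from observed
    header values, and a replay; returns the acceptance decisions."""
    # Client picks its 32-bit random integer for this InfoPak request.
    client_nonce = struct.unpack("!I", os.urandom(4))[0]
    seq = 1

    # Legitimate server packet, and what an observer reads out of it.
    genuine = build_packet(client_nonce, seq, b"InfoPak: display notice")
    seen_nonce, seen_seq, _ = parse_packet(genuine)

    # A packet carrying the observed header values is indistinguishable
    # to the nonce-only check, whatever its payload says.
    lookalike = build_packet(seen_nonce, seen_seq, b"InfoPak: other content")

    # With a signing key the observer does not hold, the lookalike fails,
    # the genuine signed packet verifies, and a replay of it out of
    # sequence is refused as well.
    server_key = os.urandom(32)
    genuine_signed = build_signed_packet(server_key, client_nonce, seq, b"InfoPak: display notice")
    lookalike_signed = lookalike + os.urandom(TAG_LEN)  # observer has to guess the tag
    return {
        "nonce_only_accepts_lookalike": client_accepts_nonce_only(lookalike, client_nonce, seq),
        "signed_accepts_genuine": client_accepts_signed(server_key, genuine_signed, client_nonce, seq),
        "signed_accepts_lookalike": client_accepts_signed(server_key, lookalike_signed, client_nonce, seq),
        "signed_accepts_replay": client_accepts_signed(server_key, genuine_signed, client_nonce, seq + 1),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

    The point the example makes is the one behind the advisory: a
    value that travels in the clear and is checked for equality is a
    liveness token, not an authenticator, because every observer on
    the segment holds the same value the client does. Only a check
    that depends on something the server alone possesses, such as the
    signing certificate the 5.0 client verifies before executing a
    file, lets the client distinguish the real server from a peer on
    the same network.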