COMMAND

    ACE/Server

SYSTEMS AFFECTED

    RSA's ACE/Server

PROBLEM

    JJ Gray found the following.  RSA Security produces a two-factor
    authentication solution called ACE/Server.  It uses SecurID tokens
    to enforce authentication and runs on NT/2000 and Solaris.  It is
    possible for a non-privileged user on the same network as the
    ACE/Server to trivially mount a DoS attack that kills the aceserver
    process, thus denying all authentication requests.

    Test Lab:  ACE/Server version  3.1 and  4.1 on  Solaris 2.6, Sparc
    Ultra5.

    Attack:  A simple UDP port flood at LAN speeds (250 packets/second)
    with randomly sized UDP packets aimed at the port used for
    authentication requests (default UDP port 5500).  The process dies
    in 15-20 seconds.

    Result:  The aceserver process dies and can no longer process any
    SecurID authentication requests, denying all access to any SecurID
    protected resources.  The aceserver process has to be stopped and
    restarted to restore functionality.

SOLUTION

    RSA Security has confirmed the report, and offers a patch for  RSA
    ACE/Server R  v3.3, 4.0  and 4.1.   The RSA  Security Support  Lab
    tested the potential  vulnerability by force-feeding  servers with
    1000 packets per second,  without reproducing a process  crash. In
    these tests, the  server rode out  the flood and  recovered within
    minutes, without needing to be stopped or rebooted.  RSA  Security
    did detect a problem handling  UDP packets which appeared to  be a
    continuation  of  a  previous  session,  but where no such session
    existed.  RSA Security has repaired this function.

    Most resources  with physical  access to  a network  could be  the
    target of a  packet flood, though  the volume of  packets required
    varies.   To  reduce  the  potential  vulnerability,  RSA Security
    recommends:

    1. Placing an intrusion detection or traffic monitor on the LAN.
       Most RSA ACE/Servers are on internal networks, behind firewalls.
       This limits access to the Server's UDP port to people on the
       local network (insiders).  UDP attacks such as this are less
       likely to happen via the Internet.  If the internal network has
       any form of traffic monitoring, such an attack is likely to be
       caught.

    2. Locating RSA ACE/Server R in a protected environment, such as a
       DMZ, to block access by unauthorized users.
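    As an added example (not part of the advisory or of any RSA tool),
    the following shows the kind of traffic-monitoring check item 1
    refers to: it counts UDP packets per source and per second towards
    the ACE/Server authentication port and flags any source whose rate
    exceeds a threshold.  The log line format, the sample records and
    the 100 pps threshold are assumptions constructed for this example;
    the threshold sits below the 250 pps the report says was enough to
    kill the process.

```python
import re
from collections import defaultdict
from datetime import datetime

ACE_AUTH_PORT = 5500          # default ACE/Server authentication port (UDP)
ALERT_THRESHOLD_PPS = 100     # assumption: alert below the 250 pps seen in the report

# Constructed line format (assumption, not any real sniffer's output):
#   <ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> len=<bytes>
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+) len=(\d+)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto, length = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "len": int(length)}

def peak_udp_rate(lines, port=ACE_AUTH_PORT):
    """Peak packets-per-second each source sent to UDP <port>."""
    per_second = defaultdict(int)           # (src, whole second) -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != port:
            continue
        per_second[(rec["src"], rec["ts"].replace(microsecond=0))] += 1
    peak = {}
    for (src, _sec), n in per_second.items():
        peak[src] = max(peak.get(src, 0), n)
    return peak

def flood_sources(lines, threshold=ALERT_THRESHOLD_PPS, port=ACE_AUTH_PORT):
    """Sources whose peak rate to the auth port exceeds the threshold."""
    return sorted(src for src, pps in peak_udp_rate(lines, port).items()
                  if pps > threshold)

# Constructed sample: one host sends 300 randomly sized packets within one
# second to port 5500; a normal agent sends two; a DNS packet is ignored.
SAMPLE_LOG = [f"2001-06-14T10:00:00.{i:06d} 10.0.0.7 -> 10.0.0.5:5500 UDP "
              f"len={40 + (i * 37) % 1400}" for i in range(300)]
SAMPLE_LOG += ["2001-06-14T10:00:00.500000 10.0.0.22 -> 10.0.0.5:5500 UDP len=120",
               "2001-06-14T10:00:01.100000 10.0.0.22 -> 10.0.0.5:5500 UDP len=120",
               "2001-06-14T10:00:00.700000 10.0.0.9 -> 10.0.0.5:53 UDP len=60"]

if __name__ == "__main__":
    for src in flood_sources(SAMPLE_LOG):
        print(f"ALERT: UDP flood towards port {ACE_AUTH_PORT} from {src}")
```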

    Customers with  current maintenance  agreements can  get the patch
    in the following patch releases from RSA SecurCare Online.

        - RSA ACE/Server R v3.3 patch 16 - Available now
        - RSA ACE/Server R 4.0 patch 2 - Available Q3
        - RSA ACE/Server R 4.1 patch 1 - Available Q3

    Until  full  patches  are   available,  and  for   non-maintenance
    customers, a hotfix is available  for each of these releases  from
    our public FTP site, at

        ftp://ftp.securid.com/support/outgoing/dos