COMMAND
RealSecure
SYSTEMS AFFECTED
RealSecure 3.2.x
PROBLEM
The Modulo Security Labs Team found, during a test program, two
ways to stop the ISS RealSecure 3.2.x engine. The engine is
responsible for checking and logging packets. The exploit is very
simple to reproduce, and protection measures must be adopted.
Tested systems:
3.2.1 Solaris - Vulnerable
3.2.2 Solaris - Vulnerable
3.2.1 WinNT - Vulnerable
A failure in the handling of fragmented packets with the SYN flag
set causes the immediate failure of the RealSecure engine,
disabling intrusion detection.
On the Solaris version of RealSecure the engine process
('network_engine') dies, leaving a core dump file. The event is
immediately reported through the RealSecure console.
On the NT version, the engine service ('network_engine.exe') has a
slightly different bug. After crashing, the service restarts
immediately, generating only a Windows NT Application Log event.
The tests showed that a large, continuous stream of these packets
(a SYN flood) can drive the processor load up to 100%. During such
an attack, RealSecure could not identify any other type of attack.
The tests showed that the Solaris version has an additional
vulnerability in its SYN packet handling. A SYN flood with specific
IP flags set can disable the engine in the same way as described
above. An attack rate of 50 packets per minute was enough to
trigger the flaw in a simulation. On both versions (NT and Solaris)
the console could not report the fragmented attack. The NT version
can identify the fragmented SYN attack as a simple SYN flood.
A detailed version of this advisory will be issued as soon as ISS
fixes the product.
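As an added illustration (not part of the original advisory or of the ISS product), the following Python parses raw IPv4/TCP headers, labels first fragments that carry a SYN (the packet shape described above), and reports any source that sends 50 or more of them within one minute, the rate the advisory cites. A defender could run this over a capture taken upstream of the sensor to see whether the traffic that crashes the engine is present. The packet bytes, addresses and timestamps are constructed sample data with checksums zeroed.

```python
import struct
from collections import Counter

IP_MF = 0x1          # IPv4 "more fragments" bit (after shifting the 3 flag bits down)
IP_PROTO_TCP = 6
TCP_SYN = 0x02       # SYN bit in the TCP flags byte

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by fragmentation state and TCP SYN flag."""
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    more_frags = bool((flags_frag >> 13) & IP_MF)
    frag_offset = flags_frag & 0x1FFF        # in 8-byte units
    if not more_frags and frag_offset == 0:
        return "unfragmented"
    if frag_offset != 0:
        # Only the first fragment carries the TCP header; a continuation
        # fragment's flags are unknown until the datagram is reassembled.
        return "fragment-continuation"
    payload = pkt[ihl:]
    if proto != IP_PROTO_TCP or len(payload) < 14:
        return "fragmented-non-tcp"
    return "fragmented-syn" if payload[13] & TCP_SYN else "fragmented-tcp"

def noisy_sources(records, threshold=50):
    """records: iterable of (unix_time, raw_ipv4_bytes). Return the source IPs
    that sent >= threshold fragmented-SYN first fragments in one minute bucket."""
    counts = Counter()
    for ts, pkt in records:
        if classify(pkt) == "fragmented-syn":
            src = ".".join(str(b) for b in pkt[12:16])
            counts[(src, int(ts // 60))] += 1
    return sorted({src for (src, _minute), n in counts.items() if n >= threshold})

# Constructed sample packets (hypothetical addresses 10.0.0.x, checksums zeroed).
TCP_SYN_HDR = bytes.fromhex("04d2005000000000000000005002200000000000")
FRAG_FIRST_SYN = bytes.fromhex("4500002800012000400600000a0000010a000002") + TCP_SYN_HDR
PLAIN_SYN = bytes.fromhex("4500002800010000400600000a0000010a000002") + TCP_SYN_HDR
FRAG_CONT = bytes.fromhex("4500001c00010001400600000a0000010a000002") + bytes(8)

def with_src(pkt: bytes, src: str) -> bytes:
    # Rewrite the IPv4 source address (bytes 12..15) of a sample packet.
    return pkt[:12] + bytes(int(o) for o in src.split(".")) + pkt[16:]

def demo():
    # 60 fragmented SYNs from 10.0.0.9 inside one minute bucket, plus background traffic.
    records = [(960.0 + i, with_src(FRAG_FIRST_SYN, "10.0.0.9")) for i in range(60)]
    records += [(960.0 + i, PLAIN_SYN) for i in range(100)]
    records += [(960.0 + i, with_src(FRAG_FIRST_SYN, "10.0.0.5")) for i in range(5)]
    return noisy_sources(records)

if __name__ == "__main__":
    print(demo())  # ['10.0.0.9']
```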
SOLUTION
The tests with the Solaris version indicate that disabling the
SynFlood and IPFRAG attack detection can avoid the
'network_engine' process failure.