COMMAND

    SilentRunner

SYSTEMS AFFECTED

    Raytheon SilentRunner 2.0, 2.0.1
    Raytheon SilentRunner 1.6.1 (protocol-parsing password overflows only)

PROBLEM

    The following is based on  an Internet Security Systems (ISS) security
    advisory.  ISS X-Force, in conjunction with ISS  Emergency Response
    Services, has discovered and researched remote vulnerabilities in
    Raytheon SilentRunner.  SilentRunner is a passive network monitoring,
    discovery and analysis tool.  The SilentRunner collector module is the
    passive network monitoring component of the product.  The collector
    contains multiple buffer overflow vulnerabilities that can be
    triggered by an attacker who is merely able to send traffic across a
    network segment monitored by SilentRunner; no access to the
    SilentRunner host itself is required.  Successful exploitation can
    result in a denial of service (DoS) against the collector, or in
    execution of arbitrary code on the SilentRunner server.

    The ISS advisory states that it is unknown whether earlier versions of
    SilentRunner are affected by these vulnerabilities; see the note on
    version 1.6.1 at the end of this section.

    SilentRunner is an advanced  network analysis system built  on top
    of a passive  network monitoring engine.   The collector  monitors
    and  records  network  traffic  for  use  within other portions of
    SilentRunner.  SilentRunner can view network activity through  its
    own collector, or import network data from various other sources.

    Multiple buffer overflow vulnerabilities exist in the collector
    (cle.exe) component of SilentRunner.  The routines that parse
    passwords for many common protocols, such as POP, HTTP and FTP, do
    not perform the necessary bounds checking on the user-supplied
    password field.  Because the collector is passive, the overlong
    password does not have to be aimed at the SilentRunner host: any user
    on any network monitored by a SilentRunner collector can send a
    login containing a long password string that will crash the
    collector and possibly execute arbitrary code on any system running
    the SilentRunner collector.

    An  additional  buffer  overflow   vulnerability  exists  in   the
    SilentRunner "Knowledge Browser", a traffic analysis component  of
    SilentRunner.   The Knowledge  Browser does  not perform  adequate
    bounds  checking  on  certain  long  HTTP  queries.  Any user on a
    SilentRunner monitored network may craft a long HTTP query,  which
    will be recorded by the SilentRunner collector.  If the long  HTTP
    query is processed  by the Knowledge  Browser, malicious code  may
    be executed on the SilentRunner server.  Note the two-stage nature of
    this issue: the collector records the query without incident, and the
    overflow only occurs later, when a SilentRunner operator manually
    starts the Knowledge Browser and it processes the stored traffic.

    The buffer overflow conditions in the application-layer protocol
    parsing routines described in the ISS advisory also exist in
    version 1.6.1 of SilentRunner.
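    The two issues above are the same bug class seen from two ends of the
    product: a fixed-size field in a record is filled from a protocol
    field whose length the sender controls.  The following C program is
    an added illustration of that pattern and of the corresponding fix;
    it is not SilentRunner code and not taken from the ISS advisory.  It
    models a sniffer-side parser that copies the argument of a POP3/FTP
    "PASS" command, or the request-URI of an HTTP GET, out of a raw
    captured payload.  The 64-byte field size, the function names and
    the sample lines are assumptions chosen for the example.

```c
/*
 * Added illustration of the bug class in the advisory above, not
 * SilentRunner code.  A passive collector copies a protocol field (the
 * argument of a POP3/FTP "PASS" command, or the request-URI of an HTTP
 * GET) out of a captured TCP payload into a fixed-size record field.
 * FIELD_MAX, the function names and the sample payloads are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed size of the collector's record field */

/* Locate the argument after `prefix` in raw (not NUL-terminated) packet
 * data; every scan is bounded by `len`.  The field ends at `stop` (' '
 * for a URI followed by "HTTP/1.x"), at CR/LF, or at end of payload. */
static const char *find_field(const char *payload, size_t len,
                              const char *prefix, char stop, size_t *fieldlen)
{
    size_t plen = strlen(prefix);
    if (len < plen || memcmp(payload, prefix, plen) != 0)
        return NULL;
    const char *arg = payload + plen;
    size_t n = 0, avail = len - plen;
    while (n < avail && arg[n] != stop && arg[n] != '\r' && arg[n] != '\n')
        n++;
    *fieldlen = n;
    return arg;
}

/* Vulnerable pattern: the field length comes from the packet and is never
 * compared with the destination size.  A password or URI longer than
 * FIELD_MAX bytes overruns `dst`: the attacker-controlled overflow the
 * advisory describes.  Shown for comparison; not run on oversize input. */
void record_field_unchecked(char dst[FIELD_MAX], const char *payload, size_t len,
                            const char *prefix, char stop)
{
    size_t n;
    const char *arg = find_field(payload, len, prefix, stop, &n);
    if (arg == NULL) { dst[0] = '\0'; return; }
    memcpy(dst, arg, n);   /* n is attacker-chosen, dst holds 64 bytes */
    dst[n] = '\0';
}

/* Hardened form: the destination size travels with the buffer and a field
 * that does not fit (with its NUL) is dropped instead of copied.
 * Returns 0 on success, -1 if not the expected command, -2 if too long. */
int record_field_checked(char *dst, size_t dstsize, const char *payload,
                         size_t len, const char *prefix, char stop)
{
    size_t n;
    const char *arg = find_field(payload, len, prefix, stop, &n);
    if (dstsize == 0) return -2;
    if (arg == NULL) { dst[0] = '\0'; return -1; }
    if (n >= dstsize) { dst[0] = '\0'; return -2; }   /* oversize: drop and count it */
    memcpy(dst, arg, n);
    dst[n] = '\0';
    return 0;
}

/* Build a synthetic line "<head><fill x 'A'><tail>" (constructed input, not
 * captured traffic) and run the checked parser on it. */
int probe_line(const char *head, size_t fill, const char *tail,
               const char *prefix, char stop)
{
    char field[FIELD_MAX];
    size_t hl = strlen(head), tl = strlen(tail), len = hl + fill + tl;
    char *payload = malloc(len);
    if (payload == NULL) return -3;
    memcpy(payload, head, hl);
    memset(payload + hl, 'A', fill);
    memcpy(payload + hl + fill, tail, tl);
    int rc = record_field_checked(field, sizeof field, payload, len, prefix, stop);
    free(payload);
    return rc;
}

/* Convenience wrappers for the two protocols named in the advisory. */
int probe_pass_line(size_t pwlen) { return probe_line("PASS ", pwlen, "\r\n", "PASS ", '\r'); }
int probe_get_line(size_t urilen) { return probe_line("GET /", urilen, " HTTP/1.0\r\n", "GET ", ' '); }

/* Parse a benign constructed POP3 line and check the password came out intact. */
int sample_pass_roundtrip(void)
{
    const char pkt[] = "PASS hunter2\r\n";
    char field[FIELD_MAX];
    int rc = record_field_checked(field, sizeof field, pkt, sizeof pkt - 1, "PASS ", '\r');
    return rc == 0 && strcmp(field, "hunter2") == 0;
}

int main(void)
{
    printf("7-byte password  : rc=%d\n", probe_pass_line(7));     /* 0  */
    printf("300-byte password: rc=%d\n", probe_pass_line(300));   /* -2 */
    printf("10-byte URI      : rc=%d\n", probe_get_line(10));     /* 0  */
    printf("4000-byte URI    : rc=%d\n", probe_get_line(4000));   /* -2 */
    return sample_pass_roundtrip() ? 0 : 1;
}
```

    Two points of the fix are worth keeping in mind when reviewing a
    parser of this kind.  The scan in find_field is bounded by the
    captured length rather than by a NUL, because packet data carries no
    terminator; and the size check uses n >= dstsize, not n > dstsize,
    so that the terminating NUL still fits.  A collector that merely
    truncated instead of dropping would avoid the crash but silently
    record wrong credentials, so returning an error and counting the
    event is the better choice for a monitoring product.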

SOLUTION

    Raytheon is aware of the vulnerabilities described in this advisory.
    SilentRunner version 2.0 is vulnerable to all issues described above,
    and version 1.6.1 to the protocol-parsing password overflows.
    SilentRunner version 2.0.1 contains fixes for the long password
    overflow vulnerabilities, but remains vulnerable to the long HTTP
    query issue in the Knowledge Browser; no fix for that issue is given.