Subject: Potential DoS Attack on RSA's ACE/Server
From: JJ Gray (nexusPATROL.I-WAY.CO.UK)
Date: Thu Jun 08 2000 - 08:19:19 CDT


Hi folks,
RSA Security http://www.rsasecurity.com/ produce a two-factor secure authentication solution called ACE/Server. This uses SecurID tokens to enforce authentication and runs on NT/2000 and Solaris.
It is possible for a nonprivileged user on the same network as the ACE/Server to trivially produce a DoS attack that kills the aceserver process thus denying all authentication requests.

Test Lab : ACE/Server version 3.1 and 4.1 on Solaris 2.6, Sparc Ultra5
( For one reason and another I don't have the time to test this on NT, if someone could attempt to replicate this attack, it would be appreciated ;-) )

Attack : A simple UDP port flooding at LAN speeds (250 packets/second) with randomly sized UDP packets at the port used for authentication requests, default is 5500/UDP. Process dies in 15-20 seconds.

Result : The aceserver process dies and can no longer process any SecurID authentication requests, denying all access to any SecurID protected resources. The aceserver process has to be stopped/started to restore functionality.

Vendor Status : Contacted, response :
"With regards to your DoS query we don't see this as a problem due to the fact that the ACE/Server should be in a 'secure' area where people cannot send a large number of packets to it. The more likely problem is to do with a DoS attack on a client (which is not in a secure area). If it is ok with you I shall close the case."

Solution : It is mentioned in the ACE/Server documentation that it should be secured; however, the only effective way to protect against this attack would be to put the ACE/Server on a DMZ or equivalent and restrict traffic to the ACE/Server ports from specific ACE/Clients only, and this is not mentioned in their security requirements. I know of a number of ACE/Server installations that have no protection for their ACE/Server, nor are they hardened in any way.

RSA Security do not consider this attack to be a problem. I disagree, as the end result could be that a nonprivileged user can deny all legitimate authentication requests to all SecurID protected resources. I take the view that Administrators should be able to decide for themselves whether or not this is a threat, hence this post.
( This has been posted to BugTraq and NTBugtraq (as there is an NT version), feel free to distribute anywhere but please keep the post intact, cheers. )

Regards,
        JJ

JJ Gray, Security Analyst

Sed quis custodiet ipsos custodes ?

PGP Key available.
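A defender-side monitor for the condition described in the post, added here as an example and not part of the original message or of RSA's product: it reads constructed UDP datagram records (timestamp, source, destination port, length), flags sources that are not on an assumed ACE/Client allowlist, and flags any source whose packet rate toward the default 5500/UDP authentication port looks like a port flood. The record format, the allowlist and the alert threshold are assumptions made for this example.

```python
# Added example: watch UDP traffic to the ACE/Server auth port (5500/UDP by
# default, as the post states) and flag (a) sources that are not known
# ACE/Clients and (b) sources whose packet rate looks like a port flood.
# The record format, allowlist and threshold are assumptions for this example.
from collections import defaultdict
from dataclasses import dataclass

ACE_AUTH_PORT = 5500                         # default auth port named in the post
ACE_CLIENTS = {"10.0.1.10", "10.0.1.11"}     # assumed allowlist of ACE/Client IPs
FLOOD_PPS = 100                              # assumed alert threshold (post: ~250 pps)

@dataclass
class Datagram:
    ts: float      # capture time in seconds
    src: str       # source IP address
    dport: int     # destination UDP port
    length: int    # payload length in bytes

def parse_record(line: str) -> Datagram:
    """Parse one constructed record of the form '<ts> <src> <dport> <length>'."""
    ts, src, dport, length = line.split()
    return Datagram(float(ts), src, int(dport), int(length))

def max_rate(times: list, window: float = 1.0) -> int:
    """Largest number of packets from one source inside any `window` seconds."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] >= window:   # slide the window start forward
            j += 1
        best = max(best, i - j + 1)
    return best

def analyze(lines):
    """Return unexpected and flooding sources that talk to the auth port."""
    per_src = defaultdict(list)
    for d in map(parse_record, lines):
        if d.dport == ACE_AUTH_PORT:     # only traffic aimed at the auth port matters
            per_src[d.src].append(d.ts)
    unauthorized = sorted(s for s in per_src if s not in ACE_CLIENTS)
    rates = {s: max_rate(t) for s, t in per_src.items()}
    flooding = {s: r for s, r in rates.items() if r >= FLOOD_PPS}
    return {"unauthorized": unauthorized, "flooding": flooding}

# Constructed sample: three normal auth requests from a known client, one
# syslog datagram, and a one-second burst of 300 random-length datagrams
# from an unknown host aimed at the auth port.
SAMPLE = ["100.1 10.0.1.10 5500 120", "100.5 10.0.1.10 5500 118",
          "101.2 10.0.1.10 5500 121", "100.7 10.0.1.11 514 80"]
SAMPLE += [f"{100.0 + i / 300:.4f} 192.168.7.5 5500 {40 + (i * 37) % 900}" for i in range(300)]

if __name__ == "__main__":
    print(analyze(SAMPLE))  # {'unauthorized': ['192.168.7.5'], 'flooding': {'192.168.7.5': 300}}
```

Feeding the same records through a firewall allowlist (only ACE_CLIENTS may reach 5500/UDP) is the mitigation the post describes; this monitor only tells you when that rule is missing or being tested.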