From: Peter Gründl (pgrundlkpmg.dk)
Date: Wed Jun 19 2002 - 04:35:19 CDT



    Title: BlackICE Agent Temporary Memory Buildup

    BUG-ID: 2002023
    Released: 17th Jun 2002

    The vendor has asked us to include their reply in this bulletin. To
    avoid too much duplicate information, we have decided to split the
    vendor's response into the relevant sections of this advisory. All
    vendor quotes will be enclosed in quotation marks (").

    "The default settings for BlackICE Agent allow for an overly large
     number of TCP connections. A large number of open TCP connections
     coupled with a limited amount of memory can result in a limited
     Denial of Service (DoS) attack. Remote attackers on the same
     high-speed network segment may be able to launch an attack against
     a vulnerable BlackICE Agent. BlackICE Agents with an ample amount
     of memory outside a lab environment cannot be reliably attacked by
     exploiting this flaw."

    It is possible for a malicious user to consume up to 400MB of memory
    on a host running BlackICE Agent. This attack can be performed over
    the Internet.

    - BlackICE Agent 3.1 eal on Windows 2000 laptop
    - BlackICE Agent 3.1 ebh on Windows 2000 laptop

    "The BlackICE line includes multiple products which share a common
     code-base and require different tuning parameters. All products
     contain a Network Intrusion Detection System (NIDS) component. The
     desktop/server BlackICE Agent uses NIDS to monitor inbound and
     outbound traffic from a single desktop or server computer. The
     BlackICE Sentry monitors a specific network or segment, which
     contains traffic belonging to other devices.

     Since BlackICE Sentry monitors all traffic on the network segment,
     it must support monitoring multiple devices with many connections
     apiece. A single desktop typically has fewer than 10 TCP
     connections while a single server may have several hundred TCP
     connections. BlackICE Sentry may be monitoring hundreds of
     thousands of TCP connections at any time, and each TCP connection
     that is tracked requires memory.

     The desktop Agent version of BlackICE should be tuned to a maximum
     of 5,000 connections. The server Agent should be tuned to limit
     10,000 simultaneous connections. The Sentry version is tuned to
     handle 250,000 simultaneous TCP connections.

     This tuning eliminates the problem where the Agent is configured
     like Sentry, and continues to allocate memory until it reaches the
     limit of 250,000 simultaneous TCP connections."

    When specially crafted TCP packets are sent to ports on the
    firewalled host, the host starts allocating memory. Depending on the
    state of the port that is attacked, it is possible to consume between
    200 and 400MB of memory with this attack. The firewalled host will
    recover on its own, which should take 10-15 minutes.

    Vendor URL:
    You can visit the vendor webpage here: http://www.iss.net

    Vendor Response:
    This was reported to the vendor on the 15th of March, 2002. On the
    29th of May, 2002 the vendor reproduced the issue. On the 17th of
    June, 2002 we received the vendor's official response to the issue.

    Corrective action:
    "ISS X-Force recommends that BlackICE Agent users reconfigure the
     maximum number of TCP connections to 5000 simultaneous connections.
     This setting can be adjusted by editing the local "blackice.ini"
     file, or by modifying this parameter via the ICEcap Management


     ISS will update the next version of BlackICE Agent with the correct
     tuning parameters."
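    The following is an added illustration, not code from ISS, KPMG or
    the BlackICE product: a toy model of a NIDS TCP connection tracker
    that shows why an Agent tuned with a Sentry-sized limit keeps
    allocating memory under a flood of half-open connections, and how a
    per-host cap of 5000 tracked connections (the vendor's recommended
    setting) bounds that memory. The per-entry cost of 256 bytes, the
    idle timeout, the eviction policy and the sample addresses are all
    constructed assumptions; the real blackice.ini key and BlackICE's
    internal bookkeeping are not documented in this advisory.

```python
# Added example (not BlackICE code): a simplified connection-tracking
# table with an optional cap, driven by constructed synthetic traffic.
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class ConnEntry:
    state: str
    last_seen: float
    bytes_used: int = 256  # constructed per-flow cost, not BlackICE's real figure


class ConnectionTracker:
    """Tracks TCP flows by 4-tuple; max_connections=None means 'tuned like Sentry'."""

    def __init__(self, max_connections=None, idle_timeout=600.0):
        self.max_connections = max_connections
        self.idle_timeout = idle_timeout  # assumed idle expiry, in seconds
        self.table = OrderedDict()        # (src, sport, dst, dport) -> ConnEntry, LRU order
        self.dropped = 0                  # flows evicted to honour the cap

    def observe(self, four_tuple, flags, now):
        """Record one packet; returns True if the flow is (still) tracked."""
        if four_tuple in self.table:
            entry = self.table[four_tuple]
            entry.last_seen = now
            self.table.move_to_end(four_tuple)
            if "R" in flags or "F" in flags:   # teardown frees the entry
                del self.table[four_tuple]
            return True
        if "S" not in flags:
            return False  # no handshake start: nothing to allocate for
        self.expire(now)
        if self.max_connections is not None and len(self.table) >= self.max_connections:
            # Capped tracker: evict the least-recently-seen flow instead of growing.
            self.table.popitem(last=False)
            self.dropped += 1
        self.table[four_tuple] = ConnEntry("SYN_SEEN", now)
        return True

    def expire(self, now):
        """Drop idle flows from the front of the LRU order (the on-its-own recovery)."""
        cutoff = now - self.idle_timeout
        while self.table:
            key, entry = next(iter(self.table.items()))
            if entry.last_seen >= cutoff:
                break
            del self.table[key]

    def memory_bytes(self):
        return sum(e.bytes_used for e in self.table.values())


def simulate_flood(tracker, n_flows, start=0.0):
    """Feed n_flows distinct SYN-only flows from a constructed source; return (bytes, flows)."""
    for i in range(n_flows):
        key = ("198.51.100.7", 1024 + (i % 60000), "192.0.2.10", 80 + (i // 60000))
        tracker.observe(key, "S", start + i * 1e-4)
    return tracker.memory_bytes(), len(tracker.table)


if __name__ == "__main__":
    uncapped = ConnectionTracker(max_connections=None)
    print("uncapped:", simulate_flood(uncapped, 100_000))   # grows with the flood
    capped = ConnectionTracker(max_connections=5000)
    print("capped  :", simulate_flood(capped, 100_000), "evicted", capped.dropped)
    capped.expire(10.0 + 900.0)                             # idle flows age out
    print("after idle timeout:", len(capped.table))
```

    With the assumptions above, the uncapped tracker holds all 100,000
    half-open flows (25.6MB at 256 bytes each) while the capped one never
    exceeds 5000 entries; the same scaling is what turns a 250,000-entry
    Sentry limit into hundreds of megabytes on a desktop Agent.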

    Andreas Sandor (asandorkpmg.dk)
    Peter Gründl (pgrundlkpmg.dk)

    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be
    liable for any consequences whatsoever arising out of or in
    connection with the use or spread of this information.