[SECURITY-L] Vulnerability in ICQ Parsing in ISS Products

CSIRT - UNICAMP security at unicamp.br
Mon Mar 22 13:19:04 -03 2004


----- Forwarded message from Klaus Steding-Jessen <jessen at nic.br> -----

From: Klaus Steding-Jessen <jessen at nic.br>
Subject: [S] Vulnerability in ICQ Parsing in ISS Products
To: seguranca at pangeia.com.br
Date: Sun, 21 Mar 2004 12:41:13 -0300

[http://xforce.iss.net/xforce/alerts/id/166]

Alerts

Internet Security Systems Security Alert
March 18, 2004

Vulnerability in ICQ Parsing in ISS Products

Synopsis:

A vulnerability was discovered in the ICQ instant messaging protocol
parsing routines of the ISS Protocol Analysis Module (PAM) component.
The PAM module is a shared component of all current ISS host, server,
and network protection software and devices. The flaw relates to
incorrect parsing of the ICQ protocol which may lead to a buffer
overflow condition.

Affected Versions:

RealSecure® Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
Proventia A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before


Impact:

The vulnerability is caused by insufficient size checks on certain
protocol fields in ICQ response data. After examining the nature of
this vulnerability, ISS X-Force believes that exploitation of this
issue is possible. It would not be necessary for ICQ response data to
be part of a legitimate ICQ session to trigger this issue.

Description:

The Protocol Analysis Module (PAM) facilitates the parsing of network
protocols in order to perform further analysis and attack detection.
ICQ is a popular instant messaging application developed by ICQ Inc.,
a subsidiary of America Online. In order to detect attacks targeting
instant messaging software, PAM parses several IM protocols including
ICQ.

There is incomplete boundary checking when parsing certain protocol
fields embedded within ICQ response data. As a result, it may be
possible for a remote attacker to cause memory corruption with the
potential for remote exploitation.

Recommendations:

ISS X-Force recommends that customers immediately update to the
latest releases provided by ISS. These updates contain a fix for
this issue.

ISS has already made the following updates available to remedy this
vulnerability:

RealSecure Network 7.0, XPU 22.12
RealSecure Server Sensor 7.0 XPU 22.12
Proventia A Series XPU 22.12
Proventia G Series XPU 22.12
Proventia M Series XPU 1.10
RealSecure Desktop 7.0 ebm
RealSecure Desktop 3.6 ecg
RealSecure Guard 3.6 ecg
RealSecure Sentry 3.6 ecg
BlackICE Agent for Server 3.6 ecg
RealSecure Server Sensor 6.5 for Windows SR 3.11

The following updates will soon be made available:

BlackICE PC Protection 3.6 ccg
BlackICE Server Protection 3.6 ccg

Updates are available from the ISS Download Center:
http://www.iss.net/download/


While deploying the updates, it may be advisable to block some ICQ
traffic in network environments where the ICQ protocol is not in
use. This can be achieved by blocking UDP packets with a source
port of 4000 at the network perimeter.

Additional Information:

http://www.eeye.com

Credit:

ISS X-Force would like to thank eEye Digital Security for notifying
ISS of the issue.

------

----- End forwarded message -----
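
The advisory attributes the flaw to insufficient size checks on protocol
fields in ICQ response data. As an added example (not part of the advisory
and not ISS code), the C code below shows the two checks a length-prefixed
field parser needs before copying into a fixed buffer. The field layout
(1-byte type, 2-byte little-endian length, value), the function names and
the sample datagrams are assumptions made for illustration, not the ICQ
wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical field layout, assumed for illustration only (not the ICQ
 * wire format and not ISS code): 1-byte type, 2-byte little-endian length,
 * then `length` bytes of value. */
enum parse_status { PARSE_OK = 0, PARSE_NOT_FOUND, PARSE_TRUNCATED, PARSE_TOO_LONG };

/* Copy the first field of type `want` from pkt[0..pkt_len) into out[0..out_cap).
 * Every length read from the packet is checked against the bytes that really
 * remain in the datagram and against the capacity of the destination. */
enum parse_status extract_field(const uint8_t *pkt, size_t pkt_len, uint8_t want,
                                uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t off = 0;
    while (off < pkt_len) {
        if (pkt_len - off < 3)        /* field header itself is cut short */
            return PARSE_TRUNCATED;
        uint8_t type = pkt[off];
        size_t len = (size_t)pkt[off + 1] | ((size_t)pkt[off + 2] << 8);
        off += 3;
        if (len > pkt_len - off)      /* declared length exceeds data received */
            return PARSE_TRUNCATED;
        if (type == want) {
            if (len > out_cap)        /* without this check, memcpy overflows out */
                return PARSE_TOO_LONG;
            memcpy(out, pkt + off, len);
            *out_len = len;
            return PARSE_OK;
        }
        off += len;                   /* skip a field we do not need */
    }
    return PARSE_NOT_FOUND;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t SAMPLE_OK[]   = { 0x01, 0x02, 0x00, 'h', 'i', 0x02, 0x03, 0x00, 'a', 'b', 'c' };
static const uint8_t SAMPLE_LONG[] = { 0x02, 0x06, 0x00, 'a', 'b', 'c', 'd', 'e', 'f' };
static const uint8_t SAMPLE_LIE[]  = { 0x02, 0xff, 0xff, 'a', 'b' };

/* Parse a sample into a 4-byte destination, standing in for a fixed-size field buffer. */
enum parse_status run_sample(const uint8_t *pkt, size_t pkt_len, size_t *n)
{
    uint8_t name[4];
    return extract_field(pkt, pkt_len, 0x02, name, sizeof name, n);
}
```

A parser of this shape rejects the datagram on the first inconsistent
length rather than trusting a value supplied by the sender.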


