From pgrundl@kpmg.dk Thu Jun 20 02:44:49 2002
From: "Peter Gründl"
To: vulnwatch
Date: Wed, 19 Jun 2002 11:35:19 +0200
Subject: [VulnWatch] KPMG-2002023: BlackICE Agent Temporary Memory Buildup

--------------------------------------------------------------------
Title: BlackICE Agent Temporary Memory Buildup
BUG-ID: 2002023
Released: 17th Jun 2002
--------------------------------------------------------------------

!NOTE!
======
The vendor has asked us to include their reply in this bulletin. To avoid too much duplicate information, we have decided to split the vendor's response into the relevant sections of this advisory. All vendor quotes will be contained in quotes (").

Problem:
========
"The default settings for BlackICE Agent allow for an overly large number of TCP connections. A large number of open TCP connections coupled with a limited amount of memory can result in a limited Denial of Service (DoS) attack. Remote attackers on the same high-speed network segment may be able to launch an attack against a vulnerable BlackICE Agent. BlackICE Agents with an ample amount of memory outside a lab environment cannot be reliably attacked by exploiting this flaw."

It is possible for a malicious user to consume up to 400 MB of memory on a host running BlackICE Agent. This attack can be performed over the Internet.

Vulnerable:
===========
- BlackICE Agent 3.1 eal on Windows 2000 laptop
- BlackICE Agent 3.1 ebh on Windows 2000 laptop

Details:
========
"The BlackICE line includes multiple products which share a common code-base and require different tuning parameters. All products contain a Network Intrusion Detection System (NIDS) component. The desktop/server BlackICE Agent uses NIDS to monitor inbound and outbound traffic from a single desktop or server computer.
The BlackICE Sentry monitors a specific network or segment, which contains traffic belonging to other devices. Since BlackICE Sentry monitors all traffic on the network segment, it must support monitoring multiple devices with many connections apiece. A single desktop typically has fewer than 10 TCP connections while a single server may have several hundred TCP connections. BlackICE Sentry may be monitoring hundreds of thousands of TCP connections at any time, and each TCP connection that is tracked requires memory. The desktop Agent version of BlackICE should be tuned to a maximum of 5,000 connections. The server Agent should be tuned to limit 10,000 simultaneous connections. The Sentry version is tuned to handle 250,000 simultaneous TCP connections. This tuning eliminates the problem where the Agent is configured like Sentry, and continues to allocate memory until it reaches the limit of 250,000 simultaneous TCP connections."

When sending specially crafted TCP packets to ports on the firewalled host, it starts allocating memory. Depending on the state of the port that is attacked, it is possible to consume between 200 and 400 MB of memory with this attack. The firewalled host will recover on its own, which should take 10-15 minutes.

Vendor URL:
===========
You can visit the vendor webpage here: http://www.iss.net

Vendor Response:
================
This was reported to the vendor on the 15th of March, 2002. On the 29th of May, 2002 the vendor reproduced the issue. On the 17th of June, 2002 we received the vendor's official response to the issue.

Corrective action:
==================
"ISS X-Force recommends that BlackICE Agent users reconfigure the maximum number of TCP connections to 5000 simultaneous connections. This setting can be adjusted by editing the local "blackice.ini" file, or by modifying this parameter via the ICEcap Management console:

tcp.maxconnections=5000

ISS will update the next version of BlackICE Agent with the correct tuning parameters."
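A small audit helper for the corrective action above, added here as an example and not part of the KPMG advisory or of ISS's own tooling. It assumes (as the vendor text implies but does not specify) that blackice.ini is a plain key=value file, possibly with [section] headers and ';' comments; the sample fragments are constructed. The thresholds are the vendor's quoted figures: 5,000 for a desktop Agent and 10,000 for a server Agent. A missing key is reported separately, because the vendor states that the untuned default is the overly large value.

```python
# Audit helper for the tcp.maxconnections setting (added example, not vendor code).

# Thresholds quoted by the vendor in this advisory.
RECOMMENDED_MAX = {"desktop": 5000, "server": 10000}
KEY = "tcp.maxconnections"

# Constructed sample fragments. The real blackice.ini layout is assumed to be
# plain key=value lines; the section name and comment below are placeholders.
SAMPLE_INI_UNTUNED = """
; constructed sample: Agent left at the Sentry-sized limit quoted in the advisory
[Network]
tcp.maxconnections=250000
"""

SAMPLE_INI_TUNED = """
[Network]
tcp.maxconnections=5000
"""


def parse_ini(text):
    """Return {lower-cased key: value} for every key=value line, ignoring
    blank lines, ';' or '#' comments and [section] headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def check_maxconnections(text, role="desktop"):
    """Compare tcp.maxconnections with the vendor's recommended limit for the
    given role ('desktop' or 'server'). Returns a dict with a status of
    'ok', 'too_high', 'invalid' (non-numeric) or 'missing' (default applies,
    which the vendor describes as overly large)."""
    limit = RECOMMENDED_MAX[role]
    value = parse_ini(text).get(KEY)
    if value is None:
        return {"status": "missing", "value": None, "limit": limit}
    try:
        n = int(value)
    except ValueError:
        return {"status": "invalid", "value": value, "limit": limit}
    return {"status": "ok" if n <= limit else "too_high", "value": n, "limit": limit}


def apply_recommendation(text, role="desktop"):
    """Return the ini text with tcp.maxconnections set to the recommended
    limit, replacing an existing line in place or appending one if absent.
    All other lines are preserved unchanged."""
    limit = RECOMMENDED_MAX[role]
    out, replaced = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        key = stripped.partition("=")[0].strip().lower()
        is_comment = stripped.startswith((";", "#"))
        if "=" in stripped and key == KEY and not is_comment:
            out.append(f"{KEY}={limit}")
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(f"{KEY}={limit}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, ini in (("untuned", SAMPLE_INI_UNTUNED), ("tuned", SAMPLE_INI_TUNED)):
        print(name, check_maxconnections(ini, "desktop"))
    print(apply_recommendation(SAMPLE_INI_UNTUNED, "desktop"))
```

Run the module directly to see the verdict for each constructed sample and the rewritten untuned fragment; point `check_maxconnections` at the contents of a real blackice.ini and pass "server" for server Agents so the 10,000 limit is used.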
Authors:
========
Andreas Sandor (asandor@kpmg.dk)
Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information.
--------------------------------------------------------------------