Bugtraq mailing list archives

RSA Aceserver UDP Flood Vulnerability


From: gwen () REPTILES ORG (Gwendolynn ferch Elydyr)
Date: Wed, 12 Jul 2000 15:13:18 -0400


Rather an interesting turnaround from their earlier insistence that there was
no problem...

Dear SecurCare Online Customer:

ACE/Server UDP Flood Vulnerability
A possible UDP flood vulnerability exists in the ACE/Server. This
vulnerability indicated that users could send UDP packets to the
authentication port UDP 5500, and bring the server process down.

To remedy this, RSA Security has developed a patch for ACE/Server v3.3 and
v3.3.1 and a hot-fix for v4.0 and v4.1.

Minimizing the Possible Threat
To further reduce the vulnerability, RSA recommends two things.

1.    Place an intrusion detection or traffic monitor on the LAN.

Most ACE/Servers are on internal networks behind firewalls. This limits
access to the Server's UDP port to people on the local network. UDP
attacks are not likely to happen via the Internet. If the internal network
has any form of traffic monitoring, such an attempted attack will likely
be caught.

2.    Install the ACE/Server in a protected environment, such as a DMZ, to
block unauthorized access.

Patch and Recommendations
As a SecurCare Online customer, your current maintenance agreement allows
you to get the fix for this problem at no additional charge. Please note
that the fix for this problem is both platform and ACE/Server version
specific. In other words, be sure you install the correct version of this
fix for your ACE/Server platform and version.

If you're using ACE/Server v3.3 or v3.3.1, RSA Support recommends that you
download and install patch 16 (3.3.16), which includes the fix for this
problem.  This patch is available at
http://knowledge.rsasecurity.com/frameset_patches2.asp. If you are unable
to install the 3.3.16 patch, RSA Support recommends that you install the
hot-fix for this problem, which can be obtained at
ftp://ftp.securid.com/support/outgoing/dos. The minimum recommended patch
level for this hot-fix is patch 15 (3.3.15).

If you're using ACE/Server v4.0 RSA Support recommends installing the
hot-fix available at ftp://ftp.securid.com/support/outgoing/dos. The
minimum recommended patch level for this hot-fix is patch 1 (4.0.1).

If you're using ACE/Server v4.1 we recommend applying the hot-fix at
ftp://ftp.securid.com/support/outgoing/dos.
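The advisory's first recommendation is a traffic monitor on the LAN that would catch an attempted flood of the UDP 5500 authentication port. The following is an added example, not part of the original post or of any RSA tool: a per-source sliding-window rate check over constructed flow-log lines (the log format, the one-second window and the 50-packet threshold are assumptions, not values from the advisory).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACE_AUTH_PORT = 5500            # UDP authentication port named in the advisory
WINDOW = timedelta(seconds=1)   # sliding window length (assumed tuning value)
THRESHOLD = 50                  # packets per window per source before alerting (assumed)

# Constructed sample flow log, one record per line:
# "<ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
_normal = [
    "2000-07-12T15:00:00.000 10.0.0.7 10.0.0.20 UDP 5500",   # ordinary auth traffic
    "2000-07-12T15:00:00.200 10.0.0.8 10.0.0.20 UDP 5500",
    "2000-07-12T15:00:01.000 10.0.0.7 10.0.0.20 UDP 5500",
]
_burst = [f"2000-07-12T15:00:02.{i:03d} 10.0.0.99 10.0.0.20 UDP 5500" for i in range(60)]
_tcp = ["2000-07-12T15:00:02.500 10.0.0.99 10.0.0.20 TCP 5500"]     # wrong protocol, ignored
SAMPLE_LOG = "\n".join(_normal + _burst + _tcp) + "\n"


def parse_line(line):
    """Split one constructed flow record into its typed fields."""
    ts, src, dst, proto, port = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(port)


def detect_udp_floods(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: timestamp of first alert} for every source that sends
    at least `threshold` UDP datagrams to port 5500 inside any `window`."""
    recent = defaultdict(deque)   # src -> timestamps of UDP/5500 packets still in the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, proto, port = parse_line(line)
        if proto != "UDP" or port != ACE_AUTH_PORT:
            continue                      # only the ACE/Server auth port matters here
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop packets that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts              # record the moment the source crossed the line
    return alerts


if __name__ == "__main__":
    for src, when in detect_udp_floods(SAMPLE_LOG).items():
        print(f"UDP flood toward port {ACE_AUTH_PORT} from {src} starting {when.isoformat()}")
```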

