Bugtraq mailing list archives
Re: RSA Aceserver UDP Flood Vulnerability
From: vin () SHORE NET (Vin McLellan)
Date: Fri, 14 Jul 2000 18:44:36 -0400
Gwendolynn ferch Elydyr <gwen () REPTILES ORG> wrote:
> Rather an interesting turnaround from their earlier insistence that there was no problem...
Ummmm. What RSA actually said -- after the "potential DoS" report was initially published here -- was that RSA's engineers were having difficulty reproducing the specific Denial of Service (DoS) attack that JJ Gray <nexus () patrol i-way co uk> reported he had used to crash an ACE authentication server. I was consulting to RSA on the incident, and tried to keep Mr. Gray and the interested Lists informed as to the progress of the investigation. (Unfortunately, a note I sent twice to Bugtraq about the status of the inquiry was not published. Why, I dunno.)

RSA finally decided to test its ACE/Server against a whole range of potential flood attacks which could be generated by a variety of free and commercial UDP flood generators. Mr. Gray graciously cooperated in the RSA inquiry and provided RSA technicians with the utility he had used to generate the UDP flood that crashed his ACE/Server.

This led to the discovery that a UDP flood on an ACE/Server (which includes packets which appear to be a continuation of an existing UDP session, when no such session exists) can indeed have catastrophic results -- rather than the gradual degradation, and the automatic resurrection, of the authentication service which is the expected behavior for an ACE/Server in the face of a UDP flood.

After extensive compatibility tests, RSA has finally made a hotfix available, and will incorporate the fix in its routine ACE/Server maintenance patches. (I append the full RSA message to its customers, rather than the oddly truncated version Gwen passed along.)

Suerte,
_Vin

Vin McLellan
The Privacy Guild

-------------- RSA doc appended below -------------------

To: RSA Security Customers
From: RSA Security Product Management
Re: RSA ACE/Server UDP Flood Vulnerability
Date: 7/12/00
--------------------------------------

It has been brought to RSA Security's attention that a possible UDP flood vulnerability exists in the RSA ACE/Server(R).

Summary of Vulnerability

This vulnerability was reported last month to the bugtraq and ntbugtraq mailing lists. It indicated that users could send UDP packets to the authentication port, UDP 5500, and bring the server process down. RSA Security has confirmed the report, and offers a patch for RSA ACE/Server v3.3, 4.0 and 4.1.

The RSA Security Support Lab tested the vulnerability by force-feeding servers with 1000 packets per second, without reproducing a process crash. In these tests, the server rode out the flood and recovered within minutes, without needing to be stopped or rebooted. RSA Security did detect a problem handling UDP packets which appeared to be a continuation of a previous session, but where no such session existed. RSA Security has repaired this function.

Minimizing the Possible Threat

Most resources with physical access to a network could be the target of a packet flood, though the volume of packets required varies. To reduce the vulnerability, RSA Security recommends:

1. Placing an intrusion detection or traffic monitor on the LAN. Most RSA ACE/Servers are on internal networks, behind firewalls. This limits access to the Server's UDP port to people on the local network, insiders. UDP attacks such as this are less likely to happen via the Internet. If the internal network has any form of traffic monitoring, such an attack is likely to be caught.

2. Locating RSA ACE/Server in a protected environment, such as a DMZ, to block access by unauthorized users.

Patch and Recommendations

Customers with current maintenance agreements can get the patch in the following patch releases from RSA SecurCare Online.

- RSA ACE/Server v3.3 patch 16    Available now
- RSA ACE/Server 4.0 patch 2      Available Q3
- RSA ACE/Server 4.1 patch 1      Available Q3

Until full patches are available, and for non-maintenance customers, a hotfix is available for each of these releases from our public FTP site, at ftp://ftp.securid.com/support/outgoing/dos

Disclaimers

All information included in this response is based on available knowledge at the time of this publication.

----- end ------
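The RSA advisory quoted above recommends a traffic monitor on the LAN and notes that its lab test used 1000 packets per second against UDP 5500. The following is an added example, not part of Vin McLellan's post or RSA's advisory, of the simplest such monitor: it buckets UDP packets destined for the ACE/Server authentication port per source and per second and flags sources (and, separately, the aggregate) that exceed a rate threshold. The log line format, the threshold value and the sample traffic are all constructed for this example; it does not model the ACE/Server protocol or the "continuation of a non-existent session" condition the advisory describes, only the packet rate a LAN sensor would see.

```python
"""
Added example (not from the original post or the RSA advisory): a minimal
per-second packet-rate monitor for UDP traffic to the RSA ACE/Server
authentication port (UDP 5500).

Input is a constructed, simplified packet/flow log, one record per line:
    <epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port>
Real sensors (netflow, a pcap reader, a firewall log) would need their own
parser; only parse_line() depends on the format.
"""
from collections import defaultdict

ACE_AUTH_PORT = 5500

# Assumed threshold for this example. The advisory's lab test fed the server
# 1000 packets/second; legitimate SecurID authentication traffic from a single
# client on an internal LAN is nowhere near that, so a far lower per-source
# rate is already suspicious. Tune to your own baseline.
DEFAULT_PPS_THRESHOLD = 200


def parse_line(line):
    """Split one constructed log record into (ts, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto.lower(), int(dport)


def count_udp_to_port(lines, port=ACE_AUTH_PORT):
    """Return {(src_ip, second): packet count} for UDP packets to `port`.

    Non-UDP traffic and other ports are ignored so that, e.g., a TCP scan of
    the same host does not inflate the count.
    """
    counts = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _dst, proto, dport = parse_line(line)
        if proto == "udp" and dport == port:
            counts[(src, ts)] += 1
    return counts


def aggregate_pps(lines, port=ACE_AUTH_PORT):
    """Return {second: total UDP packets to `port` from all sources}.

    Catches a flood spread across many (possibly spoofed) source addresses
    that would stay under the per-source threshold.
    """
    totals = defaultdict(int)
    for (_src, ts), n in count_udp_to_port(lines, port).items():
        totals[ts] += n
    return dict(totals)


def detect_floods(lines, threshold=DEFAULT_PPS_THRESHOLD, port=ACE_AUTH_PORT):
    """Return a sorted list of (src_ip, second, pps) buckets at or above threshold."""
    counts = count_udp_to_port(lines, port)
    return sorted((src, ts, n) for (src, ts), n in counts.items() if n >= threshold)


# Constructed sample traffic: five ordinary one-packet authentications from
# different clients, then one host (10.0.0.99) flooding the server for two
# seconds, plus some same-host traffic that must NOT be counted.
SAMPLE_LOG = [f"{1000 + i} 10.0.0.{20 + i} 10.0.0.5 udp 5500" for i in range(5)]
SAMPLE_LOG += ["1003 10.0.0.99 10.0.0.5 udp 5500"] * 250
SAMPLE_LOG += ["1004 10.0.0.99 10.0.0.5 udp 5500"] * 400
SAMPLE_LOG += ["1004 10.0.0.99 10.0.0.5 tcp 5500"] * 50   # wrong protocol, ignored
SAMPLE_LOG += ["1004 10.0.0.99 10.0.0.5 udp 5510"] * 50   # wrong port, ignored

if __name__ == "__main__":
    for src, ts, pps in detect_floods(SAMPLE_LOG):
        print(f"ALERT: {src} sent {pps} UDP packets/s to port {ACE_AUTH_PORT} at t={ts}")
    for ts, total in sorted(aggregate_pps(SAMPLE_LOG).items()):
        if total >= DEFAULT_PPS_THRESHOLD:
            print(f"ALERT: aggregate {total} UDP packets/s to port {ACE_AUTH_PORT} at t={ts}")
```

On the constructed sample this reports 10.0.0.99 at t=1003 (250 pps) and t=1004 (400 pps), and the aggregate check fires for the same two seconds; the TCP and port-5510 records are excluded. A per-second bucket is deliberately crude: a production sensor would use a sliding window and would also alert on the server's own symptoms (the authentication daemon stopping, or failover to the slave server) rather than on traffic alone.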
Current thread:
- Re: RSA Aceserver UDP Flood Vulnerability Frank Darden (Jul 14)
- <Possible follow-ups>
- Re: RSA Aceserver UDP Flood Vulnerability JJ Gray (Jul 14)
- Re: RSA Aceserver UDP Flood Vulnerability Vin McLellan (Jul 14)
- Re: RSA Aceserver UDP Flood Vulnerability Vin McLellan (Jul 19)