Bugtraq mailing list archives

Re: RSA Aceserver UDP Flood Vulnerability


From: vin () SHORE NET (Vin McLellan)
Date: Fri, 14 Jul 2000 18:44:36 -0400


         Gwendolynn ferch Elydyr <gwen () REPTILES ORG> wrote:

> Rather an interesting turnaround from their earlier insistence that there was
> no problem...

         Ummmm. What RSA actually said -- after the "potential DoS" report 
was initially published here -- was that RSA's engineers were having 
difficulty reproducing the specific Denial of Service (DoS) attack that JJ 
Gray <nexus () patrol i-way co uk> reported he had used to crash an ACE 
authentication server.

         I was consulting to RSA on the incident, and tried to keep Mr. 
Gray and the interested Lists informed as to the progress of the 
investigation.  (Unfortunately, a note I sent twice to Bugtraq about the 
status of the inquiry was not published. Why, I dunno.)

         RSA finally decided to test its ACE/Server against a whole range 
of potential flood attacks which could be generated by a variety of free 
and commercial UDP flood generators.  Mr. Gray graciously cooperated in the 
RSA inquiry and provided RSA technicians with the utility he had used to 
generate the UDP flood that crashed his ACE/Server.

         This led to the discovery that a UDP flood on an 
ACE/Server  (which includes packets which appear to be a continuation of an 
existing UDP session, when no such session exists) can indeed have 
catastrophic results -- rather than the gradual degradation, and the 
automatic resurrection, of the authentication service which is the expected 
behavior for an ACE/Server in the face of a UDP flood.

         After extensive compatibility tests, RSA has finally made a hotfix 
available, and will incorporate the fix in its routine ACE/Server 
maintenance patches.  (I append the full RSA message to its customers, 
rather than the oddly truncated version Gwen passed along.)

         Suerte,

                 _Vin

Vin McLellan
The Privacy Guild

-------------- RSA doc appended below -------------------

To:     RSA Security Customers
From:   RSA Security Product Management
Re:     RSA ACE/Server UDP Flood Vulnerability
Date:   7/12/00
--------------------------------------

It has been brought to RSA Security's attention that a possible UDP
flood vulnerability exists in the RSA ACE/Server®.

Summary of Vulnerability

This vulnerability was reported last month to the bugtraq and ntbugtraq
mailing lists. It indicated that users could send UDP packets to the
authentication port, UDP 5500, and bring the server process down.

RSA Security has confirmed the report, and offers a patch for RSA
ACE/Server v3.3, 4.0 and 4.1.

The RSA Security Support Lab tested the vulnerability by force-feeding 
servers with 1000 packets per second, without reproducing a process
crash. In these tests, the server rode out the flood and recovered within 
minutes, without needing to be stopped or rebooted.

RSA Security did detect a problem handling UDP packets which appeared to be 
a continuation of a previous session, but where no such session existed. 
RSA Security has repaired this function.

Minimizing the Possible Threat

Most resources with physical access to a network could be the target of a 
packet flood, though the volume of packets required varies. To reduce the 
vulnerability, RSA Security recommends:

1.      Placing an intrusion detection or traffic monitor on the LAN.

Most RSA ACE/Servers are on internal networks, behind firewalls. This 
limits access to the Server's UDP port to people on the local network, 
insiders. UDP attacks such as this are less likely to happen via the 
Internet.  If the internal network has any form of traffic monitoring, 
such an attack is likely to be caught.

2.      Locating RSA ACE/Server in a protected environment, such as a DMZ, to 
block access by unauthorized users.

Patch and Recommendations

Customers with current maintenance agreements can get the patch in the 
following patch releases from RSA SecurCare Online.

-       RSA ACE/Server v3.3 patch 16 - Available now
-       RSA ACE/Server 4.0 patch 2 - Available Q3
-       RSA ACE/Server 4.1 patch 1 - Available Q3

Until full patches are available, and for non-maintenance customers, a 
hotfix is available for each of these releases from our public FTP site, 
at ftp://ftp.securid.com/support/outgoing/dos

Disclaimers

All information included in this response is based on available knowledge 
at the time of this publication.

----- end ------
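The advisory's first mitigation is a traffic monitor on the LAN segment that hosts the ACE/Server, on the reasoning that a UDP flood aimed at port 5500 is noisy enough to be caught. Below is an added example (written for this page, not RSA's code or any product's rule set) of the two checks such a monitor would run: a per-source, per-second packet-rate threshold on UDP/5500, and an "unexpected source" check that flags any host talking to the authentication port that is not a registered ACE/Agent. The log format, the host addresses, the agent list and the default threshold of 1000 packets per second (borrowed from the lab figure quoted in the advisory, not a vendor-recommended value) are all assumptions; the sample traffic is constructed, not a real capture.

```python
"""Rate-based UDP flood detection for an ACE/Server authentication port.

Added example, not RSA code. Input lines use a constructed, tcpdump-like
summary format (assumption):

    <epoch_seconds> <src_ip> <dst_ip> UDP <dst_port>
"""
from collections import defaultdict

ACE_AUTH_PORT = 5500       # ACE/Server authentication port, per the advisory
DEFAULT_THRESHOLD = 1000   # packets per source per second (assumption)


def parse_line(line):
    """Parse one constructed log line into (second, src, dst, dport).

    Returns None for lines that are malformed or not UDP, so junk in the
    feed is skipped rather than crashing the monitor.
    """
    parts = line.split()
    if len(parts) != 5 or parts[3] != "UDP":
        return None
    try:
        return int(float(parts[0])), parts[1], parts[2], int(parts[4])
    except ValueError:
        return None


def detect_flood(lines, threshold=DEFAULT_THRESHOLD, port=ACE_AUTH_PORT):
    """Return [(src, dst, second, count)] for every (source, server, second)
    bucket in which more than `threshold` UDP packets hit `port`.

    Buckets are one wall-clock second wide, matching the packets-per-second
    figure the advisory reports for its own flood tests.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        second, src, dst, dport = rec
        if dport != port:
            continue
        counts[(src, dst, second)] += 1
    return [(src, dst, sec, n)
            for (src, dst, sec), n in sorted(counts.items()) if n > threshold]


def unexpected_sources(lines, known_agents, port=ACE_AUTH_PORT):
    """Return the set of source IPs that sent any UDP traffic to `port` but
    are not in `known_agents` (the inventory of ACE/Agent hosts; assumed to
    be maintained by the operator).

    This catches a low-and-slow probe that stays under the rate threshold:
    on an internal network only registered agents should talk to 5500.
    """
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, _, dport = rec
        if dport == port and src not in known_agents:
            seen.add(src)
    return seen


def sample_lines():
    """Constructed sample traffic (not a real capture): one ACE/Agent host
    authenticating at a few packets per second, one host flooding UDP/5500
    for a single second, and unrelated DNS traffic the detector must ignore."""
    server, agent, flooder = "10.0.0.10", "10.0.0.5", "10.0.0.99"
    lines = []
    for sec in (1000, 1001):
        lines += [f"{sec}.{i:03d} {agent} {server} UDP 5500" for i in range(5)]
    lines += [f"1000.{i:03d} {flooder} {server} UDP 5500" for i in range(1500)]
    lines += [f"1000.{i:03d} {flooder} {server} UDP 53" for i in range(20)]
    lines.append("not a packet line")
    return lines


if __name__ == "__main__":
    traffic = sample_lines()
    for src, dst, sec, n in detect_flood(traffic):
        print(f"FLOOD  {src} -> {dst}:{ACE_AUTH_PORT}  {n} pkts in second {sec}")
    for src in sorted(unexpected_sources(traffic, known_agents={"10.0.0.5"})):
        print(f"UNKNOWN SOURCE  {src} -> UDP/{ACE_AUTH_PORT}")
```

The rate check alone would miss a flood spread across many spoofed source addresses, which is why the source-inventory check is worth running alongside it; conversely the inventory check alone says nothing about volume. A production monitor would read live flow records or a packet capture instead of `sample_lines()`, and would tune the threshold to the measured authentication rate of the site's agents rather than to the lab number.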

