Bugtraq mailing list archives
Potential DoS Attack on RSA's ACE/Server
From: nexus () PATROL I-WAY CO UK (JJ Gray)
Date: Thu, 8 Jun 2000 14:19:19 +0100
Hi folks,

RSA Security http://www.rsasecurity.com/ produce a 2 factor secure authentication solution called ACE/Server. This uses SecurID tokens to enforce authentication and runs on NT/2000 and Solaris. It is possible for a nonprivileged user on the same network as the ACE/Server to trivially produce a DoS attack that kills the aceserver process thus denying all authentication requests.

Test Lab: ACE/Server version 3.1 and 4.1 on Solaris 2.6, Sparc Ultra5 ( For one reason and another I don't have the time to test this on NT, if someone could attempt to replicate this attack, it would be appreciated ;-) )

Attack: A simple UDP portflooding at LAN speeds (250 packets/second) with randomly sized UDP packets at the port used for authentication requests, default is 5500, UDP. Process dies in 15-20 seconds.

Result: The aceserver process dies and can no longer process any SecurID authentication requests, denying all access to any SecurID protected resources. The aceserver process has to be stopped/started to restore functionality.

Vendor Status: Contacted, response:

"With regards to your DoS query we don't see this as a problem due to the fact that the ACE/Server should be in a 'secure' area where people cannot send a large number of packets to it. The more likely problem is to do with a DoS attack on a client (which is not in a secure area). If it is ok with you I shall close the case."

Solution: It is mentioned in the ACE/Server documentation that it should be secured, however the only effective way to protect against this attack would be to put the ACE/Server on a DMZ or equivalent and restrict traffic to the ACE/Server ports from specific ACE/Clients only, however this is not mentioned in their security requirements. I know of a number of ACE/Server installations that have no protection for their ACE/Server, nor are they hardened in any way.

RSA Security do not consider this attack to be a problem. I disagree as the end result could be that a nonprivileged user can deny all legitimate authentication requests to all SecurID protected resources. I take the view that Administrators should be able to decide for themselves whether or not this is a threat, hence this post.

( This has been posted to BugTraq and NTBugtraq (as there is an NT version), feel free to distribute anywhere but please keep the post intact, cheers. )

Regards,
JJ

JJ Gray, Security Analyst
Sed quis custodiet ipsos custodes ?
PGP Key available.
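Added example (not part of the original post and not RSA tooling): a monitoring check for the mitigation described above, flagging any source that reaches the authentication port without being a listed ACE/Client or that exceeds a per-second packet ceiling. The client addresses, the 50 packets/second ceiling and the packet records are constructed assumptions; only port 5500/UDP and the 250 packets/second figure come from the post.

```python
from collections import defaultdict

ACE_PORT = 5500                                   # default auth port (UDP), per the post
ALLOWED_CLIENTS = {"192.0.2.21", "192.0.2.22"}    # constructed ACE/Client addresses
RATE_LIMIT = 50                                   # assumed per-source packets/second ceiling


def sample_packets():
    """Constructed records: (timestamp, source IP, protocol, dest port, payload bytes)."""
    pkts = []
    for sec in (100, 101):                        # listed client, normal volume
        pkts += [(sec, "192.0.2.21", "udp", ACE_PORT, 124)] * 3
    # unlisted host, 250 datagrams of varying size inside one second
    pkts += [(100 + i / 250, "192.0.2.99", "udp", ACE_PORT, 1 + (i * 37) % 1400)
             for i in range(250)]
    pkts += [(101, "192.0.2.22", "udp", ACE_PORT, 124)] * 80   # listed client bursting
    pkts += [(100, "192.0.2.50", "udp", 53, 60)] * 500         # other port, ignored
    return pkts


def analyse(packets, allowed=ALLOWED_CLIENTS, port=ACE_PORT, limit=RATE_LIMIT):
    """Return {source: (peak packets/second, [reasons])} for sources worth alerting on."""
    per_second = defaultdict(int)
    for ts, src, proto, dport, _size in packets:
        if proto == "udp" and dport == port:
            per_second[(src, int(ts))] += 1
    peak = defaultdict(int)
    for (src, _sec), count in per_second.items():
        peak[src] = max(peak[src], count)
    findings = {}
    for src, count in peak.items():
        reasons = []
        if src not in allowed:
            reasons.append("not-an-ace-client")   # a source filter should have dropped it
        if count > limit:
            reasons.append("rate-exceeded")
        if reasons:
            findings[src] = (count, reasons)
    return findings


if __name__ == "__main__":
    for src, (count, reasons) in sorted(analyse(sample_packets()).items()):
        print(f"{src}: peak {count} pkt/s on UDP/{ACE_PORT}: {', '.join(reasons)}")
```

The rate check is applied to listed clients as well, since a source filter alone does not cover a listed ACE/Client host that starts sending at flood rates.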