Bugtraq mailing list archives

Potential DoS Attack on RSA's ACE/Server


From: nexus () PATROL I-WAY CO UK (JJ Gray)
Date: Thu, 8 Jun 2000 14:19:19 +0100


Hi folks,
    RSA Security (http://www.rsasecurity.com/) produce a two-factor secure authentication solution called ACE/Server.
This uses SecurID tokens to enforce authentication and runs on NT/2000 and Solaris.
It is possible for a nonprivileged user on the same network as the ACE/Server to trivially produce a DoS attack that
kills the aceserver process, thus denying all authentication requests.

Test Lab : ACE/Server version 3.1 and 4.1 on Solaris 2.6, Sparc Ultra5
( For one reason and another I don't have the time to test this on NT, if someone could attempt to replicate this 
attack, it would be appreciated ;-) )

Attack: A simple UDP port flood at LAN speeds (250 packets/second) with randomly sized UDP packets aimed at the port used
for authentication requests (default 5500/UDP). The process dies in 15-20 seconds.

Result: The aceserver process dies and can no longer process any SecurID authentication requests, denying all access to
any SecurID protected resources. The aceserver process has to be stopped/started to restore functionality.

Vendor Status : Contacted, response :
"With regards to your DoS query we don't see this as a problem due to the fact that the ACE/Server should be in a 
'secure' area where people cannot send a large number of packets to it. The more likely problem is to do with a DoS 
attack on a client (which is not in a secure area). If it is ok with you I shall close the case."

Solution: It is mentioned in the ACE/Server documentation that it should be secured; however, the only effective way to
protect against this attack would be to put the ACE/Server on a DMZ or equivalent and restrict traffic to the
ACE/Server ports from specific ACE/Clients only, and this is not mentioned in their security requirements. I know
of a number of ACE/Server installations that have no protection for their ACE/Server, nor are they hardened in any way.
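The mitigation the post recommends (only known ACE/Clients may reach the authentication port) and a simple rate check that would notice the flood described above, as an added example that is not part of the original post and not RSA's code. It assumes packet records are available as plain text lines of the form "epoch_seconds src_ip dst_port" and that the set of legitimate ACE/Client addresses is known; the 5500/UDP port and the roughly 250 packets/second figure come from the post, while the 50 packets/second alert threshold and all sample addresses are constructed for the example.

```python
"""
Added example (not from the Bugtraq post or from RSA): a defender-side
allowlist check and a per-source rate detector for UDP traffic aimed at the
ACE/Server authentication port.

Assumptions (not stated on the page): packet records are text lines
"epoch_seconds src_ip dst_port"; legitimate ACE/Clients are known by address;
more than RATE_ALERT_PPS packets from one source in a one-second bucket is
treated as a flood. Addresses and timestamps below are constructed.
"""
from collections import defaultdict

ACE_AUTH_PORT = 5500   # default ACE/Server authentication port (from the post)
RATE_ALERT_PPS = 50    # assumed alert threshold, well below the ~250 pps that killed the process


def parse_record(line):
    """Parse 'epoch src_ip dst_port' into (float, str, int); return None on malformed input."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return float(parts[0]), parts[1], int(parts[2])
    except ValueError:
        return None


def permitted(src_ip, dst_port, allowed_clients):
    """The ACL the post recommends: only known ACE/Clients may reach the auth port."""
    if dst_port != ACE_AUTH_PORT:
        return True  # this filter only guards the authentication port
    return src_ip in allowed_clients


def rejected_sources(lines, allowed_clients):
    """Return the set of source addresses whose auth-port packets the ACL would drop."""
    dropped = set()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        _, src, port = rec
        if not permitted(src, port, allowed_clients):
            dropped.add(src)
    return dropped


def flood_sources(lines, threshold_pps=RATE_ALERT_PPS):
    """Count auth-port packets per (source, one-second bucket); return sources above threshold."""
    buckets = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, src, port = rec
        if port != ACE_AUTH_PORT:
            continue
        buckets[(src, int(ts))] += 1
    return sorted({src for (src, _), n in buckets.items() if n > threshold_pps})


# Constructed sample: one legitimate client sending five requests over a
# second, one unauthorised workstation sending 300 packets in the same second,
# an unrelated DNS packet, and one malformed line.
SAMPLE_LINES = (
    ["%.3f 10.0.0.20 5500" % (1000.0 + i * 0.2) for i in range(5)]
    + ["%.3f 10.0.0.99 5500" % (1000.0 + i / 300.0) for i in range(300)]
    + ["1000.500 10.0.0.99 53"]
    + ["garbage line"]
)
ALLOWED_CLIENTS = {"10.0.0.20"}  # constructed ACE/Client address

if __name__ == "__main__":
    print("dropped by ACL:", sorted(rejected_sources(SAMPLE_LINES, ALLOWED_CLIENTS)))
    print("flood sources :", flood_sources(SAMPLE_LINES))
```

The allowlist check reflects the post's point that the fix is network placement plus source restriction rather than anything inside ACE/Server itself; the rate detector is only useful as an alert, since by the time the threshold trips the flood is already under way.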

RSA Security do not consider this attack to be a problem. I disagree, as the end result could be that a nonprivileged
user can deny all legitimate authentication requests to all SecurID protected resources. I take the view that
administrators should be able to decide for themselves whether or not this is a threat, hence this post.
( This has been posted to BugTraq and NTBugtraq (as there is an NT version), feel free to distribute anywhere but 
please keep the post intact, cheers. )

Regards,
        JJ

JJ Gray, Security Analyst

Sed quis custodiet ipsos custodes ?

PGP Key available.

