ISS Response to Fate Research Labs RealSecure Advisory

[X-Force <xforce () ISS NET>]

-----BEGIN PGP SIGNED MESSAGE-----

Multiple Flaws in Fate Research Labs RealSecure Product Analysis
November 6, 2000

Internet Security Systems, Inc. Response to 
“RealSecure Advisory - Fate Research Labs (11-01-00)”

Synopsis:

Fate Research Labs released a recent product analysis posted to the BugTraq
mailing list describing three perceived issues in the RealSecure product.
ISS believes that all of these issues were reported in error.

Description:

The message incorrectly states that ISS RealSecure does not support
user-defined signatures.  ISS RealSecure has supported user-defined signatures
since version 3.1, released in June 1999.  ISS X-Force has released numerous
security advisories and alerts that contain user-defined signatures.

Their analysis incorrectly claims that ISS RealSecure does not detect the very
common IIS/RDS security vulnerability discovered by “Rain Forest Puppy”.
ISS X-Force released a security alert with a description of this vulnerability
and a user-defined signature for detection of this vulnerability on August 9,
1999.

On a related note, the message incorrectly claims that ISS RealSecure does not
contain detection support for the much-publicized IIS Unicode vulnerability
affecting IIS versions 4 and 5.  ISS X-Force released a security alert
describing this vulnerability on October 26, 2000.  This X-Force alert also
contains a user-defined signature to detect this vulnerability.

The last portion of the message states that it is possible to detect the
RealSecure engine by looking for a listening TCP port 2998.  The TCP port used
for RealSecure console communications is user definable to any TCP port. In
addition, ISS recommends that all RealSecure customers configure RealSecure
consoles in “stealth mode,” which prevents RealSecure detection.

Internet Security Systems has released new detection capabilities in X-Press
Updates for the ISS SAFEsuite family of products for over a year. 

Recommendations:

ISS X-Force recommends that all RealSecure customers configure the
user-defined signatures as described in the advisories below.

ISS X-Force was not contacted by Fate Research Labs to review their product
analysis prior to posting to BugTraq. Please report all ISS security-related
issues to xforce () iss net.

References:

User-defined signature for RDS hole, August 9, 1999:
http://xforce.iss.net/alerts/advise32.php

User-defined signature for Unicode hole, October 26, 2000:
http://xforce.iss.net/alerts/advise68.php

- ---------
Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQCVAwUBOgdBRDRfJiV99eG9AQEDfAP+IfzzIRVASCLlVh8VmGi0u7bF9CqJjuoQ
L6J3mb3cQuh72zhAqinS9EVjwkYzNla9QyCE4Hfq08Mn67nygTYy2RPViHxEuz/l
gBe37gOFcrBYQsXVLaeFoiNbf/6yvN0Og+hqhzkh52mSYmyw+epQsiztNIJAMA5X
Okw5tDgwprE=
=KmHo
-----END PGP SIGNATURE-----