Bugtraq mailing list archives
Re: RSA Aceserver UDP Flood Vulnerability
From: fdarden () LOCKED COM (Frank Darden)
Date: Fri, 14 Jul 2000 13:32:18 -0400
I suppose its no coincedence that you edited the RSA test labs info from the top of the message. I am attaching the FULL text of the message that RSA sent out. To: RSA Security Customers From: RSA Security Product Management Re: Potential RSA ACE/Server UDP Flood Vulnerability Date: 7/13/00 -------------------------------------- Dear Jimmajamma, It has been brought to RSA Security's attention that a possible UDP flood vulnerability exists in the RSA ACE/Server R. Summary of Potential Vulnerability This vulnerability was reported last month to the bugtraq and ntbugtraq mailing lists. It indicated that users could send UDP packets to the authentication port, UDP 5500, and bring the server process down. RSA Security has confirmed the report, and offers a patch for RSA ACE/Server R v3.3, 4.0 and 4.1. The RSA Security Support Lab tested the potential vulnerability by force-feeding servers with 1000 packets per second, without reproducing a process crash. In these tests, the server rode out the flood and recovered within minutes, without needing to be stopped or rebooted. RSA Security did detect a problem handling UDP packets which appeared to be a continuation of a previous session, but where no such session existed. RSA Security has repaired this function. Minimizing the Possible Threat Most resources with physical access to a network could be the target of a packet flood, though the volume of packets required varies. To reduce the potential vulnerability, RSA Security recommends: 1. Placing an intrusion detection or traffic monitor on the LAN. Most RSA ACE/Servers are on internal networks, behind firewalls. This limits access to the Server's UDP port to people on the local network, insiders. UDP attacks such as this are less likely to happen via the Internet. If the internal network has any form of traffic monitoring, such an attack is likely to be caught. 2. Locating RSA ACE / Server R in a protected environment, such as a DMZ, to block access by unauthorized users. Patch and Recommendations Customers with current maintenance agreements can get the patch in the following patch releases from RSA SecurCare Online. -RSA ACE/Server R v3.3 patch 16 - Available now -RSA ACE/Server R 4.0 patch 2 - Available Q3 -RSA ACE/Server R 4.1 patch 1 - Available Q3 Until full patches are available, and for non-maintenance customers, a hotfix is available for each of these releases from our public FTP site, at ftp://ftp.securid.com/support/outgoing/dos Disclaimers All information included in this response is based on available knowledge at the time of this publication. -----Original Message----- From: Gwendolynn ferch Elydyr [mailto:gwen () REPTILES ORG] Sent: Wednesday, July 12, 2000 3:13 PM To: BUGTRAQ () SECURITYFOCUS COM Subject: RSA Aceserver UDP Flood Vulnerability Rather an interesting turnaround from their earlier insistance that there was no problem...
Dear SecurCare Online Customer: ACE/Server UDP Flood Vulnerability A possible UDP flood vulnerability exists in the ACE/Server. This vulnerability indicated that users could send UDP packets to the authentication port UDP 5500, and bring the server process down. To remedy this, RSA Security has developed a patch for ACE/Server v3.3 and v3.3.1 and a hot-fix for v4.0 and v4.1. Minimizing the Possible Threat To further reduce the vulnerability, RSA recommends two things. 1. Place an intrusion detection or traffic monitor on the LAN. Most ACE/Servers are on internal networks behind firewalls. This limits access to the Server's UDP port to people on the local network. UDP attacks are not likely to happen via the Internet. If the internal network has any form of traffic monitoring, such an attempted attack will likely be caught. 2. Install the ACE/Server in a protected environment, such as a DMZ, to block unauthorized access. Patch and Recommendations As a SecurCare Online customer, your current maintenance agreements allows you to get the fix for this problem at no additional charge. Please note that the fix for this problem is both platform and ACE/Server version specific. In other words, be sure you install the correct version of this fix for your ACE/Server platform and version. If you're using ACE/Server v3.3 or v3.3.1, RSA Support recommends that you download and install patch 16 (3.3.16), which includes the fix for this problem. This patch is available at http://knowledge.rsasecurity.com/frameset_patches2.asp. If you are unable to install the 3.3.16 patch, RSA Support recommends that you install the hot-fix for this problem, which can be obtained at ftp://ftp.securid.com/support/outgoing/dos. The minimum recommended patch level for this hot-fix is patch 15 (3.3.15). If you're using ACE/Server v4.0 RSA Support recommends installing the hot-fix available at ftp://ftp.securid.com/support/outgoing/dos. The minimum recommended patch level for this hot-fix is patch 1 (4.0.1). If you're using ACE/Server v4.1 we recommend applying the hot-fix at ftp://ftp.securid.com/support/outgoing/dos.
Current thread:
- Re: RSA Aceserver UDP Flood Vulnerability Frank Darden (Jul 14)
- <Possible follow-ups>
- Re: RSA Aceserver UDP Flood Vulnerability JJ Gray (Jul 14)
- Re: RSA Aceserver UDP Flood Vulnerability Vin McLellan (Jul 14)
- Re: RSA Aceserver UDP Flood Vulnerability Vin McLellan (Jul 19)