Bugtraq mailing list archives

Re: RSA Aceserver UDP Flood Vulnerability


From: nexus () PATROL I-WAY CO UK (JJ Gray)
Date: Fri, 14 Jul 2000 22:49:47 +0100


Hi folks,

[snip]
It has been brought to RSA Security's attention that a possible UDP
flood vulnerability exists in the RSA ACE/Server R.
[snip]

The original post I made (I don't expect egotistical kudos or anything, but a
quick "cheers to" would have been nice in the bulletin ;-)) did indeed indicate
that RSA did not see this as an issue. That was an error on the part of some
section of the support organisation within RSA, and it should have been
escalated - seems I inadvertently discovered another problem, though procedural
in nature - I find it somewhat annoying that a public post was required for
this potential issue to be investigated. Apart from the obvious ethical and
professional reasons for contacting the vendor, I wanted to create full
reproducibility to ensure that it was not a factor of my environment - I hate
to cry "wolf!". Especially when I was dismissed as a result of this.

[snip]
The RSA Security Support Lab tested the potential vulnerability by
force-feeding servers with 1000 packets per second, without
reproducing a process crash. In these tests, the server rode out the
flood and recovered within minutes, without needing to be stopped
or rebooted.
[snip]

This may also be related to the scenario where there is a resource limitation
or shortfall on the ACE/Server itself, but I do not know for certain as no-one
has contacted me for any real technical information as regards my (former)
test lab, nor am I aware of the specs of the RSA test boxes.

[snip]
1. Placing an intrusion detection or traffic monitor on the LAN.
Most RSA ACE/Servers are on internal networks, behind firewalls.
[snip]

Sound and sensible advice for any critical network component; discounting for
the moment the percentage of attacks from authorised internal network users
and the 'spoofability' of UDP packets, especially since you don't care about a
reply reaching you, the box must be heavily locked down. Partial and general
hardening procedures are mentioned in the ACE/Server documentation, but they
are nowhere near what is really necessary for such a critical service.

Regards,
            JJ
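Added example, not part of JJ's post or of RSA's bulletin: the bulletin's first
mitigation is a traffic monitor or IDS on the LAN, and JJ's reply points out
that UDP floods can be sourced from spoofed addresses. The monitor below shows
what such a sensor would actually do with per-packet records. It counts UDP
packets towards the ACE/Server port in a sliding one-second window, alerts when
the rate passes a threshold (set here to the 1000 packets/second figure RSA
quoted), and reports how many distinct source addresses contributed, because a
window filled by hundreds of sources is consistent with spoofing and means
per-source blocking would not help. The record format, the port (UDP 5500 is
assumed to be the ACE/Server authentication port; the page does not state it),
the threshold and the sample traffic are all assumptions constructed for
illustration.

```python
"""Sliding-window UDP packet-rate monitor for ACE/Server traffic.

Added example, not code from the original post or from RSA.  Record format,
port, threshold and the sample traffic are assumptions for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

# Assumption: ACE/Server authentication listens on UDP 5500 (not on the page).
ACE_PORT = 5500
# Mirrors the 1000 packets/second rate RSA said its support lab tested with.
THRESHOLD_PPS = 1000
WINDOW_SECONDS = 1.0


def parse_record(line):
    """Parse an assumed 'YYYY-mm-dd HH:MM:SS.ffffff UDP src:port -> dst:port'
    record into (timestamp, src_ip, dst_ip, dst_port); None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "UDP" or parts[4] != "->":
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S.%f")
        src_ip, _ = parts[3].rsplit(":", 1)
        dst_ip, dst_port = parts[5].rsplit(":", 1)
        return ts, src_ip, dst_ip, int(dst_port)
    except ValueError:
        return None


def detect_udp_flood(lines, port=ACE_PORT, threshold=THRESHOLD_PPS,
                     window=WINDOW_SECONDS):
    """Return one alert per flood episode: a window holding more than
    `threshold` packets towards `port`.  An episode ends once the window
    count falls to half the threshold, so a sustained flood yields one
    alert rather than one per packet."""
    recent = deque()          # (timestamp, src_ip) for packets inside the window
    alerts = []
    in_flood = False
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec[3] != port:
            continue          # malformed record or traffic to some other port
        ts, src, dst, _ = rec
        recent.append((ts, src))
        while (ts - recent[0][0]).total_seconds() > window:
            recent.popleft()  # drop packets that have aged out of the window
        count = len(recent)
        if count > threshold and not in_flood:
            in_flood = True
            sources = {s for _, s in recent}
            alerts.append({
                "time": ts.isoformat(),
                "target": dst,
                "packets_in_window": count,
                "distinct_sources": len(sources),
                # Heuristic (assumption): more than a tenth of the window's
                # packets coming from different addresses suggests spoofed
                # sources, so blocking individual senders would be futile.
                "spoof_suspected": len(sources) > threshold // 10,
            })
        elif count <= threshold // 2:
            in_flood = False
    return alerts


def constructed_sample():
    """Constructed, not captured: five normal authentications two seconds
    apart, then 1200 packets in 0.6 s from 200 RFC 5737 test addresses, and
    one malformed line that the parser must skip."""
    base = datetime(2000, 7, 14, 22, 49, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S.%f} UDP 10.0.0.{10 + i}:32768 -> 10.0.0.2:5500")
    start = base + timedelta(seconds=20)
    for i in range(1200):
        t = start + timedelta(microseconds=500 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S.%f} UDP 192.0.2.{i % 200}:40000 -> 10.0.0.2:5500")
    lines.append("this line is malformed and is skipped")
    return lines


if __name__ == "__main__":
    for alert in detect_udp_flood(constructed_sample()):
        print(alert)
```

With the constructed sample the monitor raises a single alert at the 1001st
flood packet, reporting 200 distinct sources and flagging the episode as
probably spoofed; the five normal packets on their own produce nothing. A real
deployment would feed it records from the LAN sensor the bulletin recommends
and tune the threshold to the server's measured baseline rather than to RSA's
test figure.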

