{"vuid":"VU#150326","idnumber":"150326","name":"Internet Security Systems' BlackICE and RealSecure contain a heap overflow in the processing of SMB packets","keywords":["Internet Security Systems","BlackICE"],"overview":"Internet Security Systems' BlackICE and RealSecure intrusion detection products contain a remotely exploitable vulnerability. Exploitation of this vulnerability could lead to the compromise of the system with privileges of the vulnerable process, typically the \"SYSTEM\" user.","clean_desc":"Internet Security Systems (ISS) has two lines of intrusion detection and prevention products, BlackICE and RealSecure. A heap overflow vulnerability has been discovered in the code that processes Server Message Block (SMB) packets. Since all packets are processed by these products, this vulnerability can be exploited even when the utilities are set to their most restrictive settings. When these products receive an SMB packet, the packet is disassembled, processed and reassembled. The vulnerability occurs in the code that reassembles the SMB packet. eEye Digital Security has released an advisory and according to their advisory, this vulnerability can be remotely exploited via a single crafted SMB packet. According to eEye's advisory, the following products are affected: RealSecure Network 7.0, XPU 20.15 through 22.9\nReal Secure Server Sensor 7.0 XPU 20.16 through 22.9\nProventia A Series XPU 20.15 through 22.9\nProventia G Series XPU 22.3 through 22.9\nProventia M Series XPU 1.3 through 1.7\nRealSecure Desktop 7.0 eba through ebh\nRealSecure Desktop 3.6 ebr through ecb\nRealSecure Guard 3.6 ebr through ecb\nRealSecure Sentry 3.6 ebr through ecb\nBlackICE PC Protection 3.6 cbr through ccb\nBlackICE Server Protection 3.6 cbr through ccb ISS has also released an advisory about this issue, available at http://xforce.iss.net/xforce/alerts/id/165. Quoting from the ISS advisory: Externally facing networks that do not allow SMB connections are not vulnerable to attack. Furthermore, ISS has released the following updates to correct this problem RealSecure Network 7.0, XPU 22.10\nRealSecure Server Sensor 7.0, XPU 22.10\nProventia A Series, XPU 22.10\nProventia G Series, XPU 22.10\nProventia M Series, XPU 1.8\nRealSecure Desktop 7.0 ebj\nRealSecure Desktop 3.6 ecd\nRealSecure Guard 3.6 ecd\nRealSecure Sentry 3.6 ecd\nBlackICE PC Protection 3.6 ccd\nBlackICE Server Protection 3.6 ccd We encourage you to apply these updates as soon as practical.","impact":"Exploitation of this vulnerability could lead to the execution of arbitrary code on the system with privileges of the vulnerable process, typically the \"SYSTEM\" user on the windows platform.","resolution":"This vulnerability has been fixed in both the BlackICE and RealSecure releases. This vulnerability is resolved in BlackICE 3.6.ccd. BlackICE updates are available at http://blackice.iss.net/update_center/index.php. RealSecure updates are available at http://www.iss.net/download/.","workarounds":"Until a patch can be applied, blocking SMB traffic at your network perimeter may mitigate the risk this vulnerability presents. this may or may not be practical based on network configuration and requirements.","sysaffected":"","thanks":"Thanks to eEye Digital Security for reporting this vulnerability.","author":"This document was written by Jason A Rafail and Shawn Hernan based on information supplied by ISS and Eeye.","public":["http://www.eeye.com/html/Research/Advisories/AD20040226.html","http://www.eeye.com/html/Research/Upcoming/20040213.html","http://xforce.iss.net/xforce/alerts/id/165"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-02-16T16:16:04Z","publicdate":"2004-02-13T00:00:00Z","datefirstpublished":"2004-02-27T03:54:49Z","dateupdated":"2004-02-27T15:44:53Z","revision":25,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"12","cam_population":"6","cam_impact":"19","cam_easeofexploitation":"14","cam_attackeraccessrequired":"15","cam_scorecurrent":"12.119625","cam_scorecurrentwidelyknown":"14.364","cam_scorecurrentwidelyknownexploited":"23.3415","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":12.119625,"vulnote":null}