   VULNERABILITY NOTES

CERT-In Vulnerability Note CIVN-2004-04
ISS ICQ Parser Protocol Analysis Module contains a remotely-exploitable vulnerability

Original Issue Date: March 22, 2004

Severity: High

Systems Affected

  • RealSecure® Network 7.0, XPU 22.11 and earlier
  • RealSecure Server Sensor 7.0 XPU 22.11 and earlier
  • RealSecure Server Sensor 6.5 for Windows SR 3.10 and earlier
  • Proventia™ A Series XPU 22.11 and earlier
  • Proventia G Series XPU 22.11 and earlier
  • Proventia M Series XPU 1.9 and earlier
  • RealSecure Desktop 7.0 ebl and earlier
  • RealSecure Desktop 3.6 ecf and earlier
  • RealSecure Guard 3.6 ecf and earlier
  • RealSecure Sentry 3.6 ecf and earlier
  • BlackICE™ Agent for Server 3.6 ecf and earlier
  • BlackICE PC Protection 3.6 ccf and earlier
  • BlackICE Server Protection 3.6 ccf and earlier

Overview

A vulnerability has been discovered in the handling of the ICQ instant messaging protocol by the Protocol Analysis Module component used in current ISS host, server, and network protection software and devices. This remotely exploitable vulnerability exists in ISS BlackICE, RealSecure and Proventia products.

Description

A routine within the Protocol Analysis Module (PAM) that monitors ICQ server responses contains a series of stack-based buffer overflow vulnerabilities. If the source port of an incoming UDP packet is 4000, it is assumed to be an ICQ v5 server response. This vulnerability can be exploited via a single UDP packet with a source port of 4000. It may be possible for a remote attacker to cause memory corruption with the potential for remote exploitation.

Workaround

Blocking packets with a source port of 4000/UDP at the firewall may mitigate this vulnerability from attacks originating outside of the network.
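
The workaround's match condition, written out as an added Python example (not part of the CERT-In note or of any ISS product): it classifies raw IPv4 packets and flags those that are UDP with source port 4000 arriving from outside the internal network. The function names, the 10.0.0.0/8 internal range and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

ICQ_V5_SERVER_PORT = 4000   # source port the note says is assumed to be an ICQ v5 server response
UDP_PROTO = 17

def should_drop(packet: bytes, internal_net: str = "10.0.0.0/8") -> bool:
    """True if a raw IPv4 packet is UDP, source port 4000, from outside internal_net."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # not IPv4; left to other rules
    ihl = (packet[0] & 0x0F) * 4          # header length varies when IP options are present
    if ihl < 20 or packet[9] != UDP_PROTO:
        return False
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return False                      # non-first fragment: no UDP header to inspect
    if len(packet) < ihl + 8:
        return False                      # truncated before the UDP header ends
    if ipaddress.IPv4Address(packet[12:16]) in ipaddress.ip_network(internal_net):
        return False                      # workaround targets traffic from outside the network
    return struct.unpack("!H", packet[ihl:ihl + 2])[0] == ICQ_V5_SERVER_PORT

def build_ipv4_udp(src, dst, sport, dport, payload=b"", options=b""):
    """Constructed test packet (checksums left at zero); options must be a multiple of 4 bytes."""
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64,
                     UDP_PROTO, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + options + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

if __name__ == "__main__":
    # Constructed samples: 192.0.2.0/24 is a documentation range standing in for "outside".
    samples = {
        "external, sport 4000": build_ipv4_udp("192.0.2.10", "10.1.2.3", 4000, 1025, b"x"),
        "external, sport 4000, IP options": build_ipv4_udp(
            "192.0.2.10", "10.1.2.3", 4000, 1025, b"x", options=b"\x01\x01\x01\x00"),
        "external, sport 53": build_ipv4_udp("192.0.2.10", "10.1.2.3", 53, 1025, b"x"),
        "internal, sport 4000": build_ipv4_udp("10.9.9.9", "10.1.2.3", 4000, 1025, b"x"),
    }
    for name, pkt in samples.items():
        print(f"{name}: {'DROP' if should_drop(pkt) else 'pass'}")
```

A stateless match like this cannot see the source port in non-first IP fragments, so a perimeter device applying the workaround should reassemble fragments before filtering.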

Solution

ISS has released updates which contain a fix for this issue.

Updates are available from the ISS Download Center:
http://www.iss.net/download/

Vendor Information

ISS
http://xforce.iss.net/xforce/alerts/id/166

References

eEye Digital Security
http://www.eeye.com/html/Research/Upcoming/20040308.html
http://www.eeye.com/html/Research/Advisories/AD20040318.html

US-CERT Vulnerability Note VU#947254
http://www.kb.cert.org/vuls/id/947254

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003