Category: Application (Security) > Enterprise Security Analyzer
Vendors: eIQnetworks, Inc.
eIQnetworks Enterprise Security Analyzer Buffer Overflows Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1016580
SecurityTracker URL: http://securitytracker.com/id/1016580
CVE Reference: CVE-2006-3838
Date: Jul 26 2006
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2.5.0
Description: Several vulnerabilities were reported in eIQnetworks Enterprise Security Analyzer. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted data to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service. Several components are affected.

The 'syslogserver.exe' process running on TCP port 10617 is vulnerable. UDP is not affected. The TCP configuration is not enabled by default. Long strings can trigger the overflow.

The 'monitoring.exe' process running on TCP port 9999 is affected.

The 'topology.exe' process running on TCP port 10628 is affected. Long prefixes to the GUIADDDEVICE, ADDDEVICE, or DELETEDEVICE commands can trigger the overflow.

The 'EnterpriseSecurityAnalyzer.exe' process running on TCP port 10616 is affected. Long arguments to the LICMGR_ADDLICENSE command can trigger the overflow.

The following OEM products are also affected:

Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

The vendor was notified on May 10, 2006.

Titon, JxT, KF, and the rest of Bastard Labs and Cody Pierce of TippingPoint Security Research Team discovered these vulnerabilities.

The original advisories are available at:

http://www.zerodayinitiative.com/advisories/TSRT-06-03.html
http://www.zerodayinitiative.com/advisories/TSRT-06-04.html
http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
http://www.zerodayinitiative.com/advisories/ZDI-06-024.html

Impact: A remote user can execute arbitrary code on the target system.
Solution: The vendor has issued a fixed version (2.5.0).

The vendor's advisory is available at:

http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

Vendor URL: www.eiqnetworks.com/products/EnterpriseSecurityAnalyzer.shtml
Cause: Boundary error
Underlying OS: Windows (2000), Windows (2003)

Message History: This archive entry has one or more follow-up message(s) listed below.
Jul 31 2006 (FortiNet Issues Fix for FortiReporter) eIQnetworks Enterprise Security Analyzer Buffer Overflows Let Remote Users Execute Arbitrary Code
FortiNet has issued a fix for FortiReporter, which is affected by this vulnerability.

Source Message Contents

Date:  Tue, 25 Jul 2006 16:26:58 -0700
Subject:  [Full-disclosure] TSRT-06-03: eIQnetworks Enterprise Security

TSRT-06-03: eIQnetworks Enterprise Security Analyzer Syslog Server
            Buffer Overflow Vulnerabilities

http://www.zerodayinitiative.com/advisories/TSRT-06-03.html
July 25, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since July 24, 2006 by Digital Vaccine protection
filter ID 4319. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of eIQnetworks Enterprise Security Analyzer.
Authentication is not required to exploit this vulnerability.

The flaw specifically exists within the Syslog daemon,
syslogserver.exe, during the processing of long arguments passed
through various commands on TCP port 10617. The following commands are
known to be affected:

    DELTAINTERVAL
    LOGFOLDER
    DELETELOGS
    FWASERVER
    SYSLOGPUBLICIP
    GETFWAIMPORTLOG
    GETFWADELTA
    DELETERDEPDEVICE
    COMPRESSRAWLOGFILE
    GETSYSLOGFIREWALLS
    ADDPOLICY
    EDITPOLICY

The majority of the above cases result in a stack overflow and are
trivial to exploit.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More
details can be found at:

    http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.24 - Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security
Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:

    http://www.tippingpoint.com/security
 
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service.

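The overflow triggers described in the SecurityTracker summary (long arguments or prefixes to the named commands on TCP ports 10617, 10628 and 10616) and the TSRT command list above, turned into a defender-side detection heuristic. This is an added example, not code from SecurityTracker, eIQnetworks or TippingPoint; it assumes each message is ASCII text containing the command keyword, uses an assumed 256-byte length limit, and looks at TCP only because the page states UDP syslog is unaffected.

```python
# Added example, not code from SecurityTracker, eIQnetworks or TippingPoint:
# flags oversized prefixes/arguments around the command keywords the advisory
# names. The wire format is not on the page, so "ASCII text containing the
# keyword" and the 256-byte limit are assumptions a deployment must revisit.
from typing import Iterable, List, Optional, Tuple

# TCP port -> (process, commands named in the advisory). monitoring.exe
# (tcp/9999) is listed as affected but names no command, so it is left out.
AFFECTED = {
    10617: ("syslogserver.exe", (
        "DELTAINTERVAL", "LOGFOLDER", "DELETELOGS", "FWASERVER",
        "SYSLOGPUBLICIP", "GETFWAIMPORTLOG", "GETFWADELTA",
        "DELETERDEPDEVICE", "COMPRESSRAWLOGFILE", "GETSYSLOGFIREWALLS",
        "ADDPOLICY", "EDITPOLICY")),
    10628: ("topology.exe", ("GUIADDDEVICE", "ADDDEVICE", "DELETEDEVICE")),
    10616: ("EnterpriseSecurityAnalyzer.exe", ("LICMGR_ADDLICENSE",)),
}
MAX_LEN = 256  # assumed threshold; the advisory only says "long"

def inspect_message(tcp_dst_port: int, payload: bytes) -> Optional[str]:
    """Alert string if an affected command on an affected TCP port carries a
    prefix or argument longer than MAX_LEN, else None."""
    if tcp_dst_port not in AFFECTED:
        return None
    process, commands = AFFECTED[tcp_dst_port]
    text = payload.decode("ascii", errors="replace")
    # Longest keyword first so ADDDEVICE cannot shadow GUIADDDEVICE.
    for cmd in sorted(commands, key=len, reverse=True):
        idx = text.upper().find(cmd)
        if idx < 0:
            continue
        prefix_len = len(text[:idx].strip())          # chars before keyword
        arg_len = len(text[idx + len(cmd):].strip())  # chars after keyword
        if prefix_len > MAX_LEN or arg_len > MAX_LEN:
            return (f"{process} tcp/{tcp_dst_port}: {cmd} prefix={prefix_len}"
                    f" arg={arg_len} exceeds {MAX_LEN}")
        return None
    return None

def scan(messages: Iterable[Tuple[int, bytes]]) -> List[str]:
    """Run inspect_message over (port, payload) pairs and collect the alerts."""
    return [a for a in (inspect_message(p, d) for p, d in messages) if a]

# Constructed sample traffic, not captured from any real system.
SAMPLE = [
    (10617, b"DELTAINTERVAL 30"),                    # benign
    (10617, b"LOGFOLDER " + b"A" * 600),             # long argument
    (10628, b"X" * 1024 + b"ADDDEVICE 192.0.2.10"),  # long prefix
    (10616, b"LICMGR_ADDLICENSE " + b"B" * 2048),    # long argument
]
```

Feed `scan()` reassembled TCP payloads from a capture or IDS tap; a hit is a reason to check the host is on 2.5.0 or later, not proof of exploitation.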