Internet Security Systems (ISS) RealSecure Is Vulnerable to a Certain Denial of Service Attack
SecurityTracker Alert ID: 1001098|
SecurityTracker URL: http://securitytracker.com/id/1001098
(Links to External Site)
Date: Mar 15 2001
Denial of service via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): v5.0 for Windows NT and Windows 2000; Solaris is not affected|
Internet Security Systems (ISS) issued a security alert for a vulnerability in their RealSecure network intrusion detection product that can result in denial of service by effectively disconnecting the Network Sensor from the Network Console.|
ISS reports of an attack tool called "Stick" that can be used to launch a stress test against many popular intrusion detection systems inorder to reduce performance and cause denial of service.
ISS confirms that the Windows NT and Windows 2000 versions of RealSecure Network Sensor 5.0 are vulnerable to "Stick" based attacks. During an attack on a RealSecure product, the event channel becomes congested, requiring the Network Sensor to be manually reconnected to restore normal operation. However, neither the Network Sensor nor the Network Console will crash.
RealSecure for the Solaris platform is not vulnerable.
A remote user can disrupt normal intrusion detection operations by effectively disconnecting the Network Sensor from the Network Console. The Network Sensor must be manually reconnected to the Network Console to restore normal operation.|
The vendor has developed two fixes. The first was part of Service Release 1.1 for RealSecure Network Sensor. The second will be included in X-Press Update MU 2.2, available on March 15, 2001.|
Vendor URL: www.iss.net (Links to External Site)
Exception handling error, State error|
Source Message Contents
Subject: ISSalert: ISS Security Alert: "Stick"- A Potential Denial of Service Against IDS Systems|
TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
firstname.lastname@example.org Contact email@example.com for help with any problems!
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Alert
March 14, 2001
"Stick"- A Potential Denial of Service Against IDS Systems
ISS X-Force has been researching a new attack tool that can be used to
launch a stress test against many popular intrusion detection systems (IDS).
The new tool, dubbed "Stick" by its creators, has been reported to reduce
performance, and/or deny service to many commercial IDS products. Stick has
been reported to direct thousands of overt attacks at IDS systems. The
additional processing required by IDS systems to handle the new load causes
a Denial of Service (DoS) to manifest.
Stick does not employ any new methods, nor does it expose any new flaws in
signature-based IDS. Stick uses the very straightforward technique of firing
numerous attacks at random from random source IP addresses to purposely
trigger IDS events. The IDS system will attempt to keep up with the new
flood of events, but if incoming events cross the IDS detection threshold, a
DoS might result. The effectiveness of the Stick attack is a function of the
attacker's available bandwidth. Stick is essentially a flooding tool, so if
a large bandwidth link is available to the attacker, he or she may be more
successful. At the time of publication of this Alert, the Stick tool has not
been made public. Refer to the following URL for more information about the
ISS X-Force verified the existence of the vulnerability in the Windows NT
and Windows 2000 versions of RealSecure Network Sensor 5.0. On both Windows
platforms, the event channel becomes congested during the duration of the
attack. The Network Sensor must be manually reconnected to restore normal
operation. At no point does the Network Sensor or Network Console crash.
RealSecure running on the Solaris platform does not exhibit any event
channel problems during the attack or after the attack is suspended. No
reconnection is required.
ISS X-Force has developed two fixes for RealSecure Network Sensor that will
limit the risk of a Stick attack. The first fix was part of Service Release
1.1 for RealSecure Network Sensor. The second fix will be included in
X-Press Update MU 2.2, available on March 15, 2001. X-Press Update MU 2.2
will also include 28 new signatures and can be accessed through the Internet
Security Systems Web site at: <http://www.iss.net/eval/eval.php>.
About Internet Security Systems (ISS)
Internet Security Systems is the leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed security
services, and strategic consulting and education offerings, ISS is a trusted
security provider to more than 8,000 customers worldwide including 21 of the
25 largest U.S. commercial banks and the top 10 U.S. telecommunications
companies. Founded in 1994, ISS is headquartered in Atlanta, GA, with
additional offices throughout North America and international operations in
Asia, Australia, Europe, Latin America and the Middle East. For more
information, visit the Internet Security Systems web site at www.iss.net or
Copyright (c) 2001 Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail firstname.lastname@example.org
<mailto:email@example.com> for permission.
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: <http://xforce.iss.net/sensitive.php> as well
as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force firstname.lastname@example.org
<mailto:email@example.com> of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Go to the Top of This SecurityTracker Archive Page