CVE-2006-3840
CVSS5.0
Published: 2006-07-27 07:04:00
Revised: 2011-06-13 00:00:00
NMCOPS

[Original] The SMB Mailslot parsing functionality in PAM in multiple ISS products with XPU (24.39/1.78/epj/x.x.x.1780), including Proventia A, G, M, Server, and Desktop, BlackICE PC and Server Protection 3.6, and RealSecure 7.0, allows remote attackers to cause a denial of service (infinite loop) via a crafted SMB packet that is not properly handled by the SMB_Mailslot_Heap_Overflow decode.


[CNNVD] ISS RealSecure/BlackICE MailSlot Heap Overflow Detection Remote Denial of Service Vulnerability (CNNVD-200607-462)

ISS is an internationally known security vendor that offers a range of firewall and intrusion detection products.
ISS protection products contain a denial of service vulnerability in their detection of the SMB_MailSlot_Heap_Overflow (MS06-035/KB917159) vulnerability. A specially crafted attack packet can cause the detection code to enter an infinite loop, which may cause certain ISS protection products, or even the operating system, to stop responding. For BlackICE, for example, network connectivity on the host running BlackICE is interrupted and CPU utilization approaches 100%. Stopping the BlackICE engine does not restore normal operation; the operating system must be restarted.
An attacker needs to send only a single packet to trigger this vulnerability; a real SMB session does not need to be established.

- CVSS (Base Score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: NONE [no impact on the system's confidentiality]
Integrity impact: NONE [no impact on the system's integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CWE (Weakness Category)

CWE-399 [Resource Management Errors]

- CPE (Affected Platforms and Products)

cpe:/a:iss:proventia_desktop:8.0.812.1790  Internet Security Systems Proventia Desktop 8.0.812.1790
cpe:/a:iss:realsecure_network:7.0  Internet Security Systems RealSecure Network 7.0
cpe:/a:iss:blackice_server_protection:3.6cpk  Internet Security Systems BlackICE Server Protection 3.6cpk
cpe:/a:iss:realsecure_server_sensor:7.0  Internet Security Systems RealSecure Server Sensor 7.0
cpe:/a:iss:proventia_desktop:8.0.675.1790  Internet Security Systems Proventia Desktop 8.0.675.1790
cpe:/h:iss:proventia_m_series_xpu  Internet Security Systems Proventia M Series XPU
cpe:/h:iss:proventia_server:1.0.914.1880  Internet Security Systems Proventia Server 1.0.914.1880
cpe:/h:iss:proventia_g_series_xpu  Internet Security Systems Proventia G Series XPU
cpe:/a:iss:realsecure_desktop:7.0epk  Internet Security Systems RealSecure Desktop 7.0epk
cpe:/a:iss:blackice_pc_protection:3.6cpk  Internet Security Systems BlackICE PC Protection 3.6cpk
cpe:/h:iss:proventia_a_series_xpu  Internet Security Systems Proventia A Series XPU

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3840
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3840
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-462
(official data source) CNNVD

- Other Links and Resources

https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=3630
(UNKNOWN)  CONFIRM  https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=3630
http://xforce.iss.net/xforce/xfdb/27965
(UNKNOWN)  XF  pam-smb-mailslot-dos(27965)
http://xforce.iss.net/xforce/alerts/id/230
(VENDOR_ADVISORY)  ISS  20060726 Protocol Parsing Bug in SMB Mailslot Parsing in ISS Products
http://www.vupen.com/english/advisories/2006/2996
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2996
http://www.securityfocus.com/bid/19178
(UNKNOWN)  BID  19178
http://www.securityfocus.com/archive/1/archive/1/441278/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060727 NSFOCUS SA2006-07 : ISS RealSecure/BlackICE MailSlot Heap Overflow Detection Remote DoS Vulnerability
http://www.nsfocus.com/english/homepage/research/0607.htm
(UNKNOWN)  MISC  http://www.nsfocus.com/english/homepage/research/0607.htm
http://securitytracker.com/id?1016592
(UNKNOWN)  SECTRACK  1016592
http://securitytracker.com/id?1016591
(UNKNOWN)  SECTRACK  1016591
http://securitytracker.com/id?1016590
(UNKNOWN)  SECTRACK  1016590
http://secunia.com/advisories/21219
(VENDOR_ADVISORY)  SECUNIA  21219

- Vulnerability Information (CNNVD)

ISS RealSecure/BlackICE MailSlot Heap Overflow Detection Remote Denial of Service Vulnerability
Severity: Medium  Type: Buffer Overflow
Published: 2006-07-27 00:00:00  Updated: 2006-08-28 00:00:00
Remote

- Advisories and Patches

The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:
http://xforce.iss.net/xforce/alerts/id/230

- Vulnerability Information (F48652)

NSFOCUS Security Advisory 2006.7 (PacketStormID:F48652)
2006-07-28 00:00:00
NSFOCUS, Chen Qing  nsfocus.com
advisory,remote,denial of service,overflow
CVE-2006-3840

The NSFocus Security Team discovered a remote denial of service vulnerability in ISS RealSecure/BlackICE product lines' detection of the MailSlot Heap Overflow as discussed in MS06-035.

NSFOCUS Security Advisory (SA2006-07)

ISS RealSecure/BlackICE MailSlot Heap Overflow Detection Remote DoS Vulnerability

Release Date: 2006-07-27

CVE ID: CVE-2006-3840

http://www.nsfocus.com/english/homepage/research/0607.htm

Affected systems & software
===================

RealSecure Network Sensor 7.0
Proventia A Series
Proventia G Series
Proventia M Series
RealSecure Server Sensor 7.0
Proventia Server
RealSecure Desktop 7.0
Proventia Desktop
BlackICE PC Protection 3.6
BlackICE Server Protection 3.6

Unaffected systems & software
===================


Summary
=========

NSFocus Security Team discovered a remote DoS vulnerability in ISS RealSecure/
BlackICE product lines' detection of MailSlot Heap Overflow (MS06-035). By
sending a specific SMB MailSlot packet it is possible to cause a DoS in ISS
protection products.

Description
============

There is a DoS vulnerability in ISS protection products' detection of SMB_MailSlot_Heap_Overflow
(MS06-035/KB917159). By sending a specific SMB MailSlot packet it is possible
to cause an infinite loop in the detection code, and the ISS product
or even the operating system will stop responding. For example, for BlackICE
the vulnerability might cause the interruption of network traffic
and approximately 100% CPU utilization. Stopping the BlackICE engine will not restore
normal operation; instead, an OS restart is required.

This vulnerability can be triggered by a single packet. The establishment of
a real SMB session is not required.

Workaround
=============

Block ports TCP/445 and TCP/139 at the firewall.
    
Vendor Status
==============

2006.07.24  Informed the vendor
2006.07.25  Vendor confirmed the vulnerability
2006.07.26  ISS has released a security alert and related patches.
            
For more details about the security alert, please refer to:
http://xforce.iss.net/xforce/alerts/id/230

ISS has released the following XPUs to fix this vulnerability:

RealSecure Network 7.0, XPU 24.40
Proventia A Series, XPU 24.40
Proventia G Series, XPU 24.40/1.79
Proventia M Series, XPU 1.79
RealSecure Server Sensor 7.0, XPU 24.40
Proventia Server 1.0.914.1880
RealSecure Desktop 7.0 epk
Proventia Desktop 8.0.812.1790/8.0.675.1790
BlackICE PC Protection 3.6 cpk
BlackICE Server Protection 3.6 cpk

Additional Information
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-3840 to this issue. This is a candidate for inclusion in the 
CVE list (http://cve.mitre.org), which standardizes names for security problems.
Candidates may change significantly before they become official CVE entries.

Acknowledgment
===============

Chen Qing of NSFocus Security Team found the vulnerability.

DISCLAIMER
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA

    

- Vulnerability Information (OSVDB)

OSVDB ID: 27550
RealSecure/BlackICE MailSlot Overflow Detection Crafted Packet Remote DoS
Location: Remote / Network Access  Attack Type: Denial of Service, Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Vendor Verified

- Vulnerability Description

- Timeline

2006-07-26 2006-07-24
Unknown Unknown

- Solution

ISS has released a patch to address this vulnerability. Additionally, it is possible to temporarily work around the flaw by implementing the following workaround: Block ports TCP/445 and TCP/139 at the firewall.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information (SecurityFocus)

Internet Security Systems SMB Mailslot Parsing Denial of Service Vulnerability
Class: Design Error  Bugtraq ID: 19178
Remote: Yes  Local: No
Published: 2006-07-26 12:00:00  Updated: 2006-07-28 11:22:00
NSFOCUS Security Team is credited with the discovery of this vulnerability.

- Affected Program Versions

Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.9
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.8
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.7
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.6
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.5
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.4
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.3
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.2
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.12
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.11
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.10
Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.1
Internet Security Systems RealSecure Server Sensor 7.0 XPU 20.19
Internet Security Systems RealSecure Server Sensor 7.0 XPU 20.18
Internet Security Systems RealSecure Server Sensor 7.0 XPU 20.16
Internet Security Systems RealSecure Network Sensor 7.0 XPU 22.4
Internet Security Systems RealSecure Network Sensor 7.0 XPU 22.9
Internet Security Systems RealSecure Network Sensor 7.0 XPU 22.8
Internet Security Systems RealSecure Network Sensor 7.0 XPU 22.7
Internet Security Systems RealSecure Network Sensor 7.0 XPU 22.6
Internet Security Systems RealSecure Network Sensor 7.0 XPU 22.10
Internet Security Systems RealSecure Network Sensor 7.0 XPU 20.12
Internet Security Systems RealSecure Network Sensor 7.0 XPU 20.11
Internet Security Systems RealSecure Network Sensor 7.0
Internet Security Systems RealSecure Desktop 7.0 ebm
Internet Security Systems RealSecure Desktop 7.0 ebl
Internet Security Systems RealSecure Desktop 7.0 ebk
Internet Security Systems RealSecure Desktop 7.0 ebj
Internet Security Systems RealSecure Desktop 7.0 ebh
Internet Security Systems RealSecure Desktop 7.0 ebg
Internet Security Systems RealSecure Desktop 7.0 ebf
Internet Security Systems RealSecure Desktop 7.0 eba
Internet Security Systems Proventia M Series XPU 1.9
Internet Security Systems Proventia M Series XPU 1.8
Internet Security Systems Proventia M Series XPU 1.7
Internet Security Systems Proventia M Series XPU 1.6
Internet Security Systems Proventia M Series XPU 1.5
Internet Security Systems Proventia M Series XPU 1.4
Internet Security Systems Proventia M Series XPU 1.3
Internet Security Systems Proventia M Series XPU 1.2
Internet Security Systems Proventia M Series XPU 1.10
Internet Security Systems Proventia M Series XPU 1.1
Internet Security Systems Proventia G Series XPU 22.9
Internet Security Systems Proventia G Series XPU 22.8
Internet Security Systems Proventia G Series XPU 22.7
Internet Security Systems Proventia G Series XPU 22.6
Internet Security Systems Proventia G Series XPU 22.5
Internet Security Systems Proventia G Series XPU 22.4
Internet Security Systems Proventia G Series XPU 22.3
Internet Security Systems Proventia G Series XPU 22.2
Internet Security Systems Proventia G Series XPU 22.12
Internet Security Systems Proventia G Series XPU 22.11
Internet Security Systems Proventia G Series XPU 22.10
Internet Security Systems Proventia G Series XPU 22.1
Internet Security Systems Proventia A Series XPU 22.9
Internet Security Systems Proventia A Series XPU 22.10
Internet Security Systems Proventia A Series XPU 20.15
Internet Security Systems Proventia A Series XPU 20.14
Internet Security Systems Proventia A Series XPU 20.13
Internet Security Systems Proventia A Series XPU 20.12
Internet Security Systems Proventia A Series XPU 20.11
Internet Security Systems Proventia A Series XPU 22.8
Internet Security Systems Proventia A Series XPU 22.7
Internet Security Systems Proventia A Series XPU 22.6
Internet Security Systems Proventia A Series XPU 22.5
Internet Security Systems Proventia A Series XPU 22.4
Internet Security Systems Proventia A Series XPU 22.3
Internet Security Systems Proventia A Series XPU 22.2
Internet Security Systems Proventia A Series XPU 22.1
Internet Security Systems BlackIce Server Protection 3.6 coq
Internet Security Systems BlackIce Server Protection 3.6 cop
Internet Security Systems BlackIce Server Protection 3.6 coo
Internet Security Systems BlackIce Server Protection 3.6 con
Internet Security Systems BlackIce Server Protection 3.6 com
Internet Security Systems BlackIce Server Protection 3.6 col
Internet Security Systems BlackIce Server Protection 3.6 cok
Internet Security Systems BlackIce Server Protection 3.6 coj
Internet Security Systems BlackIce Server Protection 3.6 coi
Internet Security Systems BlackIce Server Protection 3.6 coh
Internet Security Systems BlackIce Server Protection 3.6 cog
Internet Security Systems BlackIce Server Protection 3.6 cof
Internet Security Systems BlackIce Server Protection 3.6 coe
Internet Security Systems BlackIce Server Protection 3.6 cod
Internet Security Systems BlackIce Server Protection 3.6 coc
Internet Security Systems BlackIce Server Protection 3.6 cob
Internet Security Systems BlackIce Server Protection 3.6 coa
Internet Security Systems BlackIce Server Protection 3.6 cch
Internet Security Systems BlackIce Server Protection 3.6 ccg
Internet Security Systems BlackIce Server Protection 3.6 ccf
Internet Security Systems BlackIce Server Protection 3.6 cce
Internet Security Systems BlackIce Server Protection 3.6 ccd
Internet Security Systems BlackIce Server Protection 3.6 ccc
Internet Security Systems BlackIce Server Protection 3.6 ccb
Internet Security Systems BlackIce Server Protection 3.6 cca
Internet Security Systems BlackIce Server Protection 3.6 cbz
Internet Security Systems BlackIce Server Protection 3.6 cbr
Internet Security Systems BlackIce Server Protection 3.6 .cno
Internet Security Systems BlackICE PC Protection 3.6 cch
Internet Security Systems BlackICE PC Protection 3.6 ccg
Internet Security Systems BlackICE PC Protection 3.6 ccf
Internet Security Systems BlackICE PC Protection 3.6 cce
Internet Security Systems BlackICE PC Protection 3.6 ccd
Internet Security Systems BlackICE PC Protection 3.6 ccc
Internet Security Systems BlackICE PC Protection 3.6 ccb
Internet Security Systems BlackICE PC Protection 3.6 cca
Internet Security Systems BlackICE PC Protection 3.6 cbz
Internet Security Systems BlackICE PC Protection 3.6 cbr
Internet Security Systems BlackICE PC Protection 3.6 cbd
Internet Security Systems BlackICE PC Protection 3.6 .cno
Internet Security Systems BlackICE PC Protection 3.6 .cbz

- Vulnerability Discussion

The Internet Security Systems implementation of SMB/TCP Mailslot is prone to a denial-of-service vulnerability. This issue is due to a design error when dealing with certain legitimate SMB Mailslot traffic.

An attacker can exploit this issue to crash the affected service, effectively denying service to legitimate users.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

The vendor has released a patch to address this issue.

Please see the referenced advisories for more information.

- References

 

 
