Multiple products from intrusion detection vendor Internet Security Systems (ISS) share an identical vulnerability that can allow the remote execution of arbitrary code. Network security vendor eEye, which found the flaws, recommends patching to fix the problem. Mitigation may also be possible.
The vulnerability exists in a component common to multiple products in the RealSecure and BlackICE product lines from ISS. The error occurs in the parsing routine of the Protocol Analysis Module (PAM), which is responsible for reassembling Server Message Block (SMB) packets after analysis. A remote attacker can send a specially crafted SMB packet with an overly long AccountName field that overwrites heap memory. This may permit execution of arbitrary code with system privileges. However, the attacker must establish a legitimate SMB session before launching an attack, which may reduce the risk. Since all packets must be processed, even the most restrictive program settings will not prevent the problem.
The vulnerability affects RealSecure Network 7.0, RealSecure Server Sensor 7.0, Proventia A Series, Proventia G Series, Proventia M Series, RealSecure Desktop, RealSecure Guard, RealSecure Sentry, BlackICE PC Protection and BlackICE Server Protection. ISS has issued patches. Mitigation is also possible by blocking SMB traffic at the perimeter.
eEye Digital Security took the controversial step of sending an advisory out on these vulnerabilities before a patch was available. The company says its goal is to make administrators aware of the existence of problems, while prodding software vendors to speed delivery of patches.
The statement comes after eEye remained mum for 200 days while waiting for Microsoft to release a patch last month for a critical vulnerability in its Windows software.