OS Attack: Microsoft Windows SMB Remote Code Execution 6

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit a vulnerability in the ISS Protocol Analysis Module.

Additional Information

The Internet Security Systems (ISS) Protocol Analysis Module is prone to a remotely exploitable heap overrun vulnerability. This module is used to parse network protocols and is included in a number of products provided by ISS, including various RealSecure and BlackICE releases.

The following software is affected by this issue:

  • RealSecure Network 7.0, XPU versions 20.15 through 22.9
  • RealSecure Server Sensor 7.0 XPU versions 20.16 through 22.9
  • Proventia A Series XPU versions 20.15 through 22.9
  • Proventia G Series XPU versions 22.3 through 22.9
  • Proventia M Series XPU versions 1.3 through 1.7
  • RealSecure Desktop 7.0 versions eba through ebh
  • RealSecure Desktop 3.6 versions ebr through ecb
  • RealSecure Guard 3.6 versions ebr through ecb
  • RealSecure Sentry 3.6 versions ebr through ecb
  • BlackICE PC Protection 3.6 versions cbr through ccb
  • BlackICE Server Protection 3.6 versions cbr through ccb

The issue exists in the SMB parsing routines provided by the module. In particular, there is insufficient bounds checking of data supplied in SMB "Setup AndX" requests. The issue may be triggered during authentication by sending such a request with an AccountName parameter string of 300 bytes or more in length. This may reportedly be exploited without needing to pass the negotiation phase of the protocol.

This issue could be exploited to execute arbitrary code on systems hosting the vulnerable software, potentially resulting in system compromise.
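
As an added example (not Symantec's signature logic and not ISS code), the following C sketch measures the AccountName field of a Session Setup AndX request with every read bounds-checked, and flags lengths of 300 bytes or more. It assumes the 13-word NT LM 0.12 request layout with single-byte (OEM) strings; the function names and the constructed sample packet are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SMB_COM_SESSION_SETUP_ANDX 0x73
#define DATA_OFFSET 61          /* 32-byte header + WordCount + 13 words + ByteCount */
#define ACCOUNT_NAME_LIMIT 300  /* length cited in the advisory text */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Length of AccountName in bytes, or -1 if the packet is not a well-formed
 * request of the assumed variant. Never reads outside buf[0..len). */
long account_name_len(const uint8_t *buf, size_t len)
{
    if (len < DATA_OFFSET) return -1;
    if (memcmp(buf, "\xffSMB", 4) != 0 || buf[4] != SMB_COM_SESSION_SETUP_ANDX) return -1;
    if (buf[32] != 13) return -1;                        /* WordCount (assumed variant) */
    size_t pw = (size_t)le16(buf + 47) + le16(buf + 49); /* both password lengths */
    size_t bytecount = le16(buf + 59);
    if (bytecount > len - DATA_OFFSET || pw > bytecount) return -1;
    const uint8_t *name = buf + DATA_OFFSET + pw;        /* AccountName follows passwords */
    size_t avail = bytecount - pw;
    const uint8_t *nul = memchr(name, 0, avail);
    return nul ? (long)(nul - name) : (long)avail;       /* unterminated: runs to end */
}

/* Non-zero when the request carries an AccountName at or above the limit. */
int is_oversized_account_name(const uint8_t *buf, size_t len)
{
    return account_name_len(buf, len) >= ACCOUNT_NAME_LIMIT;
}

/* Constructed sample: minimal request carrying an n-byte AccountName. */
size_t build_sample(uint8_t *out, size_t cap, size_t n)
{
    size_t total = DATA_OFFSET + n + 1;
    if (total > cap || n + 1 > 0xffff) return 0;
    memset(out, 0, total);
    memcpy(out, "\xffSMB", 4);
    out[4] = SMB_COM_SESSION_SETUP_ANDX;
    out[32] = 13;
    out[33] = 0xff;                                      /* AndXCommand: none */
    out[59] = (uint8_t)((n + 1) & 0xff);                 /* ByteCount, little-endian */
    out[60] = (uint8_t)((n + 1) >> 8);
    memset(out + DATA_OFFSET, 'A', n);                   /* name, then the NUL from memset */
    return total;
}
```

A parser that copies the name into a fixed buffer would compare the returned length against the destination size before copying, and reject the request on -1.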

Affected

  • Internet Security Systems BlackICE PC Protection 3.6.cbz, 3.6 cbr, 3.6 ccb
  • Internet Security Systems BlackIce Server Protection 3.6 cbr, 3.6 cbz, 3.6 ccb
  • Internet Security Systems Proventia A Series XPU 20.15, XPU 22.9
  • Internet Security Systems Proventia G Series XPU 22.3, XPU 22.9
  • Internet Security Systems Proventia M Series XPU 1.3, XPU 1.7
  • Internet Security Systems RealSecure Desktop 3.6 ebr, 3.6 eca, 3.6 ecb, 7.0 eba, 7.0 ebg, 7.0 ebh
  • Internet Security Systems RealSecure Guard 3.6 ebr, 3.6 ecb
  • Internet Security Systems RealSecure Network Sensor 7.0 XPU 20.11, 7.0 XPU 22.9
  • Internet Security Systems RealSecure Sentry 3.6 ebr, 3.6 ecb
  • Internet Security Systems RealSecure Server Sensor 7.0 XPU 20.16, 7.0 XPU 20.18, 7.0 XPU 20.19, 7.0 XPU 22.9