ISS RealSecure 3.2.x Fragmented SYN Packets DoS Vulnerability

Solution:
The official response from ISS on this issue is as follows:

We have currently identified and can confirm the
following based on exploit information in the security bulletin and what
we have received from Modulo and ISS research of the issues:

(1) A patch for Network Sensor 3.2.2 is available to
fix the Syn Flood issue. You must have an updated maintenance license
before downloading and installing this patch. Please read the release
notes first before installing. The patch can be downloaded at:

ftp://ftp.iss.net/private/support/patch/realsecure32/

(2) RealSecure 5.0 is not affected by the Syn Flood
issue brought up in the security bulletin,

(3) The command provided by Modulo produces a flood
of ipfrag events (thus throttling the console), but does not otherwise
affect the engine. RealSecure Network Sensor 5.0 contains a filter on the
ipfrag event which prevents it from being logged more than once per source
ip / destination ip pair.

Since RealSecure Network Sensor 3.2 supports the
advanced dialog through the console's policy editor, the ipfrag event can
be tweaked to also use these same filter settings, preventing the console
flood:
same_source_ip
same_destinaion_ip
protect_from_flood



 

Privacy Statement
Copyright 2010, SecurityFocus