             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

     eIQnetworks Enterprise Security Analyzer Syslog Server Buffer Overflow
                    [US-CERT Vulnerability Note VU#513068]

January 19, 2007 18:00 GMT                                        Number R-110
______________________________________________________________________________
PROBLEM:       The eIQnetworks Enterprise Security Analyzer (ESA) Syslog
               server contains a buffer overflow vulnerability.
PLATFORM:      OEM versions of ESA, including Astaro Report Manager,
               Fortinet FortiReporter, iPolicy Security Reporter, SanMina
               Viking Multi-Log Manager, Secure Computing G2 Security
               Reporter, and Top Layer Network Security Analyzer.
               (Note that the vendor table in the US-CERT note below records
               iPolicy Networks as Not Vulnerable as of 16-Aug-2006.)
DAMAGE:        May allow a remote, unauthenticated attacker to execute
               arbitrary code on a vulnerable system.
SOLUTION:      Upgrade to version 4.5.4 or later.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. May allow a remote, unauthenticated
ASSESSMENT:    attacker to execute arbitrary code on a vulnerable system.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-110.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/513068
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3838
______________________________________________________________________________

[***** Start US-CERT Vulnerability Note VU#513068 *****]

Vulnerability Note VU#513068

eIQnetworks Enterprise Security Analyzer Syslog server buffer overflow

Overview

The eIQnetworks Enterprise Security Analyzer Syslog server contains a buffer
overflow vulnerability, which may allow a remote, unauthenticated attacker to
execute arbitrary code on a vulnerable system.

I. Description

Enterprise Security Analyzer

eIQnetworks Enterprise Security Analyzer (ESA) "... provides essential
real-time security intelligence to help decipher hacker/virus behavior, combat
security threats and meet regulatory compliance requirements across the entire
IT infrastructure - network devices and hosts."

ESA is also provided on an OEM basis as Astaro Report Manager, Fortinet
FortiReporter, iPolicy Security Reporter, SanMina Viking Multi-Log Manager,
Secure Computing G2 Security Reporter, and Top Layer Network Security Analyzer.

ESA Syslog server

The ESA Syslog server is provided by the SyslogServer.exe executable. This
server collects log data from managed machines and listens on 10617/tcp.

The problem

The ESA Syslog server contains a buffer overflow vulnerability.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on a
system running the vulnerable Syslog component.

III. Solution

Apply an update

This vulnerability is addressed in eIQnetworks ESA 2.5.0. OEM versions of
ESA, including Astaro Report Manager, Fortinet FortiReporter, iPolicy Security
Reporter, SanMina Viking Multi-Log Manager, Secure Computing G2 Security
Reporter, and Top Layer Network Security Analyzer, should be updated to
version 4.5.4 or later.

Restrict access

You may wish to block access to the vulnerable software from outside your
network perimeter, specifically by blocking access to the ports used by the
eIQnetworks ESA Syslog server (typically 10617/tcp). This will limit your
exposure to attacks. However, blocking at the network perimeter would still
allow attackers within the perimeter of your network to exploit the
vulnerability, since the service requires no authentication. The use of
host-based firewalls in addition to network-based firewalls can help restrict
access to specific hosts within the network. It is important to understand
your network's configuration and service requirements before deciding what
changes are appropriate.
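The following script is an added example, not code from CIAC, US-CERT or eIQnetworks. It shows one way to verify the "Restrict access" mitigation above: it reads firewall connection records and reports which hosts reached, or tried to reach, the ESA Syslog port, split by whether the source lies inside or outside the perimeter. The internal address ranges, the log line format and the sample log lines are all assumptions constructed for the example; the only value taken from the advisory is the port, 10617/tcp.

```python
"""Audit firewall connection logs for exposure of the ESA Syslog server port.

Added example, not code from CIAC, US-CERT or eIQnetworks.  The internal
networks, the log format and SAMPLE_LOG are constructed for this example;
10617/tcp is the port the advisory names ("typically 10617/tcp").
"""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Optional

ESA_SYSLOG_PORT = 10617  # port the advisory says SyslogServer.exe listens on

# Assumed: address ranges that count as "inside the perimeter" for this audit.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed firewall log format (constructed for this example):
#   <timestamp> <ACCEPT|DROP> src=<ipv4>:<port> dst=<ipv4>:<port> proto=<tcp|udp>
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOG_RE = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
    rf"src=(?P<src>{_IPV4}):(?P<sport>\d+)\s+"
    rf"dst=(?P<dst>{_IPV4}):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Connection:
    ts: str
    action: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_line(line: str) -> Optional[Connection]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Connection(
        ts=m["ts"],
        action=m["action"],
        src=ipaddress.ip_address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]),
        dport=int(m["dport"]),
        proto=m["proto"].lower(),
    )


def is_internal(addr: ipaddress.IPv4Address, networks=INTERNAL_NETWORKS) -> bool:
    return any(addr in net for net in networks)


def classify(conn: Connection, port: int = ESA_SYSLOG_PORT) -> Optional[str]:
    """Verdict for one record, or None if it is not TCP traffic to the ESA port.

    EXTERNAL-ACCEPTED: an outside host got through to the port (the exposure
                       the perimeter block is meant to close).
    EXTERNAL-BLOCKED:  an outside host tried and was dropped.
    INTERNAL:          an inside host reached the port; still worth review,
                       since the service is unauthenticated and the advisory
                       points to host-based firewalls for this case.
    """
    if conn.proto != "tcp" or conn.dport != port:
        return None
    if is_internal(conn.src):
        return "INTERNAL"
    return "EXTERNAL-ACCEPTED" if conn.action == "ACCEPT" else "EXTERNAL-BLOCKED"


def audit(lines, port: int = ESA_SYSLOG_PORT) -> dict:
    """Group records aimed at the ESA port by verdict; unparseable lines are skipped."""
    report = {"EXTERNAL-ACCEPTED": [], "EXTERNAL-BLOCKED": [], "INTERNAL": []}
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        verdict = classify(conn, port)
        if verdict is not None:
            report[verdict].append(conn)
    return report


def port_reachable(host: str, port: int = ESA_SYSLOG_PORT, timeout: float = 2.0) -> bool:
    """Live check, to be run from a vantage point outside the perimeter against
    a host that should not expose the port.  True means the TCP handshake completed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


# Constructed sample log (not real traffic): one internal client, one external
# client that got through, one external client that was dropped, one unrelated
# UDP 514 syslog record, and one malformed line.
SAMPLE_LOG = """\
2007-01-19T17:55:01Z ACCEPT src=10.20.30.40:51234 dst=10.1.1.5:10617 proto=tcp
2007-01-19T17:55:07Z ACCEPT src=203.0.113.9:40001 dst=10.1.1.5:10617 proto=tcp
2007-01-19T17:55:09Z DROP src=198.51.100.77:40002 dst=10.1.1.5:10617 proto=tcp
2007-01-19T17:55:11Z ACCEPT src=203.0.113.9:40003 dst=10.1.1.5:514 proto=udp
this line is not in the expected format
""".splitlines()


if __name__ == "__main__":
    for verdict, conns in audit(SAMPLE_LOG).items():
        print(f"{verdict}: {len(conns)}")
        for c in conns:
            print(f"  {c.ts} {c.src}:{c.sport} -> {c.dst}:{c.dport} ({c.action})")
```

On the constructed sample the audit reports one EXTERNAL-ACCEPTED record (203.0.113.9, the case the perimeter rule should have stopped), one EXTERNAL-BLOCKED and one INTERNAL; the UDP 514 record and the malformed line are ignored. Adjust INTERNAL_NETWORKS and LOG_RE to the real perimeter and firewall format before relying on the verdicts, and treat the INTERNAL list as the population that host-based firewall rules on the ESA server still need to cover.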
Systems Affected

Vendor                                       Status          Date Updated
Astaro                                       Vulnerable      1-Aug-2006
eIQnetworks                                  Vulnerable      1-Aug-2006
Fortinet, Inc.                               Vulnerable      1-Aug-2006
iPolicy Networks                             Not Vulnerable  16-Aug-2006
Secure Computing Network Security Division   Vulnerable      1-Aug-2006
Top Layer Networks, Inc.                     Vulnerable      1-Aug-2006
Viking InterWorks                            Vulnerable      1-Aug-2006

References

 http://www.eiqnetworks.com/support/Security_Advisory.pdf
 http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf
 http://www.zerodayinitiative.com/advisories/TSRT-06-03.html
 http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
 http://secunia.com/advisories/21211/
 http://secunia.com/advisories/21213/
 http://secunia.com/advisories/21214/
 http://secunia.com/advisories/21215/
 http://secunia.com/advisories/21217/
 http://www.auscert.org.au/6544

Credit

This vulnerability was disclosed by TippingPoint, who in turn credit Cody
Pierce.

This document was written by Will Dormann.

Other Information

Date Public            07/26/2006
Date First Published   01/18/2007 01:58:06 PM
Date Last Updated      01/18/2007
CERT Advisory
CVE Name               CVE-2006-3838
Metric                 34.79
Document Revision      13

[***** End US-CERT Vulnerability Note VU#513068 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-CERT for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-100: Opera Web Browser Object Typecasting Vulnerability
R-101: Multiple Vulnerabilities in Cisco Secure Access Control Server
R-102: Vulnerability in Microsoft Outlook (925938)
R-103: Vulnerability in Vector Markup Language (929969)
R-104: Vulnerabilities in Microsoft Excel (927198)
R-105: XFree86 and xorg-x11 Security Update
R-106: libgsf Security Update
R-107: HP OpenView Network Node Manager (OV NNM) Remote Unauthorized
       Execution of Arbitrary Code
R-108: Security Vulnerability in Processing GIF Images in the Java Runtime
       Environment
R-109: Security Vulnerabilities: Buffer Overrun in NetMail 3.52