SNI-24: IDS Vulnerabilities

Secure Networks Inc. (sni@SECURENETWORKS.COM)
Mon, 09 Feb 1998 14:57:44 -0700

###### ## ## ######
## ### ## ##
###### ## # ## ##
## ## ### ##
###### . ## ## . ######.

Secure Networks Inc.
Technical Paper Announcement
February 9, 1997

Vulnerabilities in Network Intrusion Detection Software

This posting is being released to announce a technical paper outlining
vulnerabilities in commonly deployed "network-based" intrusion detection
systems, including ISS RealSecure, AbirNet SessionWall-3, WheelGroup NetRanger,
and Network Flight Recorder. Due to fundemental flaws in the manner by which
these systems collect information, it is possible for an attacker to evade
detection. Additionally, ID systems that provide "reactive" capabilities can
be leveraged via spoofing attacks by an attacker to commit denial-of-service
attacks against the networks they protect.

This paper is available via our website in the following formats:

- Executive Summary in Word Format
http://www.securenetworks.com/papers/ids-simple.doc

- Full Paper in HTML Format
http://www.securenetworks.com/papers/ids-html/

- Full Paper in PostScript Format
http://www.securenetworks.com/papers/IDS.PS

- Full Paper in PDF Format
http://www.securenetworks.com/papers/IDS.PDF

- A press release for this paper is available at:
http://www.securenetworks.com/news/press.html

Tested Systems:
~~~~~~~~~~~~~~~

We tested ISS RealSecure version 1.0.97.224 for Windows NT.

We tested WheelGroup Corporation's NetRanger product in version 1.2.2.

We tested the most recent evaluation release of AbirNet SessionWall-3,
version 1, release 2, build v1.2.0.26 for Windows NT.

We tested Network Flight Recorder's NFR version 1.5. NFR is not
specifically a network intrusion detection system, and our results apply
only to NFR when used as an engine for network ID.

All tested systems were vulnerable to problems that would allow a remote
attacker to launch undetected attacks against networks protected by these
intrusion detection systems.

Type Bits/KeyID Date User ID
pub 1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@securenetworks.com>
Secure Networks <security@securenetworks.com>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzLaFzIAAAEEAKsVzPR7Y6oFN5VPE/Rp6Sm82oE0y6Mkuof8QzERV6taihn5
uySb31UeNJ4l6Ud9alOPT/0YdeOO9on6eD1iU8qumFxzO3TLm8nTAdZehQSAQfoa
rWmpwj7KpXN/3n+VyBWvhpBdKxe08SQN4ZjvV5HXy4YIrE5bTbgIhFKeVQANAAUR
tCVTZWN1cmUgTmV0d29ya3MgSW5jLiA8c25pQHNlY25ldC5jb20+iQCVAwUQM1yd
EB/bLKAOe7p9AQFptAQAiYpaZCpSmGgr05E698Z3t5r5BPAKUEtgvF53AvZUQLxz
ZsYsVU5l5De0qKWJOQ/9LiDyWu1lvKhlTphbLy2RatWD4kO3oQL9v3TpSXm2WQhU
uIzyZvj7S5ENodNnKn+gCDIvbou6OMot+7dRbWWgN2oabbru4CSlOxbG++yaTz+J
AJUDBRAzTefbtOXez5VgyLkBAd0bA/43eGEgvPOFK+HHWCPpkSWCwtrtDU/dxOVz
9erHnT/CRxeojCI+50f71Qe+kvx9Q1odz2Jl/fLxhnPQdbPnpWblIbu4F8H+Syrj
HTilDrl1DWa/nUNgK8sb27SMviELczP1a8gwA1eo5SUCG5TWLLTAzjWOgTxod2Ha
OwseUHmqVIkAlQMFEDNOVsr/d6Iw8NVIbQEBxM0D/14XRfgSLwszgJcVbslMHm/B
fF6tHoWYojzQle3opOuMYHNN8GsMZRkc1qQ8QuNA9Aj5+qDqEontGjV5IvhBu1fY
FM77AhagskaFCZxwqV64Qrk328WDO89NGSd+RuovVNruDdn20TxNCEVuPTHjI0UA
8H+E6FW9jexg6RTHhPXYtCVTZWN1cmUgTmV0d29ya3MgPHNlY3VyaXR5QHNlY25l
dC5jb20+iQCVAwUQMtqTKB/bLKAOe7p9AQFw5wQAgUwqJ+ZqfEy/lO1srU3nzxLA
X0uHGHrMptRy/LFo8swD6G1TtWExUc3Yv/6g2/YK09b5WmplEJ+Q09maQIw+RU/s
cIY+EsPauqIq4JTGh/Nm0Z4UDl2Y1x4GNtm0YqezxUPS0P0A3LHVLJ3Uo5og0G8O
gPNrfbVz5ieT14OSCWCJAJUDBRAy2hd2/3eiMPDVSG0BAVNhBACfupfAcNhhnQaq
aI03DOOiZSRjvql1xw4V+pPhM+IksdSK3YNUZVJJtANacgDhBT+jAPRaYbBWI3A5
ZMdcSNM8aTG0LWMLIOiOYEm6Lgd3idRBFN0Js08eyITl8mhZ33mDe4I0KQri9UiV
ZcPYTbb9CWM6Hv2cMbt6S6kLnFziqIkAlQMFEDLaF0+4CIRSnlUADQEBCLoEAJwt
UofDgvyZ4nCDx1KKAPkkXBRaPMWBp46xeTVcxaYiloZfwHfpk1h2mEJAxmAsvizl
OtIppHl4isUxcGi/E2mLCLMvis22/IQP/9obPahPvgNaMLVtZljO1Nv3QFEkNciL
FEUTNJHR1ko7ibCxkBs4cOpirFuvTMDvWnNaXAf8
=DchE
- -----END PGP PUBLIC KEY BLOCK-----

Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1998 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

You can find Secure Networks papers at ftp://ftp.securenetworks.com/pub/papers
and advisories at ftp://ftp.securenetworks.com/advisories

You can browse our web site at http://www.securenetworks.com

You can subscribe to our security advisory mailing list by sending mail to
majordomo@securenetworks.com with the line "subscribe sni-advisories"

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCUAwUBNJgc67gIhFKeVQANAQFP3QP4olaaL2eWY+H9iZkPv/p+JikfR75mtOmI
jXYcv4bgg9lYu3TFS/QoA91b8TYIcLyfTFWiAtEbTNAIvi76ofw9SFwP4J7YRqSf
eQzrQXbyqW4WYJtk3pRm7aGQ3+X6o3Erq3anUJ8pJyE4e5A7qmYZKp9vSECHmoPV
I1ys8i7zvg==
=MFnD
-----END PGP SIGNATURE-----