Check Point Advisories

ISS ICQ Parsing - Ver2 (CVE-2004-0362)

Check Point Reference: CPAI-2004-214
Date Published: 18 May 2015
Severity: Critical
Last Updated: Thursday 09 June, 2016
Source:
Industry Reference: CVE-2004-0362
Protection Provided by:

Security Gateway
R81, R80, R77, R75

Who is Vulnerable?

Vulnerability Description

There is a vulnerability within several ISS security products, including BlackICE, RealSecure, and Proventia, in the way they parse the ICQ messaging protocol. An attacker exploiting this vulnerability can cause a buffer overflow, resulting in the termination of a service or execution of arbitrary code.

The affected service on the target machine may terminate when receiving the malformed ICQ server response message. However, if the message involved in the attack is crafted carefully, it is possible for the attacker to inject and execute arbitrary code on the target. The attacker is able to run this code in the context of the remote service, which is LOCAL_SYSTEM. Depending on the nature of the injected code, the service may either terminate or continue to run. In the event that an attack causes service termination, the administrator of the remote machine will need to restart the service in order to regain the provided functionality.

In the case of a Witty worm attack, an infected system will send large amounts of UDP traffic, consisting of attack messages, to random destination IP addresses, which may overload local networks.
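The worm behaviour described above, one host sending UDP to many random destinations, shows up in flow data as high per-source fan-out. The following is an added example, not part of the Check Point advisory or its IPS protection; the flow tuple layout, window and threshold are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict, deque

# Assumed tuning values, not taken from the advisory.
WINDOW_SECONDS = 10
MAX_DISTINCT_DESTS = 20

def find_udp_fanout(flows, window=WINDOW_SECONDS, limit=MAX_DISTINCT_DESTS):
    """Return {src_ip: first_alert_time} for sources that send UDP to more
    than `limit` distinct destination IPs within `window` seconds.

    `flows` is an iterable of (timestamp, proto, src_ip, dst_ip), time-sorted.
    """
    recent = defaultdict(deque)                      # src -> (ts, dst) in window
    counts = defaultdict(lambda: defaultdict(int))   # src -> dst -> hits in window
    alerts = {}
    for ts, proto, src, dst in flows:
        if proto != "udp" or src in alerts:
            continue
        q, c = recent[src], counts[src]
        q.append((ts, dst))
        c[dst] += 1
        # Expire records that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) > limit:
            alerts[src] = ts
    return alerts

def constructed_flows():
    """Constructed sample: a busy DNS client, a UDP sprayer, one TCP flow."""
    flows = []
    for i in range(60):
        # 10.0.0.5: high volume but only two destinations (no alert expected).
        resolver = "10.0.0.53" if i % 2 else "10.0.0.54"
        flows.append((i * 0.5, "udp", "10.0.0.5", resolver))
    for i in range(40):
        # 10.0.0.9: a new pseudo-random destination every 0.1 s.
        dst = "198.51.%d.%d" % ((i * 37) % 256, (i * 101 + 7) % 256)
        flows.append((5 + i * 0.1, "udp", "10.0.0.9", dst))
    flows.append((6.0, "tcp", "10.0.0.7", "192.0.2.1"))  # ignored: not UDP
    return sorted(flows)

if __name__ == "__main__":
    print(find_udp_fanout(constructed_flows()))
```

Counting distinct destinations rather than packets keeps chatty but legitimate UDP clients, such as the DNS client in the sample, below the threshold.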

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click the Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

  1. In the IPS tab, click Protections and find the ISS ICQ Parsing - Ver2 protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  Instant Messenger.
Attack Information:  ISS ICQ Parsing - Ver2
