From xforce@iss.net Fri Apr 2 00:11:16 1999 From: X-Force To: alert@iss.net Cc: X-Force Date: Wed, 31 Mar 1999 15:28:22 -0500 (EST) Subject: ISSalert: ISS Security Advisory -- WebRamp Denial of Service Attacks TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory -- WebRamp Denial of Service Attacks March 31, 1999 Synopsis: Ramp Networks (http://www.rampnet.com/) WebRamp Internet access devices allow multiple computers to share a dialup connection. The WebRamp family of Internet access devices are designed for small businesses that require cost-effective, high-speed Internet access on every desktop. WebRamp is vulnerable to two denial of service attacks that allow an attacker to either crash the WebRamp device or change its IP address. When the device crashes, it will have to be manually reset before it will dial up. If an attacker changes the IP address of the WebRamp, none of the machines on your network will be able to find it, so no machines will be able to access the Internet via the WebRamp. The device will still function as a network hub, so your intra-LAN connectivity will not be disrupted. Description: WebRamp crash/denial of service attack: Sending a specially formatted string of characters to the HTTP port of the WebRamp causes the device to hang, requiring a manual reset. WebRamp IP address change: Sending a specially-formatted UDP packet to port 5353 changes the WebRamp's local IP address, effectively 'hiding' the device from the rest of your machines. The WebRamp is still connected to the Internet and its PPP IP address is unchanged. Recommendations: If an attacker has crashed your WebRamp, then manually reset it by turning it off and on again. If an attacker has changed the IP address, use WRFINDER.EXE on the WebRamp installation CD to change the address to a proper value. Fix Information: Go to http://www.rampnet.com/upgrades to get the latest firmware for your model of WebRamp. Additional Information: Information in this advisory was obtained by the research of Jon Larimer of the ISS X-Force. ISS X-Force would like to thank Ramp Networks for their assistance with testing on WebRamp devices and providing fix information. ________ Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby granted for the electronic redistribution of this Security Advisory. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Security Advisory in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Internet Security Systems, Inc. (ISS) is the leading provider of adaptive network security monitoring, detection, and response software that protects the security and integrity of enterprise information systems. By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite family of products provide protection across the enterprise, including the Internet, extranets, and internal networks, from attacks, misuse, and security policy violations. ISS has delivered its adaptive network security solutions to organizations worldwide, including firms in the Global 2000, nine of the ten largest U.S. commercial banks, and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at http://www.iss.net. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNwEjQTRfJiV99eG9AQHS2AQAilU+R2J0pU2DMi+0CBMjl1zwIPob990s n4ECDLLimt66TLeZW3fBxstHOzWUJ1YRPm/Ahb0oeyDqx54Cv4LA3uZttq5mZ2+d d84nPbznpzC6Q/9eqVX8tNF0cp2TNc2eIqkwV4I1ZZ68JMkepmglT73mPqpzWJL8 fIT8UGYykDs= =4bwl -----END PGP SIGNATURE-----