Multiple Vulnerabilities in Mandiant First Response

Risk: Medium
Local: Yes
Remote: Yes

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Symantec Vulnerability Research Security Advisory Advisory ID: SYMSA-2006-013 Advisory Title: Multiple Vulnerabilities in Mandiant First Response Author: Brian Reilly / brian_reilly (at) symantec (dot) com [email concealed] Release Date: 18-12-2006 Application: Mandiant First Response 1.1 Platform: Windows 2000/XP/2003 Severity: Multiple -- Denial of Service, Data Manipulation, Client/Server Hijacking Vendor status: New Version of product available CVE Number: CVE-2006-6475, CVE-2006-6476, CVE-2006-6477 Reference: Overview: Mandiant First Response is an incident response tool to collect system information such as running processes, system services, registry information, event logs, and file lists from a local or remote host. The First Response agent (FRAgent.exe) can be installed and configured as a daemon on target hosts in order to collect information remotely via a First Response Command Console. Multiple vulnerabilities exist that could lead to a variety of attack payloads. Agents running in either HTTP or SSL mode are vulnerable to denial of service and server hijacking conditions. The server hijacking vulnerability present in HTTP agents can be further leveraged to allow a rogue process to intercept and modify legitimate agent/console communication, and force a Command Console to download arbitrary content and visit arbitrary URLs. Details: Vulnerability #1: Denial of Service against an SSL agent through malformed client requests When run in daemon mode, the First Response agent (FRAgent.exe) accepts remote connections from a First Response console via HTTP or a modified HTTPS implementation. By sending a series of specially-crafted requests to an SSL-enabled agent, it is possible to force the agent to throw an exception that is not properly handled. After this occurs, the agent's sockets will enter an indefinite CLOSE_WAIT state and all subsequent connection attempts will be refused. The service then must be restarted in order to recover and accept connections again. Vulnerability #2: Denial of Service against an HTTP or SSL agent through Agent hijacking An FRAgent daemon permits other processes to bind to the same socket addresses on which it is already listening. If FRAgent is bound to a wildcard address ("all interfaces"), a rogue process can intercept client connections by subsequently binding to the same port on a specific IP address. By hijacking an agent with a non-responsive listener, an attacker can effectively prevent all legitimate client connections. Vulnerability #3: Command Console and Data Manipulation through HTTP Agent Hijacking If an HTTP FRAgent daemon is hijacked, the attacker can control the response data sent to and processed by a client, as well as other aspects of client behavior. A rogue process can conduct a man-in-the-middle attack to redirect and modify all requests and responses between the client and a legitimate agent. The attacker can also send specially-crafted HTTP responses that force the client to visit arbitrary URLs and/or download arbitrary content. (NOTE: The use of HTTPS/SSL is default behavior for First Response; using cleartext HTTP requires manual configuration.) Vendor Response: Mandiant has confirmed the reports provided by Symantec and updated Mandiant First Response (MFR) to correct these issues. Version 1.1.1 is now available for download from Mandiant advises all users of MFR to upgrade to 1.1.1 as soon as possible. Registered users of the software have been notified via email of availability of the upgrade. During the course of our review we noted the following addenda to Symantec's analysis: Vulnerability 1: The DoS condition was due to a design error where the Agent would choose to exit upon receipt of a malformed request. The exit was an explicit choice exercised by the code path and not caused by a buffer overflow or heap corruption. Version 1.1.1 addresses the explicit exit condition and correctly handles requests with malformed payloads, allowing the MFR Agent to continue operation while correctly rejecting malformed requests. Vulnerability 2 and 3: The vulnerabilities are present because the MFR Agent opens its listening port in non-exclusive mode. Version 1.1.1 correctly opens the port as exclusive, preventing the multiple-bind condition. Mandiant would like to thank Brian Reilly and Scott King for discovering and notifying us of these vulnerabilities, and Symantec for their participation in public disclosure. Recommendation: Upgrade to MFR version 1.1.1, available at Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (, which standardizes names for security problems. CVE-2006-6475, CVE-2006-6476, CVE-2006-6477 - -------Symantec Vulnerability Research Advisory Information------- For questions about this advisory, or to report an error: research (at) symantec (dot) com [email concealed] For details on Symantec's Vulnerability Reporting Policy: Symantec Vulnerability Research Advisory Archive: Symantec Vulnerability Research GPG Key: - -------------Symantec Product Advisory Information------------- To Report a Security Vulnerability in a Symantec Product: secure (at) symantec (dot) com [email concealed] For general information on Symantec's Product Vulnerability reporting and response: Symantec Product Advisory Archive: Symantec Product Advisory PGP Key: sc - --------------------------------------------------------------- Copyright (c) 2006 by Symantec Corp. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Consulting Services. Reprinting the whole or part of this alert in any medium other than electronically requires permission from cs_advisories (at) symantec (dot) com. [email concealed] Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Symantec, Symantec products, and Symantec Consulting Services are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFFgaecuk7IIFI45IARAg3oAJ9SwOll1ACKiUVE+bxq4gaBYe5KPQCeMZGJ d0+CXnzUBbhj51j9rvqGF7k= =E8pd -----END PGP SIGNATURE-----

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top