Briley Hassell-Jack of eEye Digital Security has discovered a vulnerability in multiple ISS products, which can be exploited to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the PAM (Protocol Analyses Module) component within a routine used for monitoring ICQ server responses. This can be exploited to cause a buffer overflow by sending a specially crafted response packet with a source port of 4000/UDP to the broadcast address of a network with vulnerable systems.

Successful exploitation may allow execution of arbitrary code with SYSTEM privileges on all vulnerable systems.

The following products are affected:
* BlackICE Agent for Server 3.6 ecf and before
* BlackICE PC Protection 3.6 ccf and before
* BlackICE Server Protection 3.6 ccf and before
* RealSecure Desktop 7.0 ebl and before
* RealSecure Desktop 3.6 ecf and before
* RealSecure Guard 3.6 ecf and before
* RealSecure Sentry 3.6 ecf and before
* RealSecure Network 7.0, XPU 22.11 and before
* RealSecure Server Sensor 7.0 XPU 22.11 and before
* RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
* Proventia A Series XPU 22.11 and before
* Proventia G Series XPU 22.11 and before
* Proventia M Series XPU 1.9 and before

NOTE: A worm ("Witty") has been discovered in the wild exploting this vulnerability.

Solution
The following updates are available or will be available shortly from the ISS Download Center:
Further details available in Customer Area

Provided and/or discovered by
Briley Hassell-Jack (Riley Hassell and Barnaby Jack), eEye Digital Security.

Changelog
Further details available in Customer Area

Original Advisory
ISS X-Force:
http://xforce.iss.net/xforce/alerts/id/166
http://xforce.iss.net/xforce/alerts/id/167

eEye Digital Security:
http://www.eeye.com/html/Research/Advisories/AD20040318.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area