From xforce@iss.net Fri Apr  2 00:11:16 1999
From: X-Force <xforce@iss.net>
To: alert@iss.net
Cc: X-Force <xforce@iss.net>
Date: Wed, 31 Mar 1999 15:28:22 -0500 (EST)
Subject: ISSalert: ISS Security Advisory -- WebRamp Denial of Service Attacks

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net  Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------


-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory -- WebRamp Denial of Service Attacks
March 31, 1999

Synopsis:

Ramp Networks (http://www.rampnet.com/) WebRamp Internet access devices
allow multiple computers to share a dialup connection. The WebRamp family
of Internet access devices are designed for small businesses that require
cost-effective, high-speed Internet access on every desktop.

WebRamp is vulnerable to two denial of service attacks that allow an
attacker to either crash the WebRamp device or change its IP address.
When the device crashes, it will have to be manually reset before
it will dial up. If an attacker changes the IP address of the WebRamp,
none of the machines on your network will be able to find it, so no
machines will be able to access the Internet via the WebRamp. The device
will still function as a network hub, so your intra-LAN connectivity will
not be disrupted.


Description:

WebRamp crash/denial of service attack: Sending a specially formatted string
of characters to the HTTP port of the WebRamp causes the device to hang,
requiring a manual reset.

WebRamp IP address change: Sending a specially-formatted UDP packet to port
5353 changes the WebRamp's local IP address, effectively 'hiding' the
device from the rest of your machines. The WebRamp is still connected to
the Internet and its PPP IP address is unchanged.

Recommendations:

If an attacker has crashed your WebRamp, then manually reset it by turning
it off and on again.

If an attacker has changed the IP address, use WRFINDER.EXE on the WebRamp
installation CD to change the address to a proper value.


Fix Information:

Go to http://www.rampnet.com/upgrades to get the latest firmware for your
model of WebRamp.


Additional Information:

Information in this advisory was obtained by the research of Jon Larimer
<jlarimer@iss.net> of the ISS X-Force. ISS X-Force would like to thank
Ramp Networks <http://www.rampnet.com> for their assistance with testing
on WebRamp devices and providing fix information.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the electronic redistribution of this
Security Advisory.  It is not to be edited in any way without express
consent of the X-Force.  If you wish to reprint the whole or any part of
this Security Advisory in any other medium excluding electronic medium,
please e-mail xforce@iss.net for permission.

Internet Security Systems, Inc. (ISS) is the leading provider of adaptive
network security monitoring, detection, and response software that
protects the security and integrity of enterprise information systems.  By
dynamically detecting and responding to security vulnerabilities and
threats inherent in open systems, ISS's SAFEsuite family of products
provide protection across the enterprise, including the Internet,
extranets, and internal networks, from attacks, misuse, and security
policy violations.  ISS has delivered its adaptive network security
solutions to organizations worldwide, including firms in the Global 2000,
nine of the ten largest U.S. commercial banks, and over 35 governmental
agencies.  For more information, call ISS at 678-443-6000 or 800-776-2362
or visit the ISS Web site at http://www.iss.net.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNwEjQTRfJiV99eG9AQHS2AQAilU+R2J0pU2DMi+0CBMjl1zwIPob990s
n4ECDLLimt66TLeZW3fBxstHOzWUJ1YRPm/Ahb0oeyDqx54Cv4LA3uZttq5mZ2+d
d84nPbznpzC6Q/9eqVX8tNF0cp2TNc2eIqkwV4I1ZZ68JMkepmglT73mPqpzWJL8
fIT8UGYykDs=
=4bwl
-----END PGP SIGNATURE-----