Key Vulnerability Information

Vulnerability Overview

Advisory ID: SYMSA-2006-013
Vulnerability Title: Multiple Vulnerabilities in Mandiant First Response
Author: Brian Reilly
Release Date: 18-12-2006
Application: Mandiant First Response 1.1
Platform: Windows 2000/XP/2003

Vulnerability Details

CVE Numbers: CVE-2006-6475, CVE-2006-6476, CVE-2006-6477

Vulnerability #1: Denial of Service against an SSL agent through malformed client requests
Description: When run in daemon mode, the First Response agent (FRAgent.exe) accepts remote connections from a First Response console via HTTP or a modified HTTPS implementation. By sending a series of specially-crafted requests to an SSL-enabled agent, it is possible to force the agent to throw an exception that is not properly handled. This results in a CLOSE_WAIT state, requiring a restart to recover.

Vulnerability #2: Denial of Service against an HTTP or SSL agent through agent hijacking
Description: An FRAgent daemon permits multiple processes to bind to the same socket. A rogue process can intercept client connections and prevent legitimate client connections.

Vulnerability #3: Command Console and Data Manipulation through HTTP agent hijacking
Description: If an HTTP FRAgent daemon is hijacked, the attacker can control the response data sent to and processed by a client. This allows for man-in-the-middle attacks and can force the client to download arbitrary content.

Vendor Response

Mandiant: Confirmed the reports and released version 1.1.1 to address the vulnerabilities. Available for download from http://www.mandiant.com/firstresponse.htm.

Recommended Action

Upgrade: To MFR version 1.1.1, available at http://www.mandiant.com/firstresponse.htm.

Other

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues: CVE-2006-6475, CVE-2006-6476, CVE-2006-6477.
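
A host-side check for the conditions described under Vulnerability #1 and #2, as an added example that is not part of the advisory or of Mandiant's code: it parses `netstat -ano` output and reports TCP ports whose listeners belong to more than one PID, and processes accumulating CLOSE_WAIT sockets on a given port. The sample output, port 8443 and the PIDs are constructed placeholders, and the check assumes each listener appears as its own LISTENING row.

```python
import re
from collections import defaultdict

# Constructed `netstat -ano` output; port 8443 and all PIDs are placeholders,
# not values taken from the advisory or from First Response.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       2180
  TCP    192.168.1.5:8443       0.0.0.0:0              LISTENING       3412
  TCP    192.168.1.5:8443       192.168.1.20:50211     CLOSE_WAIT      2180
  TCP    192.168.1.5:8443       192.168.1.20:50212     CLOSE_WAIT      2180
  TCP    192.168.1.5:49712      192.168.1.9:445        ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       904
  UDP    0.0.0.0:500            *:*                                    4
"""

# TCP rows only: proto, local addr:port, foreign addr, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+([A-Z_0-9]+)\s+(\d+)\s*$")

def parse(text):
    """Yield (local_addr, local_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def shared_listeners(text):
    """Ports with LISTENING sockets owned by more than one PID."""
    owners = defaultdict(set)
    for _addr, port, state, pid in parse(text):
        if state == "LISTENING":
            owners[port].add(pid)
    return {port: sorted(pids) for port, pids in owners.items() if len(pids) > 1}

def stuck_close_wait(text, port, threshold=2):
    """PIDs holding at least `threshold` CLOSE_WAIT sockets on `port`."""
    counts = defaultdict(int)
    for _addr, lport, state, pid in parse(text):
        if lport == port and state == "CLOSE_WAIT":
            counts[pid] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("shared listeners:", shared_listeners(SAMPLE))
    print("CLOSE_WAIT pile-up:", stuck_close_wait(SAMPLE, 8443))
```

A port reported by `shared_listeners` is a prompt to identify each owning process, since a wildcard listener and a specific-address listener on the same port can also be legitimate.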