[Snort-sigs] Real Networks vulnerability
corinth at ...121...
Fri Aug 29 04:07:05 EDT 2003
Here's some info from Symantec regarding some new reconnaissance attempts
regarding a flaw by Real Networks.
Are there any existing rules which might trigger at this sort of activity?
Symantec has seen an increase in scanning activity for port(s) 554 and port
80 over the last 24 hours.
The port 554 activity may relate to a recently disclosed Helix Universal
Server vulnerability by Real Networks that relates to streaming video. The
substantial increase in scanning activity could be indicative of an exploit
being tested prior to an attack, i.e. a typical reconnaissance. Exploit
code is known for this vulnerability. Such a threat could allow an
attacker to gain root access to the target host. No active exploits have
been seen at present.
This will impact organisations with:
Hosting video streaming capabilities
Hosting web casts that cross the Internet as opposed to being entirely
There is a potential that if the attacker gains control of the video server
they will then be able to use that server as an access point through to
Customers that use streaming video services internally or externally are
advised to:
1. Research the solution being suggested by RealNetworks
2. Monitor port 554 for signs of any increased activity.
Further information can be gained from Deepsight TMS or the RealNetworks
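
One way to act on the advice to monitor port 554 for increased activity, as an added example that is not part of the original post or the quoted Symantec text. The log format, field names, sample lines and thresholds are all constructed assumptions; the script counts bare SYN probes to the port per day and lists sources that swept several hosts.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical firewall-log format (not from the post).
SAMPLE_LOG = """\
2003-08-28T03:12:44 SRC=203.0.113.5 DST=192.0.2.10 DPT=554 FLAGS=S
2003-08-29T04:01:10 SRC=198.51.100.7 DST=192.0.2.10 DPT=554 FLAGS=S
2003-08-29T04:01:10 SRC=198.51.100.7 DST=192.0.2.11 DPT=554 FLAGS=S
2003-08-29T04:01:11 SRC=198.51.100.7 DST=192.0.2.12 DPT=554 FLAGS=S
2003-08-29T04:01:11 SRC=198.51.100.7 DST=192.0.2.13 DPT=80 FLAGS=S
2003-08-29T04:02:30 SRC=198.51.100.9 DST=192.0.2.10 DPT=554 FLAGS=S
2003-08-29T04:05:02 SRC=203.0.113.5 DST=192.0.2.10 DPT=554 FLAGS=SA
malformed line that the parser must skip
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)

def summarize(lines, port=554):
    """Return (probes per day, distinct destinations per source) for bare SYNs to `port`."""
    per_day = defaultdict(int)
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dpt"]) != port or m["flags"] != "S":
            continue  # skip malformed lines, other ports, and non-initial packets
        per_day[m["day"]] += 1
        targets[m["src"]].add(m["dst"])
    return dict(per_day), targets

def sweeping_sources(targets, min_targets=3):
    """Sources that probed the port on at least `min_targets` different hosts."""
    return sorted(s for s, dsts in targets.items() if len(dsts) >= min_targets)

def days_with_increase(per_day, factor=2.0):
    """Days whose probe count is at least `factor` times the previous logged day."""
    days = sorted(per_day)
    return [d for prev, d in zip(days, days[1:]) if per_day[d] >= factor * per_day[prev]]

if __name__ == "__main__":
    per_day, targets = summarize(SAMPLE_LOG)
    print("probes per day:", per_day)
    print("sweeping sources:", sweeping_sources(targets))
    print("days with increase:", days_with_increase(per_day))
```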