[Snort-sigs] Real Networks vulnerability

J-H. Johansen corinth at ...121...
Fri Aug 29 04:07:05 EDT 2003

Here's some info from Symantec regarding some new reconnaissance attempts
regarding a flaw by Real Networks.

Are there any existing rules which might trigger at this sort of activity?

Jens-Harald Johansen


Symantec has seen an increase in scanning activity for port(s) 554 and port
80 over the last 24 hours.

The port 554 activity may relate to a recently disclosed Helix Universal
Server vulnerability by Real Networks that relates to streaming video. The
substantial increase in scanning activity could be indicative of an exploit
being tested prior to an attack, i.e. a typical reconnaissance. Exploit
code is known for this vulnerability. Such a threat could allow an
attacker to gain root access to the target host. No active exploits have
been seen at present.

This will impact organisations with:

Hosting video streaming capabilities

Hosting web casts that cross the Internet as opposed to being entirely


There is a potential that if the attacker gains control of the video server
they will then be able to use that server as an access point through to
other servers.

Customers that use streaming video services internally or externally are
advised to:

1. Research the solution being suggested by RealNetworks

2. Monitor port 554 for signs of any increased activity.

Further information can be gained from Deepsight TMS or the RealNetworks
web site.
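
Added example (not part of the original message or the Symantec notice): one way to act on the advice to monitor port 554, flagging an hourly increase in inbound SYNs and sources that sweep several hosts. The log format, field names, thresholds and addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log lines (hypothetical format, documentation-range IPs).
SAMPLE_LOG = """\
2003-08-28T09:14:02 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=554 FLAGS=SYN
2003-08-28T10:31:40 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=554 FLAGS=SYN
2003-08-28T11:02:11 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=554 FLAGS=SYN
2003-08-28T11:02:12 SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP DPT=554 FLAGS=SYN
2003-08-28T11:02:13 SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP DPT=554 FLAGS=SYN
2003-08-28T11:02:14 SRC=198.51.100.9 DST=192.0.2.13 PROTO=TCP DPT=80 FLAGS=SYN
2003-08-28T11:05:30 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=554 FLAGS=SYN
2003-08-28T11:07:00 not a connection record
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d):\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=SYN$")

def parse(lines, port=554):
    """Yield (hour, src, dst) for inbound SYNs to `port`; skip unparseable lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m["dpt"]) == port:
            yield m["hour"], m["src"], m["dst"]

def hourly_spike(lines, port=554, factor=2.0):
    """Return (latest_hour, count, baseline) if the latest hour exceeds
    factor x the mean of earlier hours that had traffic, else None."""
    per_hour = Counter(h for h, _, _ in parse(lines, port))
    if len(per_hour) < 2:
        return None  # no baseline to compare against
    *earlier, latest = sorted(per_hour)
    baseline = sum(per_hour[h] for h in earlier) / len(earlier)
    count = per_hour[latest]
    return (latest, count, baseline) if count > factor * baseline else None

def sweeping_sources(lines, port=554, min_targets=3):
    """Sources that touched at least `min_targets` distinct hosts on `port`."""
    targets = defaultdict(set)
    for _, src, dst in parse(lines, port):
        targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    print(hourly_spike(SAMPLE_LOG), sweeping_sources(SAMPLE_LOG))
```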
