[ISN] Security hole discovered in Symantec firewalls

From: InfoSec News (isnat_private)
Date: Wed Oct 16 2002 - 23:48:48 PDT

  • Next message: InfoSec News: "[ISN] Beta hack rattles Microsoft"

    By Paul Roberts
    IDG News Service, 10/16/02
    A flaw discovered in a common component of Symantec's firewall
    technology leaves a number of that company's products vulnerable to
    denial-of-service attacks, according to a bulletin released by the
    company and by Advanced IT Security AS, a security services firm with
    headquarters in Copenhagen, Denmark.
    The security hole was discovered in the Web proxy component of
    Symantec's Enterprise Firewall product, also known as "Simple Secure
    Webserver 1.1."
    The vulnerability concerns the way the Web server handles requests for
    URLs, addresses used to access Web pages and other resources on the
    According to a security advisory posted on Advanced IT Security's Web
    site, requests from an attacker for registered but unavailable
    Internet domains cause the Symantec Web server to pause for as long as
    five minutes waiting for a reply. During that time, the entire
    firewall ceases to respond to other, legitimate requests, affecting
    not only Web traffic to the domain that would go through the firewall,
    but other types of Internet traffic as well, according to Tommy
    Mikalsen, CTO of Advanced IT.
    Symantec issued a bulletin and a patch Monday for the affected
    products on its Web page and advises its customers to keep their
    products and operating systems updated with the latest software
    There appears to be disagreement between Advanced IT and Symantec,
    however, on the scope of the problem. Symantec's advisory states that
    only requests related to URLs featuring the domain protected by the
    Symantec firewall - as opposed to any domain on the Internet - would
    produce the timeout. Advanced IT claims that URLs featuring any
    Internet domain will cause the firewall to fail, according to
    To take advantage of the flaw, attackers would need to, for example,
    turn off DNS services for an existing domain under their control, then
    issue a flood of requests to the targeted Symantec firewall for that
    domain, according to Mikalsen.
    Because the Web server is a common component of Symantec's firewall
    technology, the vulnerability reported by Advanced IT Security affects
    a wide range of Symantec's products. In its security alert, Symantec
    listed the Raptor Firewall for Windows NT and Solaris; the Symantec
    Enterprise Firewall for Windows 2000, Windows NT, and Solaris; the
    VelociRaptor models 500, 700, 1000, 1100, 1200, and 1300; and the
    Symantec Gateway Security 5110, 5200, and 5300 products as affected by
    the vulnerability.
    Also Monday, Advanced IT released a second advisory concerning what it
    described as an "information leak" in the Symantec Web server.  
    According to that advisory, differences in the wording of messages
    returned to outside users by the Web server for valid- and invalid
    host requests could allow an attacker to determine the addresses of
    hosts behind a Symantec firewall.
    In an extreme example, this vulnerability could enable an attacker to
    scan a company network for IP addresses and map the network's topology
    just by analyzing the messages returned by the Symantec Web server.  
    But, according to Mikalsen, that wouldn't even be necessary.
    "As long as you can find one or two hosts within a network, you can
    infiltrate them and use them for your purposes,"? Mikalsen said.
    That vulnerability affects the Raptor Firewall version 6.5 for Windows
    NT and Version 6.5.3 for Solaris, as well as the Symantec Enterprise
    Firewall version 6.5.2 for Windows 2000 and NT, according to the
    advisory from Advanced IT.
    According to Mikalsen, Symantec informed Advanced IT that it has known
    about the information leak vulnerability since 2001 and that the
    problem had been fixed with a patch released last summer.
    Symantec could not immediately be reached for comment on either
    vulnerability reported by Advanced IT.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 02:33:33 PDT