Novell BorderManager 3.5 Remote Slow Death

From: Chicken Man (chicknmonat_private)
Date: Tue Feb 08 2000 - 16:58:58 PST


    On a (default) installation of BorderManager 3.5 sp1, spc02 running on
    NetWare 5.0 sp3a with nici 1.3.1, telnet to port 2000 on the firewall (on
    either the public or private interfaces) and hit enter a few times.
    Utilization will jump (to 67% on our systems), and the console will
    immediately report an error similar to the following:
    
    1-27-2000   9:34:47 am:   SERVER-5.0-830  [nmID=2000A]
        Short Term Memory Allocator is out of Memory.
        1 attempts to get more memory failed.
    
    The telnet session will not disconnect, unless you manually close the
    connection. Over the course of two days (every few minutes or so, YMMV) the
    error will repeat, with the number of attempts steadily increasing (by
    several million each time). Eventually (again, for us it was two days, YMMV)
    the firewall will deny all requests, and eventually crash completely.
    
    Further symptoms:
    
    Using tcpcon you can see something listening on port 2000. If the telnet
    session has been closed from the remote end, tcpcon reports that the
    previous session is in a "closewait" state. It may be possible to do more
    bad things since this entry never clears automatically (i.e. use up the rest
    of system resources by opening and closing connections to this port). It can
    be cleared using tcpcon.
    
    The misbehaving NLM is CSATPXY.NLM. It is the CS Audit Trail Proxy, which is
    apparently loaded by default on a BorderManager 3.5 install. From what
    various people tell me, it could also be installed on non-BorderManager
    Novell servers (though probably not by default) which means this
    vulnerability may extend beyond BorderManager 3.5.
    
    Novell was contacted regarding this and the answer was "unload the NLM".
    Unloading the NLM does stop the slow death. Rebooting will reload the NLM so
    it must be taken out of whatever loads it on boot, of course.
    
    <RANT>
    Why is the port even accessible from the outside (or the inside for that
    matter)? The default BorderManager packet filtering rules indicate that
    pretty much everything is being passed. Why is the NLM loaded by default?
    Tcpcon shows various other services running that shouldn't be either
    (chargen, echo, etc). Why? What other vulnerabilities am I missing?
    </RANT>
    
    enjoy,
         ChicknMon
    
    
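The post describes the console error as a multi-line record whose "attempts to get more memory failed" counter climbs with every repeat until the firewall stops answering. The following added example (not code from the post or from Novell) shows one way a defender could parse that console output and flag the rising counter early, before the box reaches the deny-everything stage. Only the first record below is modelled on the message quoted above; the two later records, their timestamps and their counts are constructed for the example, and the exact wording of continuation lines on other NetWare builds is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample of NetWare console output. The first record mirrors the
# message quoted in the post; the two repeats (times and counts) are made up
# to show the counter climbing the way the post describes.
SAMPLE_CONSOLE_LOG = """\
1-27-2000   9:34:47 am:   SERVER-5.0-830  [nmID=2000A]
    Short Term Memory Allocator is out of Memory.
    1 attempts to get more memory failed.
1-27-2000   9:41:12 am:   SERVER-5.0-830  [nmID=2000A]
    Short Term Memory Allocator is out of Memory.
    3105220 attempts to get more memory failed.
1-27-2000   9:52:03 am:   SERVER-5.0-830  [nmID=2000A]
    Short Term Memory Allocator is out of Memory.
    6410877 attempts to get more memory failed.
"""

# Header line: date, time, module/error id, and the nmID in brackets.
HEADER_RE = re.compile(
    r"^(?P<date>\d{1,2}-\d{1,2}-\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s*[ap]m):\s+"
    r"(?P<module>SERVER-[\d.]+-\d+)\s+\[nmID=(?P<nmid>[0-9A-Fa-f]+)\]\s*$"
)
# Indented continuation line carrying the failure counter.
ATTEMPTS_RE = re.compile(r"^\s*(?P<n>\d+) attempts to get more memory failed\.")


@dataclass
class MemoryAlert:
    when: datetime
    module: str
    nmid: str
    failed_attempts: int


def parse_console_log(text: str) -> List[MemoryAlert]:
    """Group each SERVER-x-830 header with its indented continuation lines
    and return one MemoryAlert per complete record."""
    alerts: List[MemoryAlert] = []
    header: Optional[dict] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            # Normalise "9:34:47 am" so strptime parses it reliably.
            stamp = re.sub(r"\s+", " ", f"{m['date']} {m['time']}").upper()
            header = {
                "when": datetime.strptime(stamp, "%m-%d-%Y %I:%M:%S %p"),
                "module": m["module"],
                "nmid": m["nmid"],
            }
            continue
        a = ATTEMPTS_RE.match(line)
        if a and header is not None:
            alerts.append(MemoryAlert(failed_attempts=int(a["n"]), **header))
            header = None  # record complete; wait for the next header
    return alerts


def assess(alerts: List[MemoryAlert]) -> dict:
    """Summarise the trend. Repeated records with a strictly rising counter is
    the 'slow death' pattern from the post and is worth paging on."""
    if not alerts:
        return {"records": 0, "rising": False, "growth": 0, "slow_death": False}
    counts = [a.failed_attempts for a in alerts]
    rising = all(later > earlier for earlier, later in zip(counts, counts[1:]))
    return {
        "records": len(alerts),
        "rising": rising,
        "growth": counts[-1] - counts[0],
        "slow_death": len(alerts) >= 2 and rising,
    }


if __name__ == "__main__":
    found = parse_console_log(SAMPLE_CONSOLE_LOG)
    for item in found:
        print(f"{item.when:%Y-%m-%d %H:%M:%S} {item.module} nmID={item.nmid} "
              f"failed={item.failed_attempts}")
    print(assess(found))
```

Pointing this at a captured console log (or a feed of it) gives a simple trend alarm; the useful signal is not a single 830 error but the same nmID repeating with a counter that only ever goes up, which is the window in which unloading the offending NLM still avoids the crash.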



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:54 PDT