Novell BorderManager 3.5 VPN Denial of Service

From: Richard Bartlett (richardat_private)
Date: Fri Apr 20 2001 - 11:41:31 PDT


    
    Date Published: April 20th 2001
    
    Advisory ID: HI200101
    
    Bugtraq ID: 2623
    
    CVE CAN: N/A
    
    Title: Novell BorderManager 3.5 VPN Denial of Service
    
    Class: Denial of Service
    
    Remotely Exploitable: yes
    
    Locally Exploitable: yes
    
    Vulnerability Description:
    
    Novell BorderManager is described on Novell's web site as "a powerful
    Internet security management suite that offers industry leading
    firewall, authentication, virtual private network (VPN), and caching
    services to organizations of all sizes."
    
    Client to site VPN services can be halted by a SYN flood attack on
    port 353, causing the port to close and the service to cease
    functioning until the server is rebooted.
    
    Vulnerable Packages/Systems:
    
    [Confirmed] Novell BorderManager Enterprise Edition 3.5
    [Suspected] Novell BorderManager 3.0 - 3.6
    
    Solution/Vendor Information/Workaround:
    
    None provided
    
    Vendor notified on: 15th March 2001
    It was specified in the email that the report was being made in
    accordance with RDPolicy 2.0.  An automatic response was received
    from "The Novell Security Team", but no further communication was
    received.
    
    Technical Description:
    
    When using client to site VPN, one of the ports open on the outbound
    interface of the BorderManager server is 353, which allows for
    initial handshaking between VPN Client & Server to exchange the Keys.
    
    Sending out multiple SYN requests to a port on the server will cause
    exhaustion of the available TCP connections on the server.  The
    following command will open multiple connections to port 353;
    
       for /l %%h in (1, 1, 300) do nc -d -z 192.168.1.1 353
    
    Once ~256 connections are made the port fails to respond to further
    SYN requests, and the server logs show that all further connections
    are refused with the message 'No more TCP/IP client connections are
    available'.  Until the server is rebooted or reinitialized all
    client-to-site VPN will fail (thereby forcing users to revert to an
    insecure form of data transmission, e.g. FTP or POP3, which both use
    clear text passwords).
    
    The server tested on was left for over 48 hours to allow connections
    to be freed up by the system, but the port remained closed.
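As an added example that is not part of the advisory, the following defender-side detector counts SYN-only attempts against port 353 per source in a sliding window and raises an alert well before the ~256-connection limit the advisory describes is reached. The log record format, the sample records and the warning threshold are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque

VPN_PORT = 353          # BorderManager client-to-site key-exchange port (from the advisory)
CAPACITY = 256          # ~256 connections exhaust the listener, per the advisory
WARN_FRACTION = 0.5     # constructed choice: alert at half of the capacity
WINDOW_SECONDS = 60     # constructed choice: sliding window length

# Assumed record format: "<epoch> <src>:<sport> -> <dst>:<dport> <tcpflags>"
LINE_RE = re.compile(r'^(?P<ts>\d+) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+) (?P<flags>\S+)$')


def parse(line):
    """Return (timestamp, source ip, destination port, flags) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return int(m['ts']), m['src'], int(m['dport']), m['flags']


def detect(lines, window=WINDOW_SECONDS, capacity=CAPACITY, warn_fraction=WARN_FRACTION):
    """Return [(src, ts, count)] once a source's SYNs to VPN_PORT within the window reach the threshold."""
    threshold = int(capacity * warn_fraction)
    per_src = defaultdict(deque)   # per-source timestamps of recent SYN-only segments
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dport, flags = rec
        if dport != VPN_PORT or flags != 'S':   # only bare SYNs to the VPN port count
            continue
        q = per_src[src]
        q.append(ts)
        while q and ts - q[0] > window:         # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, len(q)))
    return alerts


def constructed_sample():
    """Constructed records: one normal client, one source sending 150 SYNs in 15 seconds, one unrelated port."""
    lines = ["1000 10.0.0.5:40001 -> 192.0.2.1:353 S", "1000 10.0.0.5:40001 -> 192.0.2.1:353 A"]
    lines += [f"{1000 + i // 10} 10.0.0.9:{50000 + i} -> 192.0.2.1:353 S" for i in range(150)]
    lines.append("1005 10.0.0.7:40010 -> 192.0.2.1:80 S")
    return lines
```

Running `detect(constructed_sample())` flags 10.0.0.9 at the 128th SYN, while the normal client and the unrelated port produce nothing.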
    
    Various measures were taken to resolve the issue.  The server was
    patched with NetWare 5.1 Support Pack 2a, BorderManager 3.5 Support
    Pack 2 and BorderManager 3.5 Proxy and ACL update. The latest
    TCPIP.NLM was in use and the server had TCP Defend SYN Attacks ON.
    
    Solution:
    
    Re-loading VPMASTER.NLM failed to resolve the problem.  Re-loading
    AUTHGW.NLM re-opened the port according to the server report, but
    client connections still failed.  The only corrective action that
    consistently resolved the problem was rebooting the server.  The
    following did work, but not consistently:
    (1) Unload VPMASTER.NLM
    (2) Unload AUTHGW.NLM
    (3) Reinitialize system
    (4) Load AUTHGW.NLM
    (5) Load VPMASTER.NLM
    
    
    DISCLAIMER:
    
    The contents of this advisory are copyright (c) Hacker Immunity Ltd,
    and may be distributed freely provided that no fee is charged for
    this distribution and proper credit is given.
    
    



    This archive was generated by hypermail 2b30 : Sat Apr 21 2001 - 13:20:07 PDT