Flood ACK packets cause an IBM SecureWay FireWall DoS

From: Mauro Flores (mafloresat_private)
Date: Wed Oct 09 2002 - 06:42:34 PDT

    ---------------------------------------------------------------------------
    Title: Flood ACK packets cause an IBM SecureWay FireWall DoS.
    
    Released: 9th Oct 2002
    ---------------------------------------------------------------------------
    
    Vulnerable:
    ===========
    - SecureWay 4.2.x on AIX
    
    Overview:
    =========
    SecureWay is a robust FireWall product developed by IBM that runs on the AIX
    and Windows platforms. It is not a full-fledged stateful packet filter, but more
    like a stateful-inspection, connection-centric, deterministic-filtering firewall.
    
    There is a stack problem with malformed TCP packets that can lead
    SecureWay to a DoS condition. Reaching this condition requires a large amount of bandwidth.
    
    Details:
    ========
    When TCP packets with all flags zeroed are sent to the SecureWay FireWall, it
    recognizes the invalid packets only after a lot of processing has been done. Because
    of this, a flood of these forged packets consumes a lot of resources and can lead
    the IBM SecureWay FireWall to a denial-of-service condition.
    
    To reach the DoS condition the flood must be over 2.8 Mbps, so this is more of a
    DDoS attack.
    
    On servers running SecureWay, the standard AIX fix does not work.
    
    Vendor Response:
    ================
    IBM was contacted on July 14, 2002. The vendor confirmed the problem and released
    a fix.
    
    Corrective Action:
    ==================
    Update to SecureWay Firewall version 4.2.2 or install APAR IR49046.
    ftp://testcase.software.ibm.com/aix/fromibm/firewall/fwaixfilter4_421d*
    
    Vulnerability Reporting Policy:
    ===============================
    http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt
    
    
    Author: Mauro Flores (mafloresat_private)
            Guillermo Freire (gfreireat_private)
    
    ---------------------------------------------------------------------------
    ANTel is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall ANTel be
    liable for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.
    ---------------------------------------------------------------------------
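
The condition described under "Details" can be watched for on a capture taken in front of the firewall. The following is an added example, not part of the original advisory or of any IBM code: it parses raw IPv4 packets, picks out TCP segments with no flags set, and reports each one-second window in which that traffic to a single destination exceeds the 2.8 Mbps figure the advisory cites. The function names, the one-second bucketing, and the sample packets (documentation addresses) are assumptions made for illustration.

```python
import struct
from collections import defaultdict

THRESHOLD_BPS = 2_800_000  # flood rate cited in the advisory (2.8 Mbps)

def tcp_flags(pkt: bytes):
    """Return the six classic TCP flag bits of a raw IPv4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None                      # not IPv4 carrying TCP
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(pkt) < ihl + 14:
        return None                      # bad header, later fragment, or truncated
    return pkt[ihl + 13] & 0x3F          # URG ACK PSH RST SYN FIN

def null_flag_alerts(capture, threshold_bps=THRESHOLD_BPS):
    """capture: iterable of (timestamp_seconds, raw_ipv4_packet).
    Returns sorted (second, dst_ip, bits) for every one-second bucket in which
    flag-less TCP traffic to one destination exceeds threshold_bps."""
    bits = defaultdict(int)
    for ts, pkt in capture:
        if tcp_flags(pkt) == 0:
            dst = ".".join(str(b) for b in pkt[16:20])
            bits[(int(ts), dst)] += len(pkt) * 8
    return sorted((s, d, b) for (s, d), b in bits.items() if b > threshold_bps)

def sample_packet(flags, size=1000):
    """Constructed IPv4/TCP packet (documentation addresses), padded to size bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, size, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 0, 0, 0)
    return (ip + tcp).ljust(size, b"\x00")

def constructed_capture():
    """Constructed sample: second 10 null-flag at 3.2 Mbps, second 11 plain
    ACKs at the same rate, second 12 null-flag at only 0.8 Mbps."""
    cap = [(10 + i / 400, sample_packet(0x00)) for i in range(400)]
    cap += [(11 + i / 400, sample_packet(0x10)) for i in range(400)]
    cap += [(12 + i / 100, sample_packet(0x00)) for i in range(100)]
    return cap

if __name__ == "__main__":
    for second, dst, bits in null_flag_alerts(constructed_capture()):
        print(f"t={second}s dst={dst} null-flag TCP at {bits / 1e6:.1f} Mbps")
```

Only the window at second 10 is reported; the ACK traffic and the low-rate null-flag traffic stay below the alert condition.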
    


