Multiple Symantec Firewall Secure Webserver timeout DoS

From: AI-SEC Security Advisories (advisories@ai-sec.dk)
Date: Mon Oct 14 2002 - 12:06:48 PDT

  • Next message: AI-SEC Security Advisories: "Symantec Enterprise Firewall Secure Webserver info leak"

    Advanced IT-Security Advisory #01-10-2002
    
    http://www.ai-sec.dk/
    
    Issue:
    ======
    Multiple Symantec Firewall Secure Webserver timeout DoS
    
    Problemdescription:
    ===================
    There exists a problem in "Simple, secure webserver 1.1" which is shipped with numerous Symantec firewalls, in which an attacker can connect to the proxyserver from the outside, and issue a HTTP-style 
    CONNECT to a domain with a missing, or flawed DNS-server. The "Simple, secure webserver 1.1" appears to wait for a timeout contacting the DNS server, and while doing so the software does not fork and 
    thereby queues or drops all requests coming from other clients. The timeout usually last up to 300 seconds. Sending subsequent requests for other hostnames in the same flawed domain will force the 
    Simple, secure webserver 1.1 to stop processing requests for a long time.
    
    The exploit works regardless if the domainname in question is allowed or not in the ACL.
    
    Versions affected: 
    ==================
    Raptor Firewall 6.5 (Windows NT)
    Raptor Firewall V6.5.3 (Solaris)
    Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
    Symantec Enterprise Firewall V7.0 (Solaris)
    Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
    VelociRaptor Model 500/700/1000
    VelociRaptor Model 1100/1200/1300
    Symantec Gateway Security 5110/5200/5300
    
    Workarounds:
    ============
    Apply official patch from Symantec
    
    Solutions:
    ==========
    Apply official patch from Symantec, or disable Simple, secure webserver.
    
    Patch:
    ======
    http://www.symantec.com/techsupp
    
    Vendorstatus:
    =============
    Symantec was contacted 22. August 2002. Symantec promptly tested and confirmed our findings, and immediately started working on a patch for their customerbase. 
    



    This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 18:09:10 PDT