
Category:   Application (Firewall)  >   ZoneAlarm Vendors:   Zone Labs
(Vendor Believes This is a Configuration Error) Re: ZoneLabs ZoneAlarm Pro Desktop Firewall Software May Apply the Wrong Security Settings in Certain Cases
SecurityTracker Alert ID:  1002765
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 16 2001
Impact:   Host/resource access via network

Version(s): 2.6.357; prior versions may also be vulnerable
Description:   SecurityFocus reported a vulnerability in ZoneAlarm Pro. The firewall may apply the incorrect security settings in certain cases.

It is reported that, in certain cases, ZoneAlarm may apply the local Intranet security settings to connections with non-local addresses. If the first two octets of the IP address are identical to those of the local host running ZoneAlarm, the ZoneAlarm firewall will apply the security settings of the local zone.

The vendor has been investigating the report and, based on testing to date and on vendor discussions with the author of the original vulnerability report, believes that there is no vulnerability. The vendor believes that the user added the ISP's DHCP-provided subnet (with the mask) when queried by ZoneAlarm. This is not an automatic action -- the user must accept the settings. The vendor notes that some ISPs (for example, AOL with version 7) may try to add the entire subnet to the Local Zone.

At the time of this entry, the vendor is still performing some tests to resolve the issue.

Impact:   A connection with a non-local host may be permitted when it is intended to be blocked.
Solution:   The vendor believes that there is no vulnerability and that the condition is due to a user-initiated configuration error.

[Editor's Note: When a ZoneAlarm-protected computer detects a DHCP assignment (from an ISP, for example), ZoneAlarm will ask the user if the DHCP-specified subnet should be added to the Local Zone. When connecting to the Internet, accepting this setting is dangerous.]
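To make the failure mode concrete, the following is an added Python example, not ZoneAlarm code and not from the original report; the addresses, networks and function names in it are constructed for illustration. It models the two classification rules side by side: the reported "first two octets match" rule, which implicitly trusts a whole /16, and an explicit trusted-network list that only contains the real LAN. It also models what answering YES to the DHCP prompt described in the editor's note does to that list.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample values (not from the advisory): the protected host's
# public address and the only network it should actually trust, its own LAN.
HOST_IP = ipaddress.IPv4Address("123.123.45.67")
LAN = ipaddress.IPv4Network("192.168.1.0/24")

# Constructed sample peers: a scanner in the same /16 as the host, a LAN
# neighbour, and an unrelated Internet host.
SAMPLE_PEERS = ["123.123.200.1", "192.168.1.10", "198.51.100.7"]


def legacy_zone(peer: str, host: ipaddress.IPv4Address = HOST_IP) -> str:
    """Classify a peer the way the report describes: any address sharing the
    host's first two octets (a /16) is treated as the Local Zone."""
    p = ipaddress.IPv4Address(peer)
    return "local" if p.packed[:2] == host.packed[:2] else "internet"


def cidr_zone(peer: str, trusted: Iterable[ipaddress.IPv4Network]) -> str:
    """Classify a peer against an explicit list of trusted networks; anything
    not in the list is Internet Zone."""
    p = ipaddress.IPv4Address(peer)
    return "local" if any(p in net for net in trusted) else "internet"


def trusted_after_dhcp(trusted: Iterable[ipaddress.IPv4Network],
                       offer_ip: str, offer_mask: str,
                       accept: bool) -> List[ipaddress.IPv4Network]:
    """Model the DHCP prompt from the editor's note: if the user accepts,
    the DHCP-provided subnet (address plus mask) is added to the trusted list."""
    new = list(trusted)
    if accept:
        # strict=False masks off the host bits, so 123.123.45.67/255.255.0.0
        # becomes the network 123.123.0.0/16.
        new.append(ipaddress.IPv4Network(f"{offer_ip}/{offer_mask}", strict=False))
    return new


def wrongly_trusted(peers: Iterable[str],
                    trusted: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Peers that a trust list admits to the Local Zone although they are not
    on the real LAN. A non-empty result means the trust list is too broad."""
    trusted = list(trusted)
    return [p for p in peers
            if cidr_zone(p, trusted) == "local"
            and ipaddress.IPv4Address(p) not in LAN]


def trusted_host_count(trusted: Iterable[ipaddress.IPv4Network]) -> int:
    """Total number of addresses the trust list admits to the Local Zone."""
    return sum(net.num_addresses for net in trusted)


if __name__ == "__main__":
    for peer in SAMPLE_PEERS:
        print(f"{peer:>15}: first-two-octet rule -> {legacy_zone(peer):8} "
              f"LAN-only list -> {cidr_zone(peer, [LAN])}")

    # The ISP's DHCP offer: answering YES trusts the whole /16.
    yes = trusted_after_dhcp([LAN], "123.123.45.67", "255.255.0.0", accept=True)
    no = trusted_after_dhcp([LAN], "123.123.45.67", "255.255.0.0", accept=False)
    print("accept DHCP subnet:", trusted_host_count(yes), "addresses trusted;",
          "wrongly trusted:", wrongly_trusted(SAMPLE_PEERS, yes))
    print("decline DHCP subnet:", trusted_host_count(no), "addresses trusted;",
          "wrongly trusted:", wrongly_trusted(SAMPLE_PEERS, no))
```

Running it shows the same outcome from either path: the "first two octets" rule and an accepted /16 DHCP subnet both put the 123.123.200.1 scanner in the Local Zone, while a trust list restricted to the real LAN leaves it in the Internet Zone. The `wrongly_trusted` check is the kind of audit a defender can run against any host firewall's trusted-network list to spot an ISP subnet that was accepted by mistake.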

Cause:   State error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (XP)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 8 2001 ZoneLabs ZoneAlarm Pro Desktop Firewall Software May Apply the Wrong Security Settings in Certain Cases

Source Message Contents

Date:  13 Nov 2001 00:36:58 -0000
Subject:  Re: ZoneAlarm Pro Local Internet not only Locally!

Mailer: SecurityFocus
In-Reply-To: <000001c16693$de35fbb0$5241bbd4@www>


As a technical support engineer for ZoneLabs I just 
wanted to let all of you know that this report is 
missing something important.

ZoneAlarm has two zones, the internet and the local 
zone.  Any networks which are checked in the local 
zone are considered trusted, and all network traffic 
from those addresses will be allowed through the 

As an end-user it is EXTREMELY important you only 
add addresses to your local zone that you trust.  This 
would be your LAN addresses and no others.

ZoneAlarm Pro asks you if you would like to trust the 
network you connect to whenever you get DHCP 
from a new DHCP server.  If you are connected to 
the internet answer NO to this question when it 
comes up.

If you follow these guidelines you will not be open as 
described below.

Best regards,
Zone Labs Support

>ZoneAlarm Pro is a firewall for Windows home-users.
>The following was tested with ZoneAlarm Pro latest version: 2.6.357
>I'm not sure if it also works with the free version but I can't imagine
>why it wouldn't.
>Similar to Internet Explorer, ZoneAlarm Pro (ZAP) has security settings
>for Local and Internet.
>However ZAP in certain cases classifies connections as Local when they
>really aren't Local. All connections that have the same 2 octets as your
>IP (ex. Your ip -> 123.123.*.*) are also considered
>This means everyone with the same first two octets of your IP can
>connect to your computer under local level security settings instead of
>the internet level security settings.
>With default settings this will expose your computer and all its ports
>plus opening and allow access to windows services and shares. Users can
>customize local level security to allow (and block) whatever they want.
>How did I discover this?
>I installed a webserver and asked some friends to view some pages but
>they weren't able to connect. Zone Alarm Pro blocked the http port, I
>found out. But this surprised me since I viewed my http.acces and
>http.error logfile before I enabled port 80 in ZAP and already had a lot
>of requests from servers infected with Nimda. After looking at the IP's
>the first two octets were all the same.. the same as
>Philip Wagenaar
>The Netherlands


Copyright 2017, LLC