(Vendor Responds) Re: IP Filter Packet State Error May Let Remote Users Deny Service
SecurityTracker Alert ID: 1005895
SecurityTracker URL: http://securitytracker.com/id/1005895
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 7 2003
Impact: Denial of service via network
Vendor Confirmed: Yes
Version(s): 3.4.30, 3.4.29 (400)
Description:
A denial of service vulnerability was reported in the IP Filter firewall software. A remote user may be able to deny service to firewall users.
It is reported that a remote user can send a TCP packet with the ACK bit set without a preceding SYN packet. If that TCP packet carries a bad checksum, IP Filter will reportedly add an "ESTABLISHED" session to the state table with a time-to-live of 120 hours. A remote user can exploit this to consume all available sessions and prevent the firewall from processing new sessions.
A demonstration exploit transcript is provided in the Source Message.

Impact:
A remote user can cause the firewall's state table to fill up, preventing new connections.
Solution:
The vendor has responded to indicate that the described behavior only occurs when using "keep state" rules without "flags S", a practice that is discouraged.
The vendor adds that this is not a problem specific to IP Filter, but rather, is a general known limitation of using state tables with limited resources. However, the vendor notes that this will be "more properly addressed" in future versions of IP Filter.
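The vendor's advice above, shown as an added illustration that is not part of this advisory or of the IPFilter distribution: a "keep state" rule written without "flags S", which lets a stray ACK create a state table entry, beside the same rule restricted to SYN-only packets so that only a genuine connection open creates state. The interface name (fxp0) and the service port (22) are assumed values.

```conf
# Added example, not from the advisory or the IPFilter distribution.
# Interface (fxp0) and service port (22) are assumed values.

# Weak: any matching TCP packet, including a lone ACK with no prior SYN,
# creates a state table entry. This is the configuration the vendor says
# the reported behaviour requires.
pass in quick on fxp0 proto tcp from any to any port = 22 keep state

# Corrected: only a packet with the SYN flag set (a real connection open)
# may create state. A bare ACK does not match this rule and falls through
# to the default block below instead of occupying a state slot.
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
block in quick on fxp0 all
```

With the corrected rule in place, the state table only grows by one entry per accepted connection open. `ipfstat -s` reports the state table statistics; a count sitting at the table maximum while new connections fail is the symptom the advisory describes.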
Vendor URL: coombs.anu.edu.au/ipfilter/ip-filter.html
Cause:
State error

Underlying OS:
Linux (Any), UNIX (Any)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Tue, 7 Jan 2003 09:58:18 +1100 (Australia/ACT)
Subject: Re: ipfilter denial of service problem
In some mail from Yiming Gong, sie said:
>
> Below is an ipfilter security issue, and my previous mail to author
> Darren was bounced back, so I think maybe I should mail it to this
> mailing list.
Actually, you consistently sent email to the wrong place, in the wrong
manner. There's an email address posted on IPFilter's web page, along
with in the distribution that you could have (and did not) send email to
about this.
> Overview
> --
> Anytime ipfilter sees a packet with ACK bit set without the previous SYN,
> it will mark it as TCPS_ESTABLISHED in its state table,
This only happens if you are using "keep state" rules without "flags S"
and that is something that I (and others) actively discourage people
from doing, in general unless they are doing it for a specific reason.
> and as
> ipfilter will soon notice the RESET packet sent back by the system
> application, it will then change its ttl in the state table to 1 minute. OK,
> it's good.
>
> But if an attacker sends a packet with ACK bit set and bad checksum, ipfilter
> will happily add an "ESTABLISHED" session into its state table which
> will wait 120 hours to time out instead of the normal 1 minute!
>
> So using this way an evil guy can easily destroy the network
> connection of any system with ipfilter installed in a few minutes!
This is not an IPFilter problem, per se, but a known limitation of
using any limited resource to allocate state table sessions and is
not anything new to me (at least). In fact you don't even need to
use that particular packet sequence to do it. This is being more
properly addressed in upcoming versions of IPFilter.
Presently, in order to combat this, IPFilter will go to more effort
to free up state table entries if it detects the table is full.
Darren