Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
(Vendor Disputes Claim) Re: ZoneAlarm Network Connectivity Can Be Blocked By Remote Users Sending Multiple UDP Packets
SecurityTracker Alert ID: 1007626|
SecurityTracker URL: http://securitytracker.com/id/1007626
(Links to External Site)
Date: Sep 4 2003
Denial of service via network|
Version(s): 3.7.202, 4.0|
A denial of service vulnerability was reported in ZoneAlarm. A remote user can send UDP packets to the target system to cause the system's network connectivity to become unavailable.|
It is reported that a remote user can send a series of UDP packets to multiple UDP ports on the target system to cause the target system to become unreachable. The system will reportedly be unreachable for the duration of the attack. The packet rate required to deny service was not reported.
A demonstration exploit script was provided in the Source Message [of the original report -- see the Message History].
The vendor has reportedly attempted to reproduce the claim without success. Zone Labs said that they tested the original author's Perl script on several hosts and at a variety of network speeds. The vendor observed a "somewhat higher" CPU utilization when the exploit script was running, but did not observe any denial of service conditions, even when tested via a 100 Mbps network.
A remote user can reportedly cause the target system to become unavailable. However, the vendor disputes this claim and has been unable to reproduce the described impact.|
The vendor states that the product is not vulnerable.|
Vendor URL: www.zonelabs.com/ (Links to External Site)
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: 3 Sep 2003 19:43:21 -0000|
Subject: Re: ZoneAlarm remote Denial Of Service exploit
ZONE LABS SECURITY ADVISORY
DENIAL OF SERVICE REPORT
Zone Labs has found no evidence that, under real-world conditions, its
products are vulnerable to the Denial of Service attack described by
HackologyTeam@yahoo.com at the BugTraq site and mailing list. There is
also no evidence that Zone Labs products are vulnerable to the similar
attack described by firstname.lastname@example.org in the follow-up post to BugTraq.
Date Published: September 3, 2003
EFFECT ON ZONE LABS USERS
Little or none.
ZONE LABS PRODUCTS
Zone Labs tests do not show that computers employing Zone Labs Integrity™,
ZoneAlarm® Pro, ZoneAlarm Plus, and ZoneAlarm security products are
vulnerable to this attack in real-world situations.
This Denial of Service (DoS) attempt sends a barrage of UDP packets to a
PC protected with ZoneAlarm 3.7 or ZoneAlarm Pro 4.0. The vulnerability
reporter claims that this packet flood causes the target PC to hang. Zone
Labs' testing did NOT show this under real-world conditions (described
below). In the vulnerability report, the attacker included the Perl script
to launch the attack. Other important information, such as type of PC and
connection speed, was not specified.
Because the initial report lacked important information, Zone Labs tested
the Perl script on multiple PCs with a variety of network speeds. We were
unable to replicate the results the testers claim. We noted the following
1) While we have seen a somewhat higher CPU usage and related slow-down on
the target machine, we have not seen anything resembling a DoS attack. The
largest slowdown occurred on a direct computer-to-computer 100-MBit
network. Even in that setup, we never observed a complete freeze under any
conditions. (Nor were other methods of UDP flooding effective.) For a
real-world DoS attack to succeed, it would need to be effective at much
slower connection speeds more typical for Internet connections (for
example, 1.5-MBit for a T1 or DSL connection).
2) Zone Labs Integrity, ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro were
not disabled as a result of the attacks, and the security of the test
machines was never compromised by the attempted DoS attack. Once the
attempted attacks stopped, the CPU usage went down to normal levels
Install any Zone Labs product to protect against UDP-flood attacks. Zone
Labs' tests did not show a Denial of Service result. We will be addressing
the relatively minor performance issues in upcoming releases. Note that in
the typical definition of a Denial of Service attack, the target is a
server PC (whose service is thus denied). ZoneAlarm, ZoneAlarm Plus, and
ZoneAlarm Pro are not designed to protect server platforms. The following
supported platform list applies to Zone Labs products:
BugTraq posting: http://www.securityfocus.com/archive/1/335830/2003-08-
This report first appeared on the BugTraq vulnerability list. Zone Labs
adheres to the vulnerability disclosure guidelines found at
http://www.wiretrip.net/rfp/policy.html. These guidelines specify
informing a vendor before public disclosure of a possible vulnerability,
so a security fix may be created to protect users before malicious
software takes advantage of the exploit. We encourage all vulnerability
reporters to follow the same procedure. To report a vulnerability, please
send an email to email@example.com.
Zone Labs customers who are concerned about this issue or have additional
technical questions may reach our Technical Support group at:
COPYRIGHT (c) 2003 by Zone Labs Incorporated
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Zone Labs. Reprinting the
whole or part of this alert in any medium other than electronically
requires permission from Zone Labs.
># Overview :
># ZoneAlarm is a firewall software
># package designed for Microsoft Windows
># operating systems that blocks intrusion
># attempts, trusted by millions, and has
># advanced privacy features like worms,
># Trojan horses, and spyware protection.
># ZoneAlarm is distributed and maintained
># by Zone Labs.http://www.zonelabs.com
># Details :
># ZoneAlarm was found vulnerable to a
># serious vulnerability leading to a
># remote Denial Of Service condition due
># to failure to handle udp random
># packets, if an attacker sends multiple
># udp packets to multiple ports 0-65000,
># the machine will hang up until the
># attacker stop flooding.
Go to the Top of This SecurityTracker Archive Page