SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Firewall)  >   ZoneAlarm Vendors:   Zone Labs
(Vendor Disputes Claim) Re: ZoneAlarm Network Connectivity Can Be Blocked By Remote Users Sending Multiple UDP Packets
SecurityTracker Alert ID:  1007626
SecurityTracker URL:  http://securitytracker.com/id/1007626
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 4 2003
Impact:   Denial of service via network

Version(s): 3.7.202, 4.0
Description:   A denial of service vulnerability was reported in ZoneAlarm. A remote user can send UDP packets to the target system to cause the system's network connectivity to become unavailable.

It is reported that a remote user can send a series of UDP packets to multiple UDP ports on the target system to cause the target system to become unreachable. The system will reportedly be unreachable for the duration of the attack. The packet rate required to deny service was not reported.

A demonstration exploit script was provided in the Source Message [of the original report -- see the Message History].

The vendor has reportedly attempted to reproduce the claim without success. Zone Labs said that they tested the original author's Perl script on several hosts and at a variety of network speeds. The vendor observed a "somewhat higher" CPU utilization when the exploit script was running, but did not observe any denial of service conditions, even when tested via a 100 Mbps network.
Impact:   A remote user can reportedly cause the target system to become unavailable. However, the vendor disputes this claim and has been unable to reproduce the described impact.
Solution:   The vendor states that the product is not vulnerable.
Vendor URL:  www.zonelabs.com/ (Links to External Site)
Cause:   Not specified
Underlying OS:   Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 2 2003 ZoneAlarm Network Connectivity Can Be Blocked By Remote Users Sending Multiple UDP Packets


 Source Message Contents
Date:  3 Sep 2003 19:43:21 -0000
Subject:  Re: ZoneAlarm remote Denial Of Service exploit


In-Reply-To: <20030902145734.2258.qmail@sf-www3-symnsj.securityfocus.com>

ZONE LABS SECURITY ADVISORY
DENIAL OF SERVICE REPORT

OVERVIEW
Zone Labs has found no evidence that, under real-world conditions, its 
products are vulnerable to the Denial of Service attack described by 
HackologyTeam@yahoo.com at the BugTraq site and mailing list. There is 
also no evidence that Zone Labs products are vulnerable to the similar 
attack described by sprog@online.ru in the follow-up post to BugTraq. 

Date Published: September 3, 2003

EFFECT ON ZONE LABS USERS
Little or none. 

ZONE LABS PRODUCTS
Zone Labs tests do not show that computers employing Zone Labs Integrity™, 
ZoneAlarm® Pro, ZoneAlarm Plus, and ZoneAlarm security products are 
vulnerable to this attack in real-world situations.

DESCRIPTION
This Denial of Service (DoS) attempt sends a barrage of UDP packets to a 
PC protected with ZoneAlarm 3.7 or ZoneAlarm Pro 4.0. The vulnerability 
reporter claims that this packet flood causes the target PC to hang. Zone 
Labs' testing did NOT show this under real-world conditions (described 
below). In the vulnerability report, the attacker included the Perl script 
to launch the attack. Other important information, such as type of PC and 
connection speed, was not specified.

IMPACT
Because the initial report lacked important information, Zone Labs tested 
the Perl script on multiple PCs with a variety of network speeds. We were 
unable to replicate the results the testers claim. We noted the following 
results: 

1) While we have seen a somewhat higher CPU usage and related slow-down on 
the target machine, we have not seen anything resembling a DoS attack. The 
largest slowdown occurred on a direct computer-to-computer 100-MBit 
network. Even in that setup, we never observed a complete freeze under any 
conditions. (Nor were other methods of UDP flooding effective.) For a  
real-world DoS attack to succeed, it would need to be effective at much 
slower connection speeds more typical for Internet connections (for 
example, 1.5-MBit for a T1 or DSL connection).

2) Zone Labs Integrity, ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro were 
not disabled as a result of the attacks, and the security of the test 
machines was never compromised by the attempted DoS attack. Once the 
attempted attacks stopped, the CPU usage went down to normal levels 
immediately. 

RECOMMENDED ACTIONS
Install any Zone Labs product to protect against UDP-flood attacks. Zone 
Labs' tests did not show a Denial of Service result. We will be addressing 
the relatively minor performance issues in upcoming releases. Note that in 
the typical definition of a Denial of Service attack, the target is a 
server PC (whose service is thus denied). ZoneAlarm, ZoneAlarm Plus, and 
ZoneAlarm Pro are not designed to protect server platforms. The following 
supported platform list applies to Zone Labs products: 
http://www.zonelabs.com/store/content/support/znalmGeneralFAQ.jsp#9general

RELATED RESOURCES
BugTraq posting: http://www.securityfocus.com/archive/1/335830/2003-08-
30/2003-09-05/0

CREDITS
This report first appeared on the BugTraq vulnerability list. Zone Labs 
adheres to the vulnerability disclosure guidelines found at 
http://www.wiretrip.net/rfp/policy.html. These guidelines specify 
informing a vendor before public disclosure of a possible vulnerability, 
so a security fix may be created to protect users before malicious 
software takes advantage of the exploit. We encourage all vulnerability 
reporters to follow the same procedure. To report a vulnerability, please 
send an email to security@zonelabs.com.

CONTACT
Zone Labs customers who are concerned about this issue or have additional 
technical questions may reach our Technical Support group at: 
http://www.zonelabs.com/store/content/support/support.jsp. 

COPYRIGHT (c) 2003 by Zone Labs Incorporated
Permission to redistribute this alert electronically is granted as long as 
it is not edited in any way unless authorized by Zone Labs. Reprinting the 
whole or part of this alert in any medium other than electronically 
requires permission from Zone Labs.


>
>
>
># Overview : 
>#
># ZoneAlarm is a firewall software
># package designed for Microsoft Windows 
># operating systems that blocks intrusion 
># attempts, trusted by millions, and has 
># advanced privacy features like worms, 
># Trojan horses, and spyware protection. 
># ZoneAlarm is distributed and maintained 
># by Zone Labs.http://www.zonelabs.com
>#
># Details :
>#
># ZoneAlarm was found vulnerable to a
># serious vulnerability leading to a
># remote Denial Of Service condition due 
># to failure to handle udp random 
># packets, if an attacker sends multiple 
># udp packets to multiple ports 0-65000, 
># the machine will hang up until the
># attacker stop flooding.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC