SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   Sygate Personal Firewall Vendors:   Sygate
Sygate Personal Firewall Fails to Block or Log Packets With a Certain Spoofed Source Address
SecurityTracker Alert ID:  1005227
SecurityTracker URL:  http://securitytracker.com/id/1005227
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 16 2002
Impact:   Host/resource access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.0
Description:   A vulnerability was reported in the Sygate Personal Firewall. A remote user could attack the firewall without the attack being logged by the firewall.

NSSI-Research Labs issued an advisory warning that the firewall fails to properly process inbound packets with a source address of the loopback interface (127.0.0.1) or any source address from 127.0.0.1 - 127.0.0.255. It is reported that connections from these addresses are not blocked by the firewall or logged by the firewall in the default configuration.

The vendor has reportedly been notified.

Impact:   A remote user can send packets to the system with a spoofed source address. The packets are not blocked and are not logged in the default configuration.
Solution:   No solution was available at the time of this entry. The vendor is reportedly planning to issue a fix.

The author of the message has provided the following workaround:

Block source address 127.0.0.1 or the 127.0.0.0 network address manually in the Advance rules section.

Vendor URL:  soho.sygate.com/products/pspf_ov.htm (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] NSSI-2002-sygatepfw5: Sygate Personal Firewall IP Spoofing


NSSI-Research Labs Security Advisory

http://www.nssolution.com (Philippines / .ph)
"Maximum e-security"

http://nssilabs.nssolution.com

Sygate Personal Firewall 5.0 IP Spoofing Vulnerability

Author: Abraham Lincoln Hao / SunNinja

e-Mail: abraham@nssolution.com / SunNinja@Scientist.com

Advisory Code: NSSI-2002-sygatepfw5

Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a / Win2K Professional

Vendor Status:  Vendor already accepted the vulnerability and they will be releasing new version to Patch the vulnerability

Vendors website: http://www.sygate.Com
Severity: High

Overview:
     Sygate Personal Firewall 5.0 is a host-based Firewall designed to protect your PC against attacks from both the Internet, and
 other computers in the local network.

    Sygate Personal Firewall 5.0 for windows platform contains IP Spoofing vulnerability.  These vulnerability could allow an attacker
 with a source IP of 127.0.0.1 to Attack the host protected by Sygate Personal firewall without being detected. Sygate Personal firewall
 is having problem detecting incoming traffic with source ip 127.0.0.1 (loopback address) 
Details:

Test diagram:
   [*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch===> [Host with SPF] 
 1]  IP Spoofing Vulnerability Default Installation

    - SPF is vulnerable with IP Spoofing attack by Scanning the host with a source ip address 127.0.0.1 or network address 127.0.0.0.
 The Attacker could scan or attack the target host without being detected by the personal firewall. This vulnerability is very serious
 w/c an attacker could start a Denial of Service attack against the spf protected host and launch any form of attack.
    - To those who wants to try to simulate the vulnerability, you may use source address 127.0.0.1 - 127.0.0.255 ;)

Workaround:

1] Set the SPF to BLOCK ALL mode setting which i don't think the user would do ;) This type of setting would block everything all
 incoming request and outgoing.

2] Block source address 127.0.0.1 or 127.0.0.0 network address manually in  Advance rules section. 

Any Questions? Suggestions? or Comments? let us know. (Free your mind)

e-mail: nssilabs@nssolution.com / abraham@nssolution.com / infosec@nssolution.com

greetings:
   nssilabs team bring the heat! ;) Lawless the saint ;), dig0, b45h3r, jethro,   mr. d.f.a, p1x3lb0y, rj45-gu1t4rgawd and to our
 webmaster raymund (R2/D2)



-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC