


Category:   Application (Firewall)  >   SecureWay Firewall
Vendors:   IBM
IBM SecureWay Firewall Can Be Hung By Remote Users Sending a Flood of Malformed TCP Packets
SecurityTracker Alert ID:  1005330
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 2 2002
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 4.2.x, prior to 4.2.2
Description:   A vulnerability was reported in IBM's SecureWay Firewall. A remote user can cause the firewall to hang.

SecuriTeam reported that a remote user can send a flood of malformed TCP packets with the TCP flags set to zero to cause the firewall to consume all available CPU resources. This can cause the firewall to stop responding to requests.

SecuriTeam credits Mauro Flores with reporting the flaw.
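
One way to spot the traffic pattern described above, as an added example that is not part of the original advisory or any vendor code: it parses raw IPv4/TCP headers and counts packets whose flag bits are all zero. The function names, the threshold and the sample packets (documentation address ranges) are assumptions constructed for illustration.

```python
import struct
from collections import Counter

FLAG_MASK = 0x3F  # FIN, SYN, RST, PSH, ACK, URG (the six classic TCP flags)

def tcp_flags(packet: bytes):
    """Return (src_ip, flags) for an IPv4/TCP packet, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                           # bad IHL, not TCP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                           # later fragment: no TCP header here
    src = ".".join(str(b) for b in packet[12:16])
    return src, packet[ihl + 13] & FLAG_MASK  # flags byte is at TCP offset 13

def null_flag_summary(packets, threshold):
    """Return (total null-flag packets, {src: count} for sources >= threshold)."""
    counts = Counter()
    for pkt in packets:
        parsed = tcp_flags(pkt)
        if parsed and parsed[1] == 0:         # no flag set: never valid TCP
            counts[parsed[0]] += 1
    heavy = {src: n for src, n in counts.items() if n >= threshold}
    return sum(counts.values()), heavy

def build_packet(src, dst, flags):
    """Constructed sample IPv4/TCP packet (checksums left zero, test data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

# Constructed capture: one source sending 500 zero-flag packets, plus a second
# source sending a SYN, an ACK and a single stray zero-flag packet.
SAMPLE = ([build_packet("198.51.100.7", "192.0.2.1", 0x00)] * 500
          + [build_packet("203.0.113.9", "192.0.2.1", 0x02),
             build_packet("203.0.113.9", "192.0.2.1", 0x10),
             build_packet("203.0.113.9", "192.0.2.1", 0x00)])

if __name__ == "__main__":
    total, heavy = null_flag_summary(SAMPLE, threshold=100)
    print(f"null-flag packets: {total}, sources over threshold: {heavy}")
```

The total matters as much as the per-source view, since the source message below calls the flood packets forged and the source addresses may not be real.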

Impact:   A remote user can cause the firewall to hang.
Solution:   The vendor has released a fixed version (4.2.2) and has also released an APAR (IR49046) with 'fwaixfilter4_421d.tar'. More information is available at:

Vendor URL: (Links to External Site)
Cause:   Exception handling error
Underlying OS:  UNIX (AIX)

Message History:   None.

 Source Message Contents

Subject:  [UNIX] Flood ACK Packets Cause an IBM SecureWay Firewall to Hang

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site:

  Flood ACK Packets Cause an IBM SecureWay Firewall to Hang


SecureWay is a robust Firewall product developed by IBM that works under 
the AIX and Windows platforms. It is not a full-fledged stateful packet 
filter, but more like a stateful-inspection with connection-centric 
deterministic-filtering firewall.

A security problem in the Firewall has been identified. Whenever a flood 
of malformed TCP packets reaches the SecureWay Firewall, it will be no 
longer able to respond to legitimate requests (due to high CPU resources 
consumption). Due to the nature of this attack, a large portion of 
bandwidth is required.


Vulnerable systems:
 * SecureWay 4.2.x on AIX

When an all zeroed flags TCP packet is sent to the SecureWay Firewall, the 
firewall will take a large amount of processing time for it to determine 
that the packet is in fact invalid. Because of this, a flood of such 
forged packets will consume a large amount of resources leading to a denial 
of service attack.

Vendor Response:
IBM was contacted on July 14, 2002. The vendor confirmed the problem and 
released a fix.

Corrective Action:
Update to SecureWay Firewall 4.2.2 version or install APAR IR49046.


The information has been provided by Mauro 

