Symantec Enterprise Firewall (Raptor Firewall) Secure Web Proxy Lets Remote Users Cause Denial of Service Conditions
SecurityTracker Alert ID: 1005414|
SecurityTracker URL: http://securitytracker.com/id/1005414
(Links to External Site)
Updated: Dec 15 2003|
Original Entry Date: Oct 15 2002
Denial of service via network|
Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 6.5, 6.5.2, 6.5.3, 7.0|
A denial of service vulnerability was reported in a component of the Symantec Enterprise Firewall. A remote user can prevent users from accessing the secure web proxy.|
A vulnerability was reported in a secure web server ("Simple, Secure Web Server 1.1") shipped with various Symantec firewall products. A remote user can connect to the proxyserver and issue an HTTP-style CONNECT to a domain with a missing or flawed DNS server. The web server will apparently wait for a timeout and will not process subsequent requests until the timeout occurs.
A remote user can cause denial of service conditions on the web server proxy.|
No solution was available at the time of this entry. The vendor is reportedly working on a patch.|
Vendor URL: enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=9674250&EID=0 (Links to External Site)
Resource error, State error|
Source Message Contents
Subject: Multiple Symantec Firewall Secure Webserver timeout DoS|
Advanced IT-Security Advisory #01-10-2002
Multiple Symantec Firewall Secure Webserver timeout DoS
There exists a problem in "Simple, secure webserver 1.1" which is shipped with numerous Symantec firewalls, in which an attacker can
connect to the proxyserver from the outside, and issue a HTTP-style
CONNECT to a domain with a missing, or flawed DNS-server. The "Simple, secure webserver 1.1" appears to wait for a timeout contacting
the DNS server, and while doing so the software does not fork and
thereby queues or drops all requests coming from other clients. The timeout usually last up to 300 seconds. Sending subsequent requests
for other hostnames in the same flawed domain will force the
Simple, secure webserver 1.1 to stop processing requests for a long time.
The exploit works regardless if the domainname in question is allowed or not in the ACL.
Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300
Apply official patch from Symantec
Apply official patch from Symantec, or disable Simple, secure webserver.
Symantec was contacted 22. August 2002. Symantec promptly tested and confirmed our findings, and immediately started working on a
patch for their customerbase.