SecurityTracker.com
Category:   Application (Firewall)  >   Symantec Enterprise Firewall (Raptor)
Vendors:   Symantec
Symantec Enterprise Firewall (Raptor Firewall) Secure Web Proxy Lets Remote Users Cause Denial of Service Conditions
SecurityTracker Alert ID:  1005414
SecurityTracker URL:  http://securitytracker.com/id/1005414
CVE Reference:   CVE-2002-0990
Updated:  Dec 15 2003
Original Entry Date:  Oct 15 2002
Impact:   Denial of service via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 6.5, 6.5.2, 6.5.3, 7.0
Description:   A denial of service vulnerability was reported in a component of the Symantec Enterprise Firewall. A remote user can prevent users from accessing the secure web proxy.

A vulnerability was reported in a secure web server ("Simple, Secure Web Server 1.1") shipped with various Symantec firewall products. A remote user can connect to the proxy server and issue an HTTP-style CONNECT to a domain with a missing or flawed DNS server. The web server will apparently wait for the DNS lookup to time out and will not process subsequent requests until the timeout occurs.

Impact:   A remote user can cause denial of service conditions on the web server proxy.
Solution:   No solution was available at the time of this entry. The vendor is reportedly working on a patch.
Vendor URL:  enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=9674250&EID=0
Cause:   Resource error, State error

Message History:   None.


 Source Message Contents

Subject:  Multiple Symantec Firewall Secure Webserver timeout DoS


Advanced IT-Security Advisory #01-10-2002

http://www.ai-sec.dk/

Issue:
======
Multiple Symantec Firewall Secure Webserver timeout DoS

Problem description:
====================
There exists a problem in "Simple, secure webserver 1.1" which is shipped with numerous Symantec firewalls, in which an attacker can connect to the proxy server from the outside and issue an HTTP-style CONNECT to a domain with a missing or flawed DNS server. The "Simple, secure webserver 1.1" appears to wait for a timeout contacting the DNS server, and while doing so the software does not fork and thereby queues or drops all requests coming from other clients. The timeout usually lasts up to 300 seconds. Sending subsequent requests for other hostnames in the same flawed domain will force the Simple, secure webserver 1.1 to stop processing requests for a long time.

The exploit works regardless of whether the domain name in question is allowed in the ACL or not.

Versions affected: 
==================
Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300

Workarounds:
============
Apply official patch from Symantec

Solutions:
==========
Apply official patch from Symantec, or disable Simple, secure webserver.

Patch:
======
http://www.symantec.com/techsupp

Vendor status:
==============
Symantec was contacted 22. August 2002. Symantec promptly tested and confirmed our findings, and immediately started working on a patch for their customer base.
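
Added example (not part of the advisory or of Symantec's code): a network-free Python simulation of the failure mode described above, comparing a single worker that waits on each DNS lookup with a handler that checks the ACL first, bounds each lookup and serves clients concurrently. The resolver, hostnames, ACL suffix and timing constants are constructed assumptions, with 0.3 s standing in for the roughly 300-second timeout.

```python
import asyncio
import time

SLOW = 0.3                   # scaled-down stand-in for the ~300 s DNS timeout
LOOKUP_TIMEOUT = 0.05        # assumed per-lookup budget for the hardened handler
ALLOWED = (".example.org",)  # hypothetical ACL: permitted destination suffixes
# Constructed queue: three names in a broken zone, then one legitimate request.
QUEUE = ["a.flawed.example", "b.flawed.example",
         "c.flawed.example.org", "www.example.org"]

async def resolve(host):
    """Simulated resolver (no network): 'flawed' zones never answer."""
    if "flawed" in host:
        await asyncio.sleep(SLOW)
        raise OSError("DNS timeout")
    return "192.0.2.10"      # RFC 5737 documentation address

async def handle_blocking(host):
    # Advisory's behaviour: lookup runs regardless of the ACL, with no bound.
    try:
        return await resolve(host)
    except OSError:
        return None

async def handle_hardened(host):
    if not host.endswith(ALLOWED):   # ACL before DNS: denied names cost nothing
        return None
    try:
        return await asyncio.wait_for(resolve(host), LOOKUP_TIMEOUT)
    except (OSError, asyncio.TimeoutError):
        return None

async def legit_latency(handler, concurrent):
    """Return (answer, seconds) for the last, legitimate request in QUEUE."""
    start = time.monotonic()
    if concurrent:                   # one task per client
        tasks = [asyncio.create_task(handler(h)) for h in QUEUE]
        answer = await tasks[-1]
        elapsed = time.monotonic() - start
        await asyncio.gather(*tasks)
    else:                            # single worker, one request at a time
        for host in QUEUE:
            answer = await handler(host)
        elapsed = time.monotonic() - start
    return answer, elapsed

def compare():
    return (asyncio.run(legit_latency(handle_blocking, False)),
            asyncio.run(legit_latency(handle_hardened, True)))
```

Calling compare() returns the legitimate client's answer and wait time under each model: about three lookup timeouts in the blocking case, and near zero in the hardened one.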



 
 



Copyright 2022, SecurityGlobal.net LLC