SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   ZoneAlarm Vendors:   Zone Labs
ZoneAlarm Pro Can Be Hung By Remote Users Sending TCP SYN Packets
SecurityTracker Alert ID:  1005430
SecurityTracker URL:  http://securitytracker.com/id/1005430
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 16 2002
Impact:   Denial of service via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.0, 3.1 (including 3.1.291)
Description:   A denial of service vulnerability was reported in the ZoneAlarm Pro firewall software from ZoneLabs. A remote user can cause the target host to consume all available system resources.

NSSI Technologies Research Labs reported that a remote user can send multiple TCP SYN packets to the protected host to cause the ZoneAlarm Pro to consume all available CPU and memory resources. This will cause the host to stop responding.

According to the report, a minimum of 300 TCP SYN packets sent to ports 1 - 1024 will cause the host to stop responding for the duration of the attack. This occurs even if the firewall is configured to block all traffic.

[Editor's note: The report did not indicate at what rate the SYN packets must be sent.]

The vendor has reportedly confirmed the flaw.

Impact:   A remote user can cause the target host to stop responding.
Solution:   No solution was available at the time of this entry. According to the report, the vendor is working on a fix.
Vendor URL:  www.zonelabs.com/ (Links to External Site)
Cause:   Resource error, State error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Responds) Re: ZoneAlarm Pro Can Be Hung By Remote Users Sending TCP SYN Packets
The vendor has been unable to reproduce the claims.



 Source Message Contents

Subject:  NSSI-2002-zonealarm3: ZoneAlarm Pro Denial of Service Vulnerability


NSSI Technologies Inc Research Labs Security Advisory 

http://www.nssolution.com (Philippines / .ph) 

"Maximum e-security" 

http://nssilabs.nssolution.com

ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability

Author: Abraham Lincoln Hao / SunNinja

e-Mail: abraham@nssolution.com / SunNinja@Scientist.com

Advisory Code: NSSI-2002-zonealarm3 

Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a / Win2K Professional / WinNT 4.0 workstation 

Vendor Status:  Zone Labs is already contacted 1 month ago and they informed me that they going to release an update or new version
 to patched the problem. This vulnerability is confirmed by the vendor.

Vendors website: http://www.zonelabs.com

Severity: High

Overview:

     New ZoneAlarm. Pro delivers twice the securityZone Labs award-winning, personal firewall trusted by millions, plus advanced
 privacy features. the award-winning PC firewall that blocks intrusion attempts and protects against Internet-borne threats like worms,
 Trojan horses, and spyware.   

 ZoneAlarm Pro 3.1 and 3.0  doubles your protection with enhanced Ad Blocking and expanded Cookie Control to speed up your Internet
 experience and stop Web site spying. Get protected. Compatible with Microsoft. Windows. 98/Me/NT/2000 and XP.    

    ZoneAlarm Pro 3.1.291 and 3.0  contains vulnerability that would let the attacker consume all your CPU and Memory usage that would
 result to Denial of Service Attack through sending  multiple syn packets / synflooding.  

Details:

    Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 contains a vulnerability that would let the attacker consume all your CPU and Memory usage
 that would result to Denial of Service Attack through Synflooding that would cause the machine to stop from responding. Zone-Labs
 ZoneAlarm Pro 3.1.291 and 3.0 is also vulnerable with IP Spoofing. This Vulnerabilities are confirmed from the vendor.

Test diagram:

   [*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch===> [Host with ZoneAlarm] 

 1] Tested under default install of the 2 versions after sending minimum of 300 Syn Packets to port 1-1024 the machine will hang-up
 until the attack stopped.

2] We configured the ZoneAlarm firewall both version to BLOCK ALL traffic setting after sending a minimum of 300 Syn Packets to port
  1-1024 the machine will hang-up until the attack stopped. 

Workaround:

    Disable ZoneAlarm and Hardened TCP/IP stack of your windows and Install latest Security patch.

Note: To people who's having problem reproducing the vulnerability let me know :)

Any Questions? Suggestions? or Comments? let us know. 

e-mail: nssilabs@nssolution.com / abraham@nssolution.com / infosec@nssolution.com

 

greetings:
   nssilabs team, especially to b45h3r and rj45, Most skilled and pioneers of NSSI good luck!. (mike@nssolution.com / aaron@nssolution.com),
  Lawless the saint ;), dig0, p1x3l, dc and most of all to my Lorie.  
-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC