Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Firewall)  >   ZoneAlarm Vendors:   Zone Labs
(Vendor Responds) Re: ZoneAlarm Pro Can Be Hung By Remote Users Sending TCP SYN Packets
SecurityTracker Alert ID:  1005446
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 18 2002
Impact:   Denial of service via network

Version(s): 3.0, 3.1 (including 3.1.291)
Description:   A denial of service vulnerability was reported in the ZoneAlarm Pro firewall software from ZoneLabs. A remote user can cause the target host to consume all available system resources.

NSSI Technologies Research Labs reported that a remote user can send multiple TCP SYN packets to the protected host to cause the ZoneAlarm Pro to consume all available CPU and memory resources. This will cause the host to stop responding.

According to the report, a minimum of 300 TCP SYN packets sent to ports 1 - 1024 will cause the host to stop responding for the duration of the attack. This occurs even if the firewall is configured to block all traffic.

[Editor's note: The report did not indicate at what rate the SYN packets must be sent.]

The vendor has reportedly confirmed the flaw.

Impact:   A remote user can cause the target host to stop responding.
Solution:   The vendor reports having been unable to reproduce the claims, but is continuing to test possible scenarios.

The vendor states that the described behavior is not a security vulnerability and that the described attack scenario is unrealistic.

The vendor reports finding some slow-down on very fast networks and plans to address the issue in the next product release.

For other details of the vendor's response, see the Source Message.

Vendor URL: (Links to External Site)
Cause:   Resource error, State error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 16 2002 ZoneAlarm Pro Can Be Hung By Remote Users Sending TCP SYN Packets

 Source Message Contents

Subject:  Re: NSSI-2002-zonealarm3: ZoneAlarm Pro Denial of Service

In-Reply-To: <>

We have been unable to reproduce NSSI&#8217;s findings using the information 
they supplied.  We communicated our inability to verify the test results 
to NSSI and continue to test possible scenarios.

Bottom line:  
1)	The alleged behavior does not represent a security vulnerability. 
NSSI only alleges that under very limited circumstances involving a very 
heavy SYN flood with spoofed packets, a PC protected by ZoneAlarm Pro 
might slow down.
2)	None of the alleged behavior would put user data at risk.
3)	None of the alleged behavior would cause the protected PC to crash.
4)	This attack scenario is unrealistic because according to NSSI, it 
requires that the attack comes from within a LAN behind a &#8220;10/100mbps 
switch&#8221;. According to NSSI&#8217;s report, once the attack stops, the PC 
functions normally once again. Under almost all circumstances, a common 
Internet connection (dial-up, cable or DSL connection) does not have 
enough bandwidth to trigger this inconvenience. We did find some slow-down 
on very fast networks and will address these issues in our next product 
5)	Our tests show that ZoneAlarm and ZoneAlarm Pro actually reduce 
the vulnerability to most DoS attacks significantly because our products 
prevent Windows from responding to this illegitimate traffic.
6)	Neither ZoneAlarm nor ZoneAlarm Pro are designed to protect server 
platforms.   The following supported platform list applies to both 
ZoneAlarm and ZoneAlarm Pro:
We appreciate NSSI&#8217;s efforts to track this issue and are looking forward 
to working with them as we have in the past.

Rgds, Te

Te Smith
Director, Corporate Communications
415-341-8233 (v)
415-341-8299 (f)


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC