Symantec Enterprise Firewall Buffer Overflow in RealAudio Proxy Allows Remote Users to Deny Service and Possibly Execute Arbitrary Code on the Firewall
SecurityTracker Alert ID: 1005814|
SecurityTracker URL: http://securitytracker.com/id/1005814
(Links to External Site)
Date: Dec 16 2002
Denial of service via network, Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): Raptor Firewall 6.5 (Windows NT), Raptor Firewall 6.5.3 (Solaris), Symantec Enterprise Firewall 6.5.2 (Windows NT and 2000), Symantec Enterprise Firewall 7.0 (Solaris), Symantec Enterprise Firewall 7.0 (Windows NT and 2000)|
A buffer overflow vulnerability was reported in the Symantec Enterprise Firewall in RealAudio proxy and the statistics function. A remote user can cause the proxy to crash and restart. A remote user may be able to execute arbitrary code [but that has not been confirmed].|
It is reported that Qualys discovered a flaw in the Symantec Enterprise Firewall. During a vulnerability scan, the rad (RealAudio) and statsd (statistics) services reportedly terminated due to a buffer overflow. A remote user can send malformed packets to the RealAudio Proxy to cause the proxy to restart.
SecurityFocus [owned by Symantec] reports that, although it is unconfirmed, it may be possible for a remote user to execute arbitrary code on the proxy.
A remote user can cause the proxy to restart. This could be repeated to cause a denial of service situation. A remote user may also be able to execute arbitrary code on the proxy [however, that has not been confirmed].|
The vendor has released a security hotfix, available at:|
Vendor URL: securityresponse.symantec.com/avcenter/security/Content/2002.12.12.html (Links to External Site)
|Underlying OS: UNIX (Solaris - SunOS), Windows (NT), Windows (2000)|
Source Message Contents
Subject: Symantec Enterprise Firewall: Unexpected RealAudio Service Termination|
December 12, 2002
Symantec Enterprise Firewall: Unexpected RealAudio Service Termination
Qualys, a leader in Managed Vulnerability Assessment, notified Symantec Corporation of a
problem discovered when scanning the Symantec Enterprise Firewall with their web-based
vulnerability assessment tool.
While scanning the firewall with the Qualys tool, both the rad (RealAudio) and statsd
(statistics) services unexpectedly terminated. This action produced Dr. Watson logs. Data
sent by the scan caused the RealAudio service to write past the end of a buffer,
corrupting memory. The statistics service, statsd, violated access as a result of this
action. All other services continued running.
Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300
If you are using any of the products listed above, Symantec recommends that you install
the latest security hotfix, which is available through the Symantec Enterprise Support Web
The RealAudio Proxy is written to process data in a buffer, assuming that the data follows
the expected RealAudio protocol. The problem manifests itself when packets are sent to the
RealAudio Proxy; these packets contain data that does not follow the RealAudio Protocol
and depend on the type of sent data. In the event that this problem occurs, it would cause
the firewall to restart the RealAudio Proxy. The hotfix resolves this problem by ignoring
this erroneous type of data, which makes the process not require to be restarted by the
Symantec appreciates the support of Qualys Security Research Team in identifying the areas
of concern to Symantec. If you have information on security issues regarding Symantec
products, please contact firstname.lastname@example.org.
Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not
edited in any way unless authorized by Symantec Security Response. Reprinting the whole or
part of this alert in any medium other than electronically requires permission from
The information in the advisory is believed to be accurate at the time of publishing based
on currently available information. Use of the information constitutes acceptance for use
in an AS IS condition. There are no warranties with regard to this information. Neither
the author nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered
trademarks of Symantec Corp. and/or affiliated companies in the United States and other
countries. All other registered and unregistered trademarks represented in this document
are the sole property of their respective companies/owners.
Last modified on: Friday, 13-Dec-02 14:04:04