SecurityTracker.com
SecurityTracker
Archives
Category:   Device (Intrusion Detection)  >   Attack Mitigator IPS
Vendors:   Top Layer Networks
Top Layer Attack Mitigator IPS Error Condition Lets Remote Users Deny Service
SecurityTracker Alert ID:  1011068
SecurityTracker URL:  http://securitytracker.com/id/1011068
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 26 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Model 5500; Prior to 3.11.014; Tested on 3.11.008
Description:   A vulnerability was reported in Top Layer's Attack Mitigator IPS 5500. A remote user can cause the device to stop processing network traffic.

Information Risk Management Plc. reported that a remote user can send more than 2000 concurrent HTTP requests to a network protected by the IPS 5500 to cause the target device to consume all available CPU resources. As a result, the system will no longer be able to process HTTP traffic.

The system is only vulnerable when configured so that packets traverse the device twice (where the protected segment is a stub segment), the report said.

The error condition occurs when the device incorrectly enters an overload protection mode.

The vendor was notified on July 23, 2004.

Impact:   A remote user can cause denial of service conditions on the target device.
Solution:   The vendor has issued a fixed version (3.11.014), available at:

http://www.toplayer.com/content/support/tech_assist/index.jsp

Vendor URL:  www.toplayer.com/content/products/intrusion_detection/attack_mitigator.jsp
Cause:   Resource error, State error

Message History:   None.


 Source Message Contents

Subject:  IRM 010: Top Layer Attack Mitigator IPS 5500 Denial of Service


----------------------------------------------------------------------------

IRM Security Advisory No. 010

Top Layer Attack Mitigator IPS 5500 Denial of Service

Vulnerability Type / Importance: DoS / High

Problem discovered: 	July 22nd 2004
Vendor contacted:    	July 23rd 2004
Advisory published:  	August 25th 2004

----------------------------------------------------------------------------


Abstract:

Top Layer's Attack Mitigator IPS 5500 is an ASIC-based Network Intrusion
Prevention System (NIPS), with blocking and control capabilities against
certain types of cyber attacks. The product's datasheet states that 'Top
Layer's second-generation ASIC technology and patented algorithms integrate
proven stateful analysis techniques with its new 'TopInspect' deep packet
inspection technology and industry-leading DoS attack protection to provide
comprehensive protection from Internet-based and internal threats'.

During a recent security consultancy engagement, IRM discovered that under
certain specific circumstances the Top Layer IPS 5500 series CPU usage
could reach 100% utilisation, where it would not be able to process further
network traffic, and any site protected by the device would become
inaccessible.


Description:

The system under test comprised a web server farm accessible via a load
balancer and protected by an IPS 5500 device. IRM discovered that upon
simulating more than 2000 concurrent HTTP requests to the server farm, the
IPS 5500 device reached a state where it was utilising all its CPU power
and therefore was unable to process standard HTTP traffic.


Tested Versions:

Top Layer Attack Mitigator IPS 5500 running software version 3.11.008


Vendor Response:

Top Layer was notified of this issue on July 22, 2004 by IRM.   

A bug exists in Attack Mitigator IPS 5500 software versions earlier than
V3.11.014 that could cause the IPS 5500 device to incorrectly enter an
overload protection mode and negatively impact network traffic. In extreme
cases, this can cause a denial of service condition.

The effect of this bug appears only when the IPS 5500 unit is configured in
a topology where a high volume of network packets traverse the IPS unit
twice due to a "one-armed" routing configuration.

The presence of this error condition will exhibit the following when viewing
the IPS5500 Immediate Security Report: Current System Processor Utilization
= 100% and the value for System CPU Overload Protection is non-zero.

 
Vendor & Patch Information:

Top Layer were contacted during the testing and immediately started
investigating the issue. Top Layer then updated the IPS code (to version
3.11.014) which resolved the issue during the timescales of the security
engagement.

The latest IPS 5500 software is available from Top Layer at:
http://www.toplayer.com/content/support/tech_assist/index.jsp


Workarounds:

Top Layer explained that a workaround would be to avoid deploying an IPS
5500 in "one-armed" router configurations.


Credits:

Research & Advisory: Mazin Faour, Louis Garman.   


Disclaimer:

All information in this advisory is provided on an 'as is' 
basis in the hope that it will be useful. Information Risk Management 
Plc is not responsible for any risks or occurrences caused 
by the application of this information.


----------------------------------------------------------------------------

Information Risk Management Plc.
22 Buckingham Gate 
London 
SW1E 6LB
+44 (0)207 808 6420
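A defender-side check, added here and not code from the SecurityTracker entry or the IRM advisory, that applies the two facts the advisory states: software earlier than 3.11.014 is affected, and the error condition shows in the Immediate Security Report as 'Current System Processor Utilization = 100%' together with a non-zero 'System CPU Overload Protection'. The report's text layout, the exact field spellings used for parsing, and the sample report are assumptions constructed for the example.

```python
# Added defender-side check; not code from the SecurityTracker entry or the
# IRM advisory. Encodes the advisory's two facts: versions earlier than
# 3.11.014 are affected, and the error condition shows as CPU = 100% plus a
# non-zero System CPU Overload Protection value. Report layout is assumed.
import re

FIXED_VERSION = (3, 11, 14)

def parse_version(text):
    # '3.11.008' -> (3, 11, 8): compare numerically, not as strings
    return tuple(int(p) for p in text.strip().split("."))

def is_affected_version(version):
    return parse_version(version) < FIXED_VERSION

def parse_report(report):
    # collect 'Key = Value' lines; titles and blank lines are ignored
    fields = {}
    for line in report.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def overload_condition(report):
    # both indicators named in the vendor response must be present at once
    f = parse_report(report)
    cpu = int(f.get("Current System Processor Utilization", "0").rstrip("%"))
    overload = int(f.get("System CPU Overload Protection", "0"))
    return cpu >= 100 and overload != 0

def assess(version, report):
    # combine version exposure with the live indicators into one verdict
    affected = is_affected_version(version)
    overloaded = overload_condition(report)
    if affected and overloaded:
        verdict = "affected version showing the overload error condition"
    elif affected:
        verdict = "affected version; upgrade to 3.11.014 or later"
    elif overloaded:
        verdict = "overload indicators on a fixed version; investigate load"
    else:
        verdict = "no indicator"
    return {"affected_version": affected, "overload_condition": overloaded, "verdict": verdict}

# Constructed sample report (layout assumed, not captured from a device).
SAMPLE_REPORT = """Immediate Security Report
Current System Processor Utilization = 100%
System CPU Overload Protection = 17
"""
```

Running `assess("3.11.008", SAMPLE_REPORT)` reproduces the tested-version case from the advisory; feed it the live report text and running version to turn the vendor's two indicators into a monitoring alert.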


Copyright 2022, SecurityGlobal.net LLC