Astaro Security Gateway Lets Remote Users Deny Service and Potentially Bypass Security Scanning
SecurityTracker Alert ID: 1018543|
SecurityTracker URL: http://securitytracker.com/id/1018543
(Links to External Site)
Date: Aug 9 2007
Denial of service via network, Host/resource access via network|
Exploit Included: Yes |
A vulnerability was reported in Astaro Security Gateway. A remote user can cause denial of service conditions. A remote user may be able to bypass security scanning in certain cases.|
A remote user can cause excessive CPU consumption on the target device.
A remote user can send a specially crafted attachment that is larger than the attachment size limit, the POP3 proxy may allow the attachment to pass without being scanned.
William Warren reported this vulnerability.
The original advisory is available at:
A remote user can cause denial of service conditions.|
A remote user may be able to bypass security scanning.
No solution was available at the time of this entry.|
Vendor URL: www.astaro.com/ (Links to External Site)
Access control error, Exception handling error|
Source Message Contents
Subject: DOS issue in Astaro Version 7 packet filter reporting, POSSIBLE|
I have details about the DOS issue on my blog with links to the Astaro
ALL Version 7 systems.
This is easily reproducible. Just setup a BT client behind the astaro
and do not setup a packetfilter and NAT rule for the BT traffic. This
way all the incoming return traffic is blocked. Go download something
like the Centos DVD torrent. Some machine(like mine) are easy to bring
down. Others take a time longer. The pfilter-repoter.pl file will peg
the cpu for an exorbitant amount of time. Before 7.006 it would take
the machine offline. 7.006 partially mitigates in my testing but not fully.
For the pop3 Proxy if you set an attachment size limit, any attachments
over that size are NOT scanned and allowed to pass through instead of
These are not critical events but are issues nonetheless.
My "Foundation" verse:
Isa 54:17 No weapon that is formed against thee shall prosper; and
every tongue that shall rise against thee in judgment thou shalt
condemn. This is the heritage of the servants of the LORD, and their
righteousness is of me, saith the LORD.
-- carpe ductum -- "Grab the tape"
CDTT (Certified Duct Tape Technician)
Linux user #322099