Date: Mon, 14 Oct 2002 12:06:48 -0700
From: AI-SEC Security Advisories <advisories@ai-sec.dk.>
To: [email protected]Subject: Multiple Symantec Firewall Secure Webserver timeout DoS
Advanced IT-Security Advisory #01-10-2002
http://www.ai-sec.dk/
Issue:
======
Multiple Symantec Firewall Secure Webserver timeout DoS
Problemdescription:
There exists a problem in "Simple, secure webserver 1.1" which is shipped with numerous Symantec firewalls, in which an attacker can connect to the proxyserver from the outside, and issue a HTTP-style
CONNECT to a domain with a missing, or flawed DNS-server. The "Simple, secure webserver 1.1" appears to wait for a timeout contacting the DNS server, and while doing so the software does not fork and
thereby queues or drops all requests coming from other clients. The timeout usually last up to 300 seconds. Sending subsequent requests for other hostnames in the same flawed domain will force the
Simple, secure webserver 1.1 to stop processing requests for a long time.
The exploit works regardless if the domainname in question is allowed or not in the ACL.
Versions affected:
Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300
Workarounds:
============
Apply official patch from Symantec
Solutions:
==========
Apply official patch from Symantec, or disable Simple, secure webserver.
Patch:
======
http://www.symantec.com/techsupp
Vendorstatus:
=============
Symantec was contacted 22. August 2002. Symantec promptly tested and confirmed our findings, and immediately started working on a patch for their customerbase.
