Date: 25 Apr 2004 19:16:43 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [NT] Symantec Multiple Firewall TCP Options Denial Of Service Condition
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Symantec Multiple Firewall TCP Options Denial Of Service Condition
------------------------------------------------------------------------
SUMMARY
<http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=154> Symantec Client Security provides "integrated AntiVirus, firewall, and intrusion detection capabilities managed through a central console to provide better and proactive protection against today's evolving blended threats, such as Blaster. The solution provides critical end-point security to prevent intrusions from entering or spreading from connected and non-connected remote and mobile users, as well as from critical systems."
A denial-of-service condition was found in Symantec's Client Firewall
products. A remote attacker is able to render a system inoperable with a
single TCP packet.
DETAILS
Vulnerable Systems:
* Symantec Norton Internet Security 2003
* Symantec Norton Internet Security 2004
* Symantec Norton Internet Security Professional 2003
* Symantec Norton Internet Security Professional 2004
* Symantec Norton Personal Firewall 2003
* Symantec Norton Personal Firewall 2004
* Symantec Client Firewall 5.01, 5.1.1
* Symantec Client Security 1.0
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0375>
CAN-2004-0375
The vulnerable code lies in the SYMNDIS.SYS driver when parsing TCP
options of a received TCP packet. When an attacker supplies a single TCP
packet with a TCP option of either SACK (05) or Alternate Checksum Data
(0F) followed by a length of 00, the SYMNDIS.SYS driver enters an infinite
loop and causes the operating system to "freeze up" to the point where it
can no longer be accessed outside of the system itself nor can any part of
the GUI be accessed including keyboard and mouse.
The only way to make the system operable again is by performing a hard
boot, which requires physical access. An attacker can invoke the DoS
condition by sending a single TCP packet to any port, open or closed. Not
only that, the condition is exploitable even if the Firewall/IDS is
disabled. An example of a TCP SYN packet which can cause the DoS follows
(only the tail of the TCP header is shown):
40 00 57 4B 00 00 01 01 05 00
|___| |___| |___| |_________|
  |     |     |         |
  |     |     |     TCP Options
  |     |  Urgent Pointer
  |  Checksum
Window Size
The vulnerable code maintains an offset into the TCP option bytes, and
attempts to advance past a variable-length option by adding its length to
the offset. If the option's length field is zero, the offset never
advances, the loop never terminates, and the machine halts completely.
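As an added illustration, not code from the advisory or from Symantec's driver: a hypothetical TCP option walk in C with the length check the advisory says was missing, exercised on constructed inputs that include the option bytes from the packet above (NOP, NOP, SACK with length 0).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1

/* Constructed sample inputs (not from the advisory's own code):
 * the option bytes of the advisory's packet, and a benign list
 * (MSS 1460, NOP, NOP, SACK-permitted). */
const uint8_t kAdvisoryOptions[] = { 0x01, 0x01, 0x05, 0x00 };
const uint8_t kBenignOptions[]   = { 0x02, 0x04, 0x05, 0xb4, 0x01, 0x01, 0x04, 0x02 };

/* Hypothetical option walk modelled on the bug the advisory describes:
 * the driver did off += optlen, so optlen == 0 never advanced the offset.
 * Returns the number of options walked, or -1 if the list is malformed. */
int parse_tcp_options(const uint8_t *opts, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        uint8_t kind = opts[off];
        if (kind == TCPOPT_EOL)
            break;                      /* end of option list */
        if (kind == TCPOPT_NOP) {
            off++;                      /* single-byte option, no length field */
            count++;
            continue;
        }
        if (off + 1 >= len)
            return -1;                  /* length byte missing */
        uint8_t optlen = opts[off + 1];
        /* The check the vulnerable loop lacked: a length below 2 either
         * leaves the offset unchanged (0) or points into the option (1). */
        if (optlen < 2)
            return -1;
        if (off + optlen > len)
            return -1;                  /* option runs past the header */
        off += optlen;
        count++;
    }
    return count;
}

int main(void)
{
    printf("advisory bytes: %d\n", parse_tcp_options(kAdvisoryOptions, sizeof kAdvisoryOptions));
    printf("benign bytes:   %d\n", parse_tcp_options(kBenignOptions, sizeof kBenignOptions));
    return 0;
}
```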
Vendor Status:
Symantec has released a patch for this vulnerability. The patch is
available via the Symantec LiveUpdate service.
ADDITIONAL INFORMATION
The information has been provided by <mailto:dsoeder@eeye.com> Derek
Soeder - eEye Digital Security.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.