Date: 12 May 2004 18:03:37 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Subject: [NT] Agnitum Outpost Firewall Pro DoS
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Agnitum Outpost Firewall Pro DoS
------------------------------------------------------------------------
SUMMARY
"With hacker attacks, data theft and privacy violations rampant on the
Internet you need a comprehensive solution to safeguard your PC. With
<http://www.agnitum.com/> Outpost Firewall Pro, you get award-winning
firewall software that takes care of your online security needs."
Flooding Outpost Pro with a sustained stream of packets causes the
firewall to consume more and more system resources, which eventually
leads to an access violation that crashes the firewall.
DETAILS
Vulnerable Systems:
* Agnitum Outpost Pro firewall version 2.1
Outpost Pro maintains a list of all new incoming packets. When new packets
arrive, it adds them to the list and keeps them until they are processed.
A flood of packets that uses a lot of CPU time (small packets, for
example) can make Outpost fall behind in handling them. Theoretically,
this type of behavior can be seen in any firewall.
However, the problem lies in the fact that Outpost Pro keeps allocating
more and more resources from the system in order to keep all received
packets. There is essentially no limit to the amount of resources it will
consume. Therefore, flooding the firewall with small TCP packets with the
URG, PSH, SYN, FIN Flags set and random Source IPs, at a rate larger than
90Kb/sec, will cause the firewall to stop processing packets in real-time
since it can't keep up with the incoming rate.
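The design fix this paragraph implies, as an added example (not code from the advisory or from Agnitum): a pending-packet queue with fixed storage that drops and counts packets once full, so memory use stays constant when arrivals outpace processing. The names pktq_push, pktq_pop and simulate and the limits QCAP and SNAP are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QCAP 1024   /* hard ceiling on queued packets (assumed value) */
#define SNAP 64     /* bytes of each packet kept for inspection (assumed) */

struct pkt { uint16_t len; uint8_t data[SNAP]; };

struct pktq {
    struct pkt slot[QCAP];  /* fixed storage: nothing is allocated per packet */
    size_t head, count;
    uint64_t dropped;       /* overload counter an operator can alert on */
};

/* Queue a packet. Returns 1 if stored, 0 if dropped because the queue is full. */
int pktq_push(struct pktq *q, const uint8_t *buf, size_t len)
{
    if (q->count == QCAP) { q->dropped++; return 0; }  /* tail drop */
    struct pkt *p = &q->slot[(q->head + q->count) % QCAP];
    p->len = (uint16_t)(len > SNAP ? SNAP : len);
    memcpy(p->data, buf, p->len);
    q->count++;
    return 1;
}

/* Remove the oldest packet. Returns 1 on success, 0 if the queue is empty. */
int pktq_pop(struct pktq *q, struct pkt *out)
{
    if (q->count == 0) return 0;
    *out = q->slot[q->head];
    q->head = (q->head + 1) % QCAP;
    q->count--;
    return 1;
}

/* Constructed overload model: `arrive` packets per tick, `serve` processed.
   Returns the peak queue depth, which cannot exceed QCAP. */
size_t simulate(struct pktq *q, unsigned ticks, unsigned arrive, unsigned serve)
{
    static const uint8_t sample[40] = {0};  /* constructed 40-byte packet */
    struct pkt tmp;
    size_t peak = 0;
    memset(q, 0, sizeof *q);
    for (unsigned t = 0; t < ticks; t++) {
        for (unsigned i = 0; i < arrive; i++) pktq_push(q, sample, sizeof sample);
        if (q->count > peak) peak = q->count;
        for (unsigned i = 0; i < serve; i++) pktq_pop(q, &tmp);
    }
    return peak;
}
```

With arrivals at five times the service rate, the queue depth stops at QCAP and the excess shows up in the dropped counter instead of in memory growth.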
Vendor Status:
The vendor was notified about two weeks ago, and the fix is planned
for the next version.
Workaround:
In order to avoid the DoS, the following temporary workaround is possible:
* Exit Outpost
* Edit outpost.ini file that is located in Outpost folder and set:
    HideIcmpActivity=yes
    HideIpActivity=yes
* Save it and start Outpost.
ADDITIONAL INFORMATION
The information has been provided by <mailto:apelkmann@freenet.de.> Armin
Pelkmann.
This bulletin is sent to members of the SecuriTeam mailing list.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.