Date: 11 Nov 2004 18:34:51 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [NT] Kerio Personal Firewall Multiple IP Options DoS
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Kerio Personal Firewall Multiple IP Options DoS
------------------------------------------------------------------------
SUMMARY
" <http://www.kerio.com/kpf_home.html>; Kerio Personal Firewall (KPF) helps
users control how their computers exchange data with other computers on
the Internet or local network."
A machine running Kerio Personal Firewall can be rendered inoperable and
frozen due to a single packet from a malicious party. Physical access is
then required in order to secure control of the machine again.
DETAILS
Vulnerable Systems:
* Kerio Personal Firewall version 4.1.1 and prior
Immune Systems:
* Kerio Personal Firewall version 4.1.2
The DoS flaw exists within the low-level component that handles TCP, UDP
and ICMP packets. The vulnerability exists in FWDRV.SYS when trying to
parse through the IP Options in a TCP, UDP, or ICMP packet. When an
attacker supplies a single TCP, UDP, or ICMP packet with an IP Option
followed by a length of 0x00, the FWDRV.SYS driver enters an infinite loop
and causes the operating system to "freeze up" to the point where it can
no longer be accessed outside of the system itself nor can any part of the
GUI be accessed including keyboard and mouse.
Note: The only way to bring the system back online is to hard boot the
system which requires physical access.
The attacker only needs to send a single packet to any port on the system
regardless of whether or not the port is open. This flaw is still
accessible even if the firewall is set to "stop all traffic" because it
still continues to process packets.
The vulnerable code maintains an offset into the IP option bytes, and
attempts to advance past a variable-length option by adding its length to
the offset. If the option's length field is zero, then this will result in
an infinite loop and the machine halts completely. It should be noted that
since there is not a state requirement for performing this attack, it is
possible to spoof a TCP, UDP, or ICMP packet. This results in an
attacker's ability to remain anonymous.
Vendor Status:
Kerio have fixed the vulnerability and have provided an updated version
(4.1.2) available from their site at
<http://www.kerio.com/kpf_download.html>;
http://www.kerio.com/kpf_download.html
Disclosure Timeline:
30-10-2004 Vulnerability reported
09-11-2004 Release date
ADDITIONAL INFORMATION
The information has been provided by <mailto:mmaiffret@eeye.com.> Marc
Maiffret of eEye Digital Security.
The original article can be found at:
<http://www.kerio.com/security_advisory.html>;
http://www.kerio.com/security_advisory.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
