[UNIX] Flood ACK Packets Cause an IBM SecureWay Firewall to Hang

From: support@securiteam.com
Date: 10/01/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue,  1 Oct 2002 21:30:14 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Flood ACK Packets Cause an IBM SecureWay Firewall to Hang
------------------------------------------------------------------------

SUMMARY

SecureWay is a firewall product developed by IBM that runs on the AIX and
Windows platforms. It is not a full-fledged stateful packet filter; it is
closer to a stateful-inspection firewall that applies connection-centric,
deterministic filtering.

A security problem in the firewall has been identified. When a flood of
malformed TCP packets reaches the SecureWay Firewall, it is no longer able
to respond to legitimate requests because of the CPU resources consumed
processing the flood. Due to the nature of this attack, a large amount of
bandwidth is required.

DETAILS

Vulnerable systems:
 * SecureWay 4.2.x on AIX

When a TCP packet with all flags cleared (a "null" segment) is sent to the
SecureWay Firewall, the firewall takes a large amount of processing time to
determine that the packet is in fact invalid. Because of this, a flood of
such forged packets consumes a large amount of resources, leading to a denial
of service.
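The condition described above is detectable on the wire: a TCP segment with no flag bits set never occurs in a legitimate connection, so a monitor in front of the firewall can count such segments per source and alert when they arrive at flood rate. The following is an added example written for this advisory, not code from IBM or SecuriTeam; the packet builder, the 50-per-second threshold and the sample addresses are constructed for illustration.

```python
"""Detect zero-flag ("null") TCP segments and flag a source that floods them.
Added example for this advisory; not IBM's or SecuriTeam's code.  The
threshold, window and sample packets are constructed values."""
import struct
from collections import defaultdict


def parse_ipv4_tcp(frame: bytes):
    """Return (src_ip, dst_ip, tcp_flags) for an IPv4/TCP packet, else None."""
    if len(frame) < 20:
        return None
    ver_ihl = frame[0]
    if ver_ihl >> 4 != 4:          # not IPv4
        return None
    ihl = (ver_ihl & 0x0F) * 4     # IP header length in bytes
    if ihl < 20 or len(frame) < ihl + 20:
        return None
    if frame[9] != 6:              # IP protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:ihl + 20]
    # TCP header layout: sport(2) dport(2) seq(4) ack(4) offset(1) flags(1) ...
    flags = tcp[13]
    return src, dst, flags


def is_null_segment(flags: int) -> bool:
    """No flag bits set: every real segment carries at least SYN, ACK, RST or FIN."""
    return flags == 0


class NullFloodDetector:
    """Count null segments per source inside a sliding time window and report
    a source once it crosses the threshold (threshold/window are constructed)."""

    def __init__(self, threshold: int = 50, window: float = 1.0):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(list)   # src -> timestamps of null segments

    def observe(self, ts: float, frame: bytes):
        """Feed one packet; return the offending source IP when it trips the threshold."""
        parsed = parse_ipv4_tcp(frame)
        if parsed is None:
            return None
        src, _dst, flags = parsed
        if not is_null_segment(flags):
            return None
        stamps = self.seen[src]
        stamps.append(ts)
        while stamps and ts - stamps[0] > self.window:   # expire old entries
            stamps.pop(0)
        return src if len(stamps) >= self.threshold else None


def build_packet(src: str, dst: str, flags: int) -> bytes:
    """Construct a minimal IPv4+TCP packet (no payload, zero checksums) as test
    input for the parser.  Constructed sample data, not captured traffic."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def simulate(num_null: int = 60, num_ack: int = 10, threshold: int = 50):
    """Run constructed traffic through the detector: benign ACK segments from one
    host, a burst of null segments from another.  Returns the set of alerted IPs."""
    det = NullFloodDetector(threshold=threshold)
    alerts = set()
    for i in range(num_ack):
        hit = det.observe(0.01 * i, build_packet("10.0.0.7", "10.0.0.1", 0x10))  # ACK
        if hit:
            alerts.add(hit)
    for i in range(num_null):
        hit = det.observe(0.001 * i, build_packet("192.0.2.9", "10.0.0.1", 0x00))  # null
        if hit:
            alerts.add(hit)
    return alerts


if __name__ == "__main__":
    print("flooding sources:", simulate())
```

In production the same check would be fed from a capture interface rather than `build_packet`; the point is that a null segment is cheap to recognise at the TCP flags byte, so a monitor can reject or rate-limit the flood before the firewall spends its far more expensive validation path on each packet.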

Vendor Response:
IBM was contacted on July 14, 2002. The vendor confirmed the problem and
released a fix.

Corrective Action:
Update to SecureWay Firewall version 4.2.2 or install APAR IR49046:
http://www-1.ibm.com/support/docview.wss?rs=0&q=IR49046&uid=swg185256b4f006cca2486256c31007feaca

ADDITIONAL INFORMATION

The information has been provided by Mauro Flores <maflores@antel.com.uy>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
