[NEWS] Multiple Symantec Firewall Secure Webserver Timeout DoS

From: support@securiteam.com
Date: 10/15/02 

From: support@securiteam.com
To: list@securiteam.com
Date: 15 Oct 2002 03:43:39 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Multiple Symantec Firewall Secure Webserver Timeout DoS
------------------------------------------------------------------------

SUMMARY

There exists a problem in "Simple, secure webserver 1.1" that is shipped
with numerous Symantec firewalls, the vulnerabilities allows a remote
attacker to cause the webserver/proxy to stall new incoming requests,
effectively causing a denial of service attack against the product.

DETAILS

Versions affected:
 * Raptor Firewall 6.5 (Windows NT)
 * Raptor Firewall V6.5.3 (Solaris)
 * Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
 * Symantec Enterprise Firewall V7.0 (Solaris)
 * Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
 * VelociRaptor Model 500/700/1000
 * VelociRaptor Model 1100/1200/1300
 * Symantec Gateway Security 5110/5200/5300

An attacker can connect to the proxy server from the outside, and issue a
HTTP-style CONNECT to a domain with a missing, or flawed DNS-server. This
will cause the "Simple, secure webserver 1.1" to wait for a timeout while
it tries to contact the DNS server, and while doing so the software does
not fork and thereby queues or drops all new requests coming from other
clients. The timeout usually last up to 300 seconds. Sending subsequent
requests for other hostnames in the same flawed domain will force the
"Simple, secure webserver 1.1" to stop processing requests for a long
time.

The exploit works regardless if the domain name in question is allowed or
not in the ACL.

Workarounds:
Apply official patch from Symantec.

Solutions:
Apply official patch from Symantec, or disable Simple, secure webserver.

Patch:
Download the patch published at: <http://www.symantec.com/techsupp>
http://www.symantec.com/techsupp

Vendor status:
Symantec was contacted 22, August 2002. Symantec promptly tested and
confirmed AI-SEC Security findings, and immediately started working on a
patch for their customer base.

ADDITIONAL INFORMATION

The information has been provided by <mailto:advisories@ai-sec.dk> AI-SEC
Security Advisories.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages