[NT] Symantec Multiple Firewall TCP Options Denial Of Service Condition

From: SecuriTeam (support_at_securiteam.com)
Date: 04/25/04

    To: list@securiteam.com
    Date: 25 Apr 2004 19:16:43 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Symantec Multiple Firewall TCP Options Denial Of Service Condition
    ------------------------------------------------------------------------

    SUMMARY

     
    <http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=154> Symantec Client Security provides "integrated AntiVirus, firewall, and intrusion detection capabilities managed through a central console to provide better and proactive protection against today's evolving blended threats, such as Blaster. The solution provides critical end-point security to prevent intrusions from entering or spreading from connected and non-connected remote and mobile users, as well as from critical systems."

    A denial-of-service condition was found in Symantec's Client Firewall
    products. A remote attacker is able to render a system inoperable with a
    single TCP packet.

    DETAILS

    Vulnerable Systems:
     * Symantec Norton Internet Security 2003
     * Symantec Norton Internet Security 2004
     * Symantec Norton Internet Security Professional 2003
     * Symantec Norton Internet Security Professional 2004
     * Symantec Norton Personal Firewall 2003
     * Symantec Norton Personal Firewall 2004
     * Symantec Client Firewall 5.01, 5.1.1
     * Symantec Client Security 1.0

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0375>
    CAN-2004-0375

    The vulnerable code lies in the SYMNDIS.SYS driver, in the routine that
    parses the TCP options of a received TCP packet. When an attacker supplies
    a single TCP packet carrying a TCP option of kind SACK (05) or Alternate
    Checksum Data (0F) whose length byte is 00, the SYMNDIS.SYS driver enters
    an infinite loop and the operating system "freezes up": the machine stops
    responding on the network, and the local GUI, keyboard and mouse stop
    responding as well.

    The only way to make the system operable again is a hard reboot, which
    requires physical access. An attacker can trigger the DoS condition by
    sending a single TCP packet to any port, open or closed, and the condition
    can be triggered even when the firewall and IDS are disabled. The following
    is an example of the tail of a TCP SYN header (window size onwards) that
    causes the DoS:

    40 00  57 4B  00 00  01 01 05 00
    |___|  |___|  |___|  |_________|
      |      |      |         |
      |      |      |         TCP Options: NOP (01), NOP (01), SACK (05), length 00
      |      |      Urgent Pointer
      |      Checksum
    Window Size

    The vulnerable code maintains an offset into the TCP option bytes and
    attempts to advance past a variable-length option by adding the option's
    own length field to the offset. If that length field is zero, the offset
    never advances, the loop never terminates, and the machine halts
    completely. Every TCP option other than End of Option List (00) and No
    Operation (01) carries a length byte that counts the kind and length bytes
    themselves, so a value below 2, or one that reaches past the end of the
    option space, is malformed; a parser that rejects such values before
    advancing the offset cannot be made to spin.
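
    As an added illustration (not code from the advisory, from eEye or from
    Symantec), the C below places an option walk of the kind just described
    next to a hardened one and runs both over the advisory's option bytes
    01 01 05 00, over the Alternate Checksum Data variant, over the options a
    normal SYN carries, and over an option whose length overruns the header.
    The 24-byte sample header (its ports and sequence number), the helper
    names and the status codes are constructed for this example; the unchecked
    walk takes an iteration cap that exists only so the demonstration returns
    where the driver would hang.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_EOL 0   /* End of option list: no length byte */
#define TCPOPT_NOP 1   /* No-operation padding: no length byte */

enum opt_status { OPTS_OK = 0, OPTS_BAD_LENGTH = -1, OPTS_TRUNCATED = -2, OPTS_STALLED = -3 };

/* Option walk in the style the advisory describes: the offset advances by the
 * option's own length byte with no validation, so a length of 0 never moves it
 * and the real loop runs forever. max_steps is a guard that exists only so this
 * demo returns; OPTS_STALLED marks where the driver would spin indefinitely. */
int walk_options_unchecked(const uint8_t *opts, size_t len, unsigned max_steps)
{
    size_t off = 0;
    unsigned steps = 0;
    while (off < len) {
        if (++steps > max_steps) return OPTS_STALLED;
        uint8_t kind = opts[off];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { off++; continue; }
        if (off + 1 >= len) return OPTS_TRUNCATED;
        off += opts[off + 1];   /* BUG: length 0 (or 1) makes no progress */
    }
    return OPTS_OK;
}

/* Hardened walk. Every option other than EOL and NOP has a length byte that
 * counts itself and the kind byte, so a value below 2 is malformed, and the
 * option must fit in the remaining option space. Returns the number of
 * non-NOP options parsed, or a negative opt_status. */
int walk_options_checked(const uint8_t *opts, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        uint8_t kind = opts[off];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { off++; continue; }
        if (off + 1 >= len) return OPTS_TRUNCATED;
        uint8_t optlen = opts[off + 1];
        if (optlen < 2) return OPTS_BAD_LENGTH;        /* the case that hung SYMNDIS.SYS */
        if (optlen > len - off) return OPTS_TRUNCATED; /* claims bytes past the header */
        n++;
        off += optlen;
    }
    return n;
}

/* Locate a TCP header's option bytes from its data-offset nibble (header length
 * in 32-bit words, 5..15) and validate them with the hardened walk. */
int check_tcp_header_options(const uint8_t *hdr, size_t hdrlen)
{
    if (hdrlen < 20) return OPTS_TRUNCATED;
    size_t doff = (size_t)(hdr[12] >> 4) * 4;
    if (doff < 20 || doff > hdrlen) return OPTS_TRUNCATED;
    return walk_options_checked(hdr + 20, doff - 20);
}

/* Constructed 24-byte SYN header. Ports and sequence number are assumed for
 * this demo; the last ten bytes (window, checksum, urgent pointer and the
 * options 01 01 05 00) are the ones the advisory prints. */
static const uint8_t sample_syn[24] = {
    0x04, 0xD2, 0x00, 0x50,             /* src port 1234, dst port 80 (assumed) */
    0x00, 0x00, 0x00, 0x01,             /* sequence number (assumed) */
    0x00, 0x00, 0x00, 0x00,             /* acknowledgement number */
    0x60, 0x02,                         /* data offset 6 (24 bytes), flags SYN */
    0x40, 0x00, 0x57, 0x4B, 0x00, 0x00, /* window, checksum, urgent pointer */
    0x01, 0x01, 0x05, 0x00              /* NOP, NOP, SACK kind 05, length 00 */
};
/* The advisory's other trigger: Alternate Checksum Data (0F) with length 00. */
static const uint8_t altcsum_zero[] = { 0x0F, 0x00, 0x01, 0x01 };
/* Options a normal SYN carries: MSS 1460, NOP, NOP, SACK-permitted. */
static const uint8_t benign_opts[] = { 0x02, 0x04, 0x05, 0xB4, 0x01, 0x01, 0x04, 0x02 };
/* An MSS option whose claimed length runs past the end of the option space. */
static const uint8_t truncated_mss[] = { 0x02, 0x04, 0x05 };

int main(void)
{
    printf("benign: unchecked=%d checked=%d\n",
           walk_options_unchecked(benign_opts, sizeof benign_opts, 64),
           walk_options_checked(benign_opts, sizeof benign_opts));
    printf("sack len 0: unchecked=%d checked=%d\n",
           walk_options_unchecked(sample_syn + 20, 4, 64),
           walk_options_checked(sample_syn + 20, 4));
    printf("altcsum len 0: unchecked=%d checked=%d\n",
           walk_options_unchecked(altcsum_zero, sizeof altcsum_zero, 64),
           walk_options_checked(altcsum_zero, sizeof altcsum_zero));
    printf("truncated mss: unchecked=%d checked=%d\n",
           walk_options_unchecked(truncated_mss, sizeof truncated_mss, 64),
           walk_options_checked(truncated_mss, sizeof truncated_mss));
    printf("whole header: %d\n", check_tcp_header_options(sample_syn, sizeof sample_syn));
    return 0;
}
```

    Build with `cc -std=c99 -Wall` and run. The unchecked walk reports
    OPTS_STALLED for both zero-length triggers and passes the overrunning MSS
    option without complaint, while the checked walk rejects all three and
    returns the option count for the benign SYN; because a negative return
    from the checked walk always means a rejected packet, it is the shape a
    packet filter or IDS rule wants when deciding to drop before parsing.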

    Vendor Status:
    Symantec has released a patch for this vulnerability. The patch is
    available via the Symantec LiveUpdate service.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:dsoeder@eeye.com> Derek
    Soeder - eEye Digital Security.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

