[NT] F-Secure Internet Gatekeeper Content Scanning Server DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 09/14/04

    To: list@securiteam.com
    Date: 14 Sep 2004 14:24:06 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      F-Secure Internet Gatekeeper Content Scanning Server DoS
    ------------------------------------------------------------------------

    SUMMARY

    "F-Secure Internet Gatekeeper is a high-performance and fully automated
    antivirus and content filtering solution for protecting corporate e-mail
    (SMTP) and web traffic (HTTP, FTP over HTTP) at the Internet gateway. In
    addition to virus protection, the solution provides spam filtering, content
    filtering and access control."
    (Product page: <http://www.f-secure.com/products/anti-virus/fsigk/>)

    Remote exploitation of an input validation error in F-Secure's Internet
    Gatekeeper could allow attackers to trigger a denial of service against
    the Content Scanner Server.

    DETAILS

    Vulnerable Systems:
     * F-Secure Internet Gatekeeper Server version 6.32 and earlier
     * F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier, 6.01 and
    earlier

    Immune Systems:
     * F-Secure Internet Gatekeeper Server version 6.40
     * F-Secure Anti-Virus for Microsoft Exchange 6.30

    CVE Information:
     CAN-2004-0830
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0830>

    The problem is triggered when the Content Scanner Server, listening on
    TCP port 18971, receives a malformed packet. While parsing the packet the
    application fails with an access violation, resulting in a denial of
    service. The vulnerability does not appear to be exploitable beyond the
    crash. The root cause is faulty exception handling in the packet parser.

    Impact
    Successful exploitation allows remote attackers to crash the service. Once
    the server has crashed, depending on configuration options, a dialog box
    may appear on the desktop indicating that the FSAVSD.EXE process has
    crashed. Once this has been cleared, or if there is no dialog box, the
    server will automatically restart after approximately 30 to 40 seconds.
    During this time, the server will not respond to any requests made of it.
    It is possible to cause the server to fail repeatedly by sending packets
    at short intervals.

    Vendor Status:
    The vendor has been contacted and has confirmed the existence of the
    problem in their servers. The new server and anti-virus releases are
    immune to the above-mentioned issue, and the vendor has supplied a hotfix,
    available from <http://www.f-secure.com/security/fsc-2004-2.shtml>.

    In addition, for users who do not wish to upgrade, a simple workaround is
    available: the product can be configured so that the F-Secure Content
    Scanner Server (CSS) accepts connections only from known IP addresses.
    Configuring CSS to accept connections only from known IP addresses:
     * In F-Secure Policy Manager Console, go to F-Secure Content Scanner
    Server > Settings > Interface and, in the "Accept Connections" setting,
    specify the comma-separated list of IP addresses the server will accept
    requests from.
     * In the local user interface, the equivalent setting is on the
    Interface tab page under the Server/Interface category.

    Disclosure Timeline
    08/25/2004 Initial vendor notification
    08/25/2004 iDEFENSE clients notified
    08/25/2004 Initial vendor response
    09/09/2004 Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE Security Labs
    <mailto:idlabs-advisories@idefense.com>.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=137&type=vulnerabilities>

