[NT] F-Secure Internet Gatekeeper Content Scanning Server DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 09/14/04
To: list@securiteam.com Date: 14 Sep 2004 14:24:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
F-Secure Internet Gatekeeper Content Scanning Server DoS
------------------------------------------------------------------------
SUMMARY
" <http://www.f-secure.com/products/anti-virus/fsigk/> F-Secure Internet
Gatekeeper is a high-performance and fully automated antivirus and content
filtering solution for protecting corporate e-mail (SMTP) and web traffic
(HTTP, FTP over HTTP) at the Internet gateway. In addition to virus
protection, the solution provides spam filtering, content filtering and
access control."
Remote exploitation of an input validation error in F-Secure's Internet
Gatekeeper could allow attackers to trigger a denial of service against
the Content Scanner Server.
DETAILS
Vulnerable Systems:
* F-Secure Internet Gatekeeper Server version 6.32 and earlier
* F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier, 6.01 and
earlier
Immune Systems:
* F-Secure Internet Gatekeeper Server version 6.40
* F-Secure Anti-Virus for Microsoft Exchange 6.30
CVE Information:
CAN-2004-0830 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0830>
The problem can exhibit itself when malformed packets are received by the
Content Scanner on port 18971. A denial of service condition is triggered
while the packet is parsed, causing the application to fail with an access
violation error. The vulnerability does not appear to be further
exploitable. The root cause of the crash is faulty exception handling.
Impact
Successful exploitation allows remote attackers to crash the service. Once
the server has crashed, depending on configuration options, a dialog box
may appear on the desktop indicating that the FSAVSD.EXE process has
crashed. Once this has been cleared, or if there is no dialog box, the
server will automatically restart after approximately 30 to 40 seconds.
During this time, the server will not respond to any requests made of it.
It is possible to cause the server to fail repeatedly by sending packets
at short intervals.
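The impact section above describes the signature a defender can look for: not a single crash, but FSAVSD.EXE crashing again within roughly its 30 to 40 second restart time, over and over. The following detection sketch is an added example and is not code from iDEFENSE, F-Secure or the product; it assumes a monitoring agent that writes one timestamped line per observed crash of the Content Scanner Server process (the log format and the sample lines are constructed).

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the advisory or the product). Assumed format:
# "<YYYY-MM-DD HH:MM:SS> <message>", one line per observed FSAVSD.EXE crash,
# as a process-watching monitoring agent might emit it.
SAMPLE_LOG = """\
2004-09-14 10:00:02 FSAVSD.EXE terminated: access violation
2004-09-14 10:00:41 FSAVSD.EXE terminated: access violation
2004-09-14 10:01:19 FSAVSD.EXE terminated: access violation
2004-09-14 10:01:58 FSAVSD.EXE terminated: access violation
2004-09-14 13:30:00 FSAVSD.EXE terminated: access violation
"""

CRASH_MARKER = "FSAVSD.EXE terminated"


def parse_crash_times(log_text):
    """Extract the timestamp of every crash line, sorted chronologically."""
    times = []
    for line in log_text.splitlines():
        if CRASH_MARKER not in line:
            continue  # unrelated log line
        date, clock = line.split(" ", 2)[:2]
        times.append(datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"))
    return sorted(times)


def crash_bursts(times, max_gap=timedelta(seconds=90), min_crashes=3):
    """Group crashes that recur within max_gap of each other and return
    (first, last, count) for every group of at least min_crashes.

    The service auto-restarts after 30-40 s and can be taken down again as
    soon as it is back, so a cluster of crashes spaced by roughly the restart
    time, rather than an isolated crash, is the repeated-DoS signature."""
    bursts = []
    group = []
    for t in times:
        if group and t - group[-1] > max_gap:
            if len(group) >= min_crashes:
                bursts.append((group[0], group[-1], len(group)))
            group = []
        group.append(t)
    if len(group) >= min_crashes:
        bursts.append((group[0], group[-1], len(group)))
    return bursts


if __name__ == "__main__":
    for first, last, n in crash_bursts(parse_crash_times(SAMPLE_LOG)):
        print(f"possible Content Scanner DoS: {n} crashes between {first} and {last}")
```

The isolated crash at 13:30 is not reported; only the run of four crashes spaced by about 40 seconds is flagged.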
Vendor Status:
The vendor has been contacted and confirmed the existence of the problem
in their servers. The new server and anti-virus releases are immune to the
above-mentioned issue and the vendor has supplied a hotfix. The hotfix is
available from <http://www.f-secure.com/security/fsc-2004-2.shtml>.
In addition, for those users who don't wish to upgrade their versions, a
simple workaround can be used. The product can be configured so that only
allowed connections are accepted by the F-Secure Content Scanner Server.
Configuring CSS to accept connections only from known IP addresses:
* In F-Secure Policy Manager Console, go to F-Secure Content Scanner
Server>Settings>Interface and in the "Accept Connections" setting specify
the comma-separated list of IP addresses the server will accept requests
from.
* In the local user interface, a similar setting can be found on the
Interface tab page under the Server/Interface category.
Disclosure Timeline
08/25/2004 Initial vendor notification
08/25/2004 iDEFENSE clients notified
08/25/2004 Initial vendor response
09/09/2004 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE Security Labs.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=137&type=vulnerabilities>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.