[NT] Kerio Personal Firewall Multiple IP Options DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 11/11/04

  • Next message: SecuriTeam: "[NEWS] Cisco IOS DHCP Blocked Interface DoS" 
    To: list@securiteam.com
Date: 11 Nov 2004 18:34:51 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Kerio Personal Firewall Multiple IP Options DoS
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.kerio.com/kpf_home.html> Kerio Personal Firewall (KPF) helps
    users control how their computers exchange data with other computers on
    the Internet or local network."

    A machine running Kerio Personal Firewall can be rendered inoperable and
    frozen due to a single packet from a malicious party. Physical access is
    then required in order to secure control of the machine again.

    DETAILS

    Vulnerable Systems:
     * Kerio Personal Firewall version 4.1.1 and prior

    Immune Systems:
     * Kerio Personal Firewall version 4.1.2

    The DoS flaw exists within the low-level component that handles TCP, UDP
    and ICMP packets. The vulnerability exists in FWDRV.SYS when trying to
    parse through the IP Options in a TCP, UDP, or ICMP packet. When an
    attacker supplies a single TCP, UDP, or ICMP packet with an IP Option
    followed by a length of 0x00, the FWDRV.SYS driver enters an infinite loop
    and causes the operating system to "freeze up" to the point where it can
    no longer be accessed outside of the system itself nor can any part of the
    GUI be accessed including keyboard and mouse.

    Note: The only way to bring the system back online is to hard boot the
    system which requires physical access.

    The attacker only needs to send a single packet to any port on the system
    regardless of whether or not the port is open. This flaw is still
    accessible even if the firewall is set to "stop all traffic" because it
    still continues to process packets.

    The vulnerable code maintains an offset into the IP option bytes, and
    attempts to advance past a variable-length option by adding its length to
    the offset. If the option's length field is zero, then this will result in
    an infinite loop and the machine halts completely. It should be noted that
    since there is not a state requirement for performing this attack, it is
    possible to spoof a TCP, UDP, or ICMP packet. This results in an
    attacker's ability to remain anonymous.

    Vendor Status:
    Kerio have fixed the vulnerability and have provided an updated version
    (4.1.2) available from their site at
    <http://www.kerio.com/kpf_download.html>
    http://www.kerio.com/kpf_download.html

    Disclosure Timeline:
    30-10-2004 Vulnerability reported
    09-11-2004 Release date

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mmaiffret@eeye.com> Marc
    Maiffret of eEye Digital Security.
    The original article can be found at:
    <http://www.kerio.com/security_advisory.html>
    http://www.kerio.com/security_advisory.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Cisco IOS DHCP Blocked Interface DoS"

    Relevant Pages