Re: Multiple Symantec Firewall Secure Webserver timeout DoS

From: Sym Security (
Date: 10/15/02

From: "Sym Security" <>
Date: Tue, 15 Oct 2002 09:27:47 -0500

October 13, 2002
Symantec Firewall Secure Webserver timeout DoS


Advanced IT-Security, a Scandinavian security consultancy, notified
Symantec of a denial-of-service (D0S) issue they had discovered with the
web proxy component in the Symantec Enterprise Firewall. A malicious user
who is able to establish a remote connection to the proxy server could, by
requesting multiple connections to a non-existent or erroneous internal
URL, cause the proxy server to timeout for an extended period of time.
While timed out, the server fails to process any subsequent connection

Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300

Symantec Response
Symantec tested and verified the problem discovered by Advanced
IT-Security. This issue has been addressed in the security hotfix bundle
currently available for download through the Symantec Enterprise Support

As a best practice, Symantec recommends keeping all operating systems and
applications updated with the latest vendor patches. Keeping
mission-critical systems updated with all security patches applied reduces
risk exposure.

Symantec takes the security and proper functionality of our products very
seriously. Symantec appreciates the assistance of Tommy Mikalsen from
Advanced IT-Security in identifying this area of concern so we could
quickly address it. Anyone with information on security issues with
Symantec products should contact The Sym Security
PGP key can be downloaded from

This advisory is available at

The Common Vulnerabilities and Exposures (CVE) initiative has assigned the
name CAN-2002-0990 to the SEF HTTP_CONNECT Secure Webserver DoS.

This is a candidate for inclusion in the CVE list (,
which standardizes names for security problems.

Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Security
Response. Reprinting the whole or part of this alert in medium other than
electronically requires permission from
The information in the advisory is believed to be accurate at the time of
printing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential
loss or damage arising from use of, or reliance on this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity
are registered trademarks of Symantec Corp. and/or affiliated companies in
the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole property
of their respective companies/owners.


AI-SEC Security Advisories <>

10/14/2002 02:06 PM
Please respond to advisories

Advanced IT-Security Advisory #01-10-2002

Multiple Symantec Firewall Secure Webserver timeout DoS

There exists a problem in "Simple, secure webserver 1.1" which is shipped
with numerous Symantec firewalls, in which an attacker can connect to the
proxyserver from the outside, and issue a HTTP-style
CONNECT to a domain with a missing, or flawed DNS-server. The "Simple,
secure webserver 1.1" appears to wait for a timeout contacting the DNS
server, and while doing so the software does not fork and
thereby queues or drops all requests coming from other clients. The timeout
usually last up to 300 seconds. Sending subsequent requests for other
hostnames in the same flawed domain will force the
Simple, secure webserver 1.1 to stop processing requests for a long time.

The exploit works regardless if the domainname in question is allowed or
not in the ACL.