---------------------------------------------------------------------------
Title: Flood ACK packets cause an IBM SecureWay FireWall DoS.
Released: 9th Oct 2002
---------------------------------------------------------------------------

Vulnerable:
===========

- SecureWay 4.2.x on AIX

Overview:
=========

SecureWay is a robust firewall product developed by IBM which runs on the
AIX and Windows platforms. It is not a full-fledged stateful packet filter,
but rather a stateful-inspection firewall with connection-centric,
deterministic filtering.

There is a stack problem with malformed TCP packets that can lead SecureWay
to a DoS condition. To reach this condition a large amount of bandwidth is
required.

Details:
========

When a TCP packet with all flags zeroed is sent to the SecureWay FireWall,
the firewall recognizes the invalid packet only after a lot of processing
has been done. Because of this, a flood of these forged packets consumes a
lot of resources and can lead the IBM SecureWay FireWall to a denial of
service condition.

To reach the DoS condition the flood must be over 2.8 Mbps, so this is more
of a DDoS attack.

On servers running SecureWay, the standard AIX fix does not work.

Vendor Response:
================

IBM was contacted on July 14, 2002. The vendor confirmed the problem and
released a fix.

Corrective Action:
==================

Update to SecureWay Firewall version 4.2.2 or install APAR IR49046.

ftp://testcase.software.ibm.com/aix/fromibm/firewall/fwaixfilter4_421d*

Vulnerability Reporting Policy:
===============================

http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt

Author:

Mauro Flores (maflores@antel.com.uy)
Guillermo Freire (gfreire@antel.com.uy)

---------------------------------------------------------------------------
ANTel is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to the
professional security community.
In no event shall ANTel be liable for any consequences whatsoever arising
out of or in connection with the use or spread of this information.
---------------------------------------------------------------------------
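The condition described in the Details section above, as an added detection example that is not part of the advisory: a small parser pulls the TCP flags byte out of raw IPv4 packets and reports when the rate of all-zero-flag segments seen in a capture window crosses the advisory's 2.8 Mbps figure. The packet builder, the 1-second window and the 192.0.2.x addresses are assumptions used only to construct test input.

```python
import struct
from typing import Iterable, Optional, Tuple

# Added example (not from the advisory): detect floods of TCP segments whose
# flags byte is all zero, the packet shape the Details section describes.


def tcp_flags(packet: bytes) -> Optional[int]:
    """Return the TCP flags byte of a raw IPv4 packet, or None if not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:      # IPv4 version nibble
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 14:      # protocol 6 = TCP; flags at +13
        return None
    return packet[ihl + 13]


def build_ipv4_tcp(flags: int, payload_len: int = 0) -> bytes:
    """Construct a minimal IPv4+TCP packet (test input only, never sent)."""
    total = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # TEST-NET-1
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp + b"\x00" * payload_len


def null_flag_flood(samples: Iterable[bytes], window_s: float,
                    threshold_mbps: float) -> Tuple[int, float, bool]:
    """Count all-zero-flag TCP segments captured in a window_s-second window.

    Returns (null_count, mbps_of_null_flag_traffic, alert).
    """
    null_count, null_bits = 0, 0
    for pkt in samples:
        if tcp_flags(pkt) == 0:                       # None (non-TCP) is skipped too
            null_count += 1
            null_bits += len(pkt) * 8
    mbps = null_bits / window_s / 1_000_000
    return null_count, mbps, mbps >= threshold_mbps


if __name__ == "__main__":
    # Constructed 1-second sample: 7000 null-flag segments of 60 bytes plus 100 SYNs.
    capture = [build_ipv4_tcp(0x00, 20)] * 7000 + [build_ipv4_tcp(0x02)] * 100
    count, mbps, alert = null_flag_flood(capture, window_s=1.0, threshold_mbps=2.8)
    print(f"null-flag segments={count} rate={mbps:.2f} Mbps alert={alert}")
```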