Ref: Bugtraq message, "Multiple Vendor PC firewall remote denial of services Vulnerability"
Date: Oct 8 2002 2:16AM
Author: Yiming Gong <yiming@security.zz.ha.cn>
Message-ID: <002701c26e70$a882eba0$f8ff1dda@penetrat>

Overview

In a default installation, some personal firewall software will run with the auto-block function on, and in that case, if you fake a high-level dangerous attack packet with a spoofed source address and target these PCs, these firewalls will immediately block the spoofed IP address without any further judgement. Thus, an intruder might quickly block quite a great number of internet addresses for a victim PC remotely.

Example

I've tested this on BlackICE and Norton Personal Firewall.

-------------------------snip----------------

October 9, 2002
Symantec Personal Firewall AutoBlock DoS
Risk: Low

Overview

Symantec was notified of a potential denial-of-service (DoS) issue with the AutoBlock feature of Symantec Norton Personal Firewall. The discoverer, Yiming Gong of China Netcom, subsequently posted the findings to the BugTraq mailing list (http://online.securityfocus.com/archive/1/294411/2002-10-06/2002-10-12/0) prior to a coordinated response from Symantec.

According to the discoverer, by directing an attack against a user of a personal firewall that provides a form of auto-blocking capability, and by spoofing a valid IP address as the source of that attack, an attacker could create a DoS against that address: the AutoBlock feature blocks access to the spoofed IP address for a period of time. In this manner, a valid IP address could be temporarily denied to the user of the personal firewall.

Products/Versions

Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003

Symantec Response

Symantec considers the AutoBlock feature of its personal firewall products to be a valuable part of any Internet security capability. While the scenario described in the referenced Bugtraq posting could cause a minor temporary DoS, a concerted attack of this type would, by its very nature, be of limited scope. The default timeout for AutoBlock is 30 minutes, so even if an IP address were blocked in this manner, it would be for a limited period.

Symantec's AutoBlock feature provides an exclusion list, so that should a user become aware of a spoofed DoS attack of this nature, they can place the valid IP address in the AutoBlock exclusion list to prevent that address from being blocked automatically. Attack packets carrying the spoofed source address would still be intercepted by the firewall, but the DoS intended by the attacker would be thwarted.

While Symantec considers a threat of this nature to be very low risk and highly limited in scope, we are continuously working to increase the security capability and posture of our products. Symantec is researching ways of building additional intelligent decision capability into the AutoBlock feature.

Credit

Symantec takes the security and proper functionality of our products very seriously. Anyone with information on security issues with Symantec products should contact symsecurity@symantec.com.

Copyright (c) 2002 by Symantec Corp. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in a medium other than electronic requires permission from symsecurity@symantec.com.

Disclaimer

The information in this advisory is believed to be accurate at the time of printing, based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
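The following model of the AutoBlock decision logic is an added example written for this page; it is not code from Symantec, BlackICE or the Bugtraq poster. It reproduces the behaviour the advisory describes (block the source address of any packet matching a dangerous signature, for a default 30 minutes, unless that address is on the exclusion list) and shows why a spoofed packet lets an attacker cut the victim off from an address of the attacker's choosing, such as the victim's DNS server. The "dangerous" signature (a constructed byte marker), the 192.0.2.x / 198.51.100.x addresses and the packet class are assumptions for illustration. The `require_handshake` option is one possible form of the "additional intelligent decision capability" the advisory mentions, namely auto-blocking only on evidence a spoofer cannot easily forge (a completed TCP handshake); it is an assumption of this example, not a description of what Symantec shipped.

```python
"""Toy model of a personal-firewall AutoBlock feature (constructed example).

Weak policy: any source address on a packet matching a dangerous signature
is blocked for AUTOBLOCK_SECONDS. A spoofed packet therefore blocks whatever
address the attacker chose. Two mitigations are modelled: the exclusion list
the advisory describes, and (an assumption, not Symantec's design) blocking
only sources that completed a TCP three-way handshake.
"""
from dataclasses import dataclass, field

AUTOBLOCK_SECONDS = 30 * 60  # default AutoBlock timeout given in the advisory

# Constructed toy signature: any payload containing this marker is "dangerous".
DANGEROUS_MARKER = b"ATTACK-SIGNATURE"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes = b""
    handshake_done: bool = False  # True only if src completed a TCP handshake


def is_dangerous(pkt: Packet) -> bool:
    """Stand-in for the firewall's attack signature matching."""
    return DANGEROUS_MARKER in pkt.payload


@dataclass
class AutoBlock:
    exclusions: set = field(default_factory=set)   # addresses never auto-blocked
    require_handshake: bool = False                # assumed hardening, see lead-in
    _blocked_until: dict = field(default_factory=dict)

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # block expired after the timeout
            del self._blocked_until[ip]
            return False
        return True

    def handle(self, pkt: Packet, now: float) -> str:
        """Return the verdict for one inbound packet at time `now` (seconds)."""
        if self.is_blocked(pkt.src, now):
            return "drop:blocked"
        if not is_dangerous(pkt):
            return "accept"
        if pkt.src in self.exclusions:
            return "drop:excluded"       # attack packet intercepted, no block added
        if self.require_handshake and not pkt.handshake_done:
            return "drop:unverified"     # dropped, but src may be spoofed: no block
        self._blocked_until[pkt.src] = now + AUTOBLOCK_SECONDS
        return "drop:autoblock"


DNS_SERVER = "192.0.2.53"   # constructed: the victim's legitimate DNS server
VICTIM = "192.0.2.10"       # constructed: the PC running the firewall


def run_scenario(fw: AutoBlock) -> tuple:
    """Attacker sends a dangerous packet with the DNS server's address forged as
    source; the real DNS server then replies normally, at t=1s and again after
    the timeout. Returns the three verdicts (attack, reply, reply-after-timeout)."""
    spoofed = Packet(src=DNS_SERVER, dst=VICTIM, payload=DANGEROUS_MARKER)
    legit_reply = Packet(src=DNS_SERVER, dst=VICTIM, payload=b"dns-answer")
    attack = fw.handle(spoofed, now=0)
    reply = fw.handle(legit_reply, now=1)
    later = fw.handle(legit_reply, now=AUTOBLOCK_SECONDS + 1)
    return attack, reply, later


if __name__ == "__main__":
    print("default:    ", run_scenario(AutoBlock()))
    print("exclusion:  ", run_scenario(AutoBlock(exclusions={DNS_SERVER})))
    print("handshake:  ", run_scenario(AutoBlock(require_handshake=True)))
```

With the default policy the legitimate DNS reply is dropped as "blocked" for the full 30 minutes, and nothing stops the attacker from sending another spoofed packet as soon as the block expires. The exclusion list works only for addresses the user has already identified and listed; the handshake rule removes the spoofing primitive for TCP but gives no help for UDP or ICMP triggers, which is why neither option is a complete answer on its own.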