October 13, 2002

Symantec Firewall Secure Webserver timeout DoS

Risk
Medium

Overview
Advanced IT-Security, a Scandinavian security consultancy, notified Symantec of a denial-of-service (DoS) issue they had discovered with the web proxy component in the Symantec Enterprise Firewall. A malicious user who is able to establish a remote connection to the proxy server could, by requesting multiple connections to a non-existent or erroneous internal URL, cause the proxy server to time out for an extended period of time. While timed out, the server fails to process any subsequent connection requests.

Products/Versions
Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300

Symantec Response
Symantec tested and verified the problem discovered by Advanced IT-Security. This issue has been addressed in the security hotfix bundle currently available for download through the Symantec Enterprise Support site, http://www.symantec.com/techsupp.

As a best practice, Symantec recommends keeping all operating systems and applications updated with the latest vendor patches. Keeping mission-critical systems updated with all security patches applied reduces risk exposure.

Credit
Symantec takes the security and proper functionality of our products very seriously. Symantec appreciates the assistance of Tommy Mikalsen from Advanced IT-Security in identifying this area of concern so we could quickly address it.

Anyone with information on security issues with Symantec products should contact symsecurity@symantec.com. The SymSecurity PGP key can be downloaded from http://securityresponse.symantec.com/avcenter/security/publickey/SymSecurity.asc.
This advisory is available at http://securityresponse.symantec.com/avcenter/security/Content/2002.10.11.html

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2002-0990 to the SEF HTTP_CONNECT Secure Webserver DoS. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in a medium other than electronic requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
---------------------------------------------------------------------------------------------------------------
AI-SEC Security Advisories <advisories@ai-sec.dk>
10/14/2002 02:06 PM
Please respond to advisories

Advanced IT-Security Advisory #01-10-2002
http://www.ai-sec.dk/

Issue:
======
Multiple Symantec Firewall Secure Webserver timeout DoS

Problem description:
====================
There exists a problem in "Simple, secure webserver 1.1", which is shipped with numerous Symantec firewalls, in which an attacker can connect to the proxy server from the outside and issue an HTTP-style CONNECT to a domain with a missing or flawed DNS server. The "Simple, secure webserver 1.1" appears to wait for a timeout contacting the DNS server, and while doing so the software does not fork and thereby queues or drops all requests coming from other clients. The timeout usually lasts up to 300 seconds. Sending subsequent requests for other hostnames in the same flawed domain will force the Simple, secure webserver 1.1 to stop processing requests for a long time. The exploit works regardless of whether the domain name in question is allowed or not in the ACL.

-----------------------------snip-------------------------
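The failure mode AI-SEC describes, a non-forking proxy loop that blocks on an unanswered DNS query, modelled as an added example that is not code from Symantec or Advanced IT-Security: a stand-in resolver that hangs on one zone is fed a small burst of CONNECT request lines, first through the vulnerable serial loop and then through a handler that isolates clients and caps the resolver wait. The zone names, the 192.0.2.10 address and the scaled-down hang time are constructed for the example.

```python
import concurrent.futures as cf
import time

# Constructed stand-in for the firewall's resolver: names under the flawed zone hang
# until the query gives up; the advisory's ~300 s wait is scaled down to run quickly.
HANG_SECONDS = 0.5

def fake_resolve(host):
    if host.endswith(".broken.example"):  # zone whose DNS server never answers
        time.sleep(HANG_SECONDS)
        raise OSError("name resolution timed out")
    return "192.0.2.10"  # constructed internal address

def target_host(request_line):
    """Host named in a 'CONNECT host:port HTTP/1.0' request line."""
    return request_line.split()[1].rsplit(":", 1)[0]

def serve_blocking(requests, resolve=fake_resolve):
    """Vulnerable pattern: one non-forking loop, unbounded wait on the resolver.
    Returns {client: (status, seconds the client waited for its answer)}."""
    start, answers = time.monotonic(), {}
    for client, line in requests:
        try:
            resolve(target_host(line))
            status = "200"
        except OSError:
            status = "502"
        answers[client] = (status, time.monotonic() - start)
    return answers

def serve_hardened(requests, resolve=fake_resolve, resolve_timeout=0.1, workers=8):
    """Mitigation: a worker per client plus a hard cap on resolver wait, so a dead
    nameserver costs one client a quick 502 instead of stalling all clients."""
    start = time.monotonic()
    resolver_pool = cf.ThreadPoolExecutor(max_workers=workers)
    def handle(line):
        try:
            resolver_pool.submit(resolve, target_host(line)).result(timeout=resolve_timeout)
            status = "200"
        except (OSError, cf.TimeoutError):  # lookup failed or exceeded the cap
            status = "502"
        return status, time.monotonic() - start
    with cf.ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {c: pool.submit(handle, line) for c, line in requests}
        return {c: f.result() for c, f in futures.items()}

# Constructed burst: client-A targets the flawed zone, B and C a healthy host.
SAMPLE_REQUESTS = [("client-A", "CONNECT host1.broken.example:443 HTTP/1.0"),
                   ("client-B", "CONNECT intranet.example:443 HTTP/1.0"),
                   ("client-C", "CONNECT intranet.example:443 HTTP/1.0")]
```

With the serial loop, clients B and C wait the full hang time behind A's lookup; with the hardened handler they are answered immediately while A alone receives a 502 once the resolver cap expires.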