In-Reply-To: <20030902145734.2258.qmail@sf-www3-symnsj.securityfocus.com> ZONE LABS SECURITY ADVISORY DENIAL OF SERVICE REPORT OVERVIEW Zone Labs has found no evidence that, under real-world conditions, its products are vulnerable to the Denial of Service attack described by HackologyTeam@yahoo.com at the BugTraq site and mailing list. There is also no evidence that Zone Labs products are vulnerable to the similar attack described by sprog@online.ru in the follow-up post to BugTraq. Date Published: September 3, 2003 EFFECT ON ZONE LABS USERS Little or none. ZONE LABS PRODUCTS Zone Labs tests do not show that computers employing Zone Labs Integrity?, ZoneAlarm® Pro, ZoneAlarm Plus, and ZoneAlarm security products are vulnerable to this attack in real-world situations. DESCRIPTION This Denial of Service (DoS) attempt sends a barrage of UDP packets to a PC protected with ZoneAlarm 3.7 or ZoneAlarm Pro 4.0. The vulnerability reporter claims that this packet flood causes the target PC to hang. Zone Labs' testing did NOT show this under real-world conditions (described below). In the vulnerability report, the attacker included the Perl script to launch the attack. Other important information, such as type of PC and connection speed, was not specified. IMPACT Because the initial report lacked important information, Zone Labs tested the Perl script on multiple PCs with a variety of network speeds. We were unable to replicate the results the testers claim. We noted the following results: 1) While we have seen a somewhat higher CPU usage and related slow-down on the target machine, we have not seen anything resembling a DoS attack. The largest slowdown occurred on a direct computer-to-computer 100-MBit network. Even in that setup, we never observed a complete freeze under any conditions. (Nor were other methods of UDP flooding effective.) For a real-world DoS attack to succeed, it would need to be effective at much slower connection speeds more typical for Internet connections (for example, 1.5-MBit for a T1 or DSL connection). 2) Zone Labs Integrity, ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro were not disabled as a result of the attacks, and the security of the test machines was never compromised by the attempted DoS attack. Once the attempted attacks stopped, the CPU usage went down to normal levels immediately. RECOMMENDED ACTIONS Install any Zone Labs product to protect against UDP-flood attacks. Zone Labs' tests did not show a Denial of Service result. We will be addressing the relatively minor performance issues in upcoming releases. Note that in the typical definition of a Denial of Service attack, the target is a server PC (whose service is thus denied). ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro are not designed to protect server platforms. The following supported platform list applies to Zone Labs products: http://www.zonelabs.com/store/content/support/znalmGeneralFAQ.jsp#9general RELATED RESOURCES BugTraq posting: http://www.securityfocus.com/archive/1/335830/2003-08- 30/2003-09-05/0 CREDITS This report first appeared on the BugTraq vulnerability list. Zone Labs adheres to the vulnerability disclosure guidelines found at http://www.wiretrip.net/rfp/policy.html. These guidelines specify informing a vendor before public disclosure of a possible vulnerability, so a security fix may be created to protect users before malicious software takes advantage of the exploit. We encourage all vulnerability reporters to follow the same procedure. To report a vulnerability, please send an email to security@zonelabs.com. CONTACT Zone Labs customers who are concerned about this issue or have additional technical questions may reach our Technical Support group at: http://www.zonelabs.com/store/content/support/support.jsp. COPYRIGHT (c) 2003 by Zone Labs Incorporated Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Zone Labs. Reprinting the whole or part of this alert in any medium other than electronically requires permission from Zone Labs. > > > ># Overview : ># ># ZoneAlarm is a firewall software ># package designed for Microsoft Windows ># operating systems that blocks intrusion ># attempts, trusted by millions, and has ># advanced privacy features like worms, ># Trojan horses, and spyware protection. ># ZoneAlarm is distributed and maintained ># by Zone Labs.http://www.zonelabs.com ># ># Details : ># ># ZoneAlarm was found vulnerable to a ># serious vulnerability leading to a ># remote Denial Of Service condition due ># to failure to handle udp random ># packets, if an attacker sends multiple ># udp packets to multiple ports 0-65000, ># the machine will hang up until the ># attacker stop flooding.
