SecurityTracker.com

SecurityTracker
Archives


Category:  Application (Firewall)  >  Symantec Enterprise Firewall (Raptor)
Vendors:  Symantec
Symantec Enterprise Firewall (Raptor) Fails to Report Some Alerts via SNMP
Date:  Feb 25 2002
Impact:  Modification of system information
Exploit Included:  Yes  
Version(s): 6.5.x
Description:  Corsaire Security reported a vulnerability in the Symantec Enterprise Firewall (formerly known as the Raptor firewall). Log alerts that contain a large amount of information may not be reported via SNMP.

It is reported that, when the firewall is configured to send alerts via SNMP, it may fail to send log entries that are larger than a certain threshold (1024 bytes). According to the report, the failure will be noted in the log file as shown below:

notifyd[0]: 606 failed to notify: transport=SNMP1, priority=Informational

Corsaire reports that this vulnerability does not appear to be related to the recent SNMP issues discussed in CERT Advisory CA-2002-03.

The vendor has reportedly been notified.

Impact:  Some large alerts may not be reported via SNMP.
Solution:  No solution was available at the time of this entry.
Vendor URL:  enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=9674250&EID=0
Cause:  State error
Underlying OS:  Windows (NT), Windows (2000)
Reported By:  "Martin O'Neal" <BugTraq@corsaire.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 25 2002 (Vendor Issues Fix) Re: Symantec Enterprise Firewall (Raptor) Fails to Report Some Alerts via SNMP   ("Sym Security" <symsecurity@symantec.com>)
The vendor has released a fix.



 Source Message Contents

Date:  Wed, 20 Feb 2002 21:05:35 -0000
From:  "Martin O'Neal" <BugTraq@corsaire.com>
Subject:  Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SN

 



-- Corsaire Limited Security Advisory --

Title: Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SNMP
Date: 21.01.02
Application: Symantec Enterprise Firewall (SEF) 6.5.x 
Environment: WinNT, Win2000
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution


-- Scope --

The aim of this document is to clearly define some issues related to 
potential data loss from the Notify Daemon within the Symantec 
Enterprise Firewall (SEF) environment as provided by Symantec [1].

Note: These issues do NOT appear to be directly related to recent SNMP 
issues announced by CERT as advisory CA-2002-03 [2].


-- History --

Vendor notified: 21.01.02 
Document released: 21.02.02


-- Overview --

The SEF firewall provides multiple methods of alerting an administrator
to firewall log events; audio, external executables, mail, pager and 
SNMP. This functionality is provided by a subsystem known as the Notify 
daemon.

When using the SNMP transport method, it is common to send traps back to 
a network management station (NMS) where they can be centrally coordinated
and managed.

When the log entries are larger than a certain threshold (1024-bytes)
then the Notify daemon starts to discard alerts.


-- Analysis --

If a notification rule is configured to use SNMPv1 to generate alerts for
all event types that are logged, when the notify daemon begins to drop 
alerts, this state is logged within the local firewall audit trail as:

notifyd[0]: 606 failed to notify: transport=SNMP1, priority=Informational

It is worth noting that this alert is not subsequently passed on via SNMP. 

If SNMP is used to alert an administrator of potential issues, then there 
is the risk that the oversized entries will be lost.


-- Recommendations --

The behaviour of the SNMP Notify daemon should be revised to increase the 
size of the log messages accepted, up to the maximum allowed by the SNMP 
standard. Additionally, the daemon should also be amended to truncate the
log messages if oversized and then transmit the shortened entry rather 
than discarding it.


-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=9674250&EID=0
[2] http://www.cert.org/advisories/CA-2002-03.html


-- Revision --

a. Initial release.
b. Revised detail to include clearer explanation of issue.
c. Revised detail to include clearer explanation of issue.


Copyright 2002 Corsaire Limited. All rights reserved. 
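
The failure line quoted in the advisory is written only to the local audit trail and is not forwarded via SNMP, so checking for dropped alerts means reading that log on the firewall itself. The following is an added example (not from the advisory or from Symantec) that counts those lines and flags the nearest preceding entry over 1024 bytes; the log prefixes, the sample entries and the look-back heuristic are assumptions.

```python
import re
from collections import Counter

# Failure line as quoted in the advisory. Anything before "notifyd[" in a
# real log (timestamp, host name) is skipped by using search().
FAILURE_RE = re.compile(
    r"notifyd\[\d+\]: 606 failed to notify: "
    r"transport=(?P<transport>\w+), priority=(?P<priority>\w+)"
)
SNMP_LIMIT = 1024  # size threshold in bytes reported in the advisory


def find_dropped_alerts(lines, limit=SNMP_LIMIT):
    """Return (failures, suspects) for an iterable of audit log lines.

    failures counts 606 lines per (transport, priority); suspects lists
    (line_no, size) of the nearest preceding entry over `limit` bytes,
    an assumed heuristic for locating the entry that was never sent.
    """
    failures = Counter()
    suspects = []
    last_oversized = None
    for line_no, line in enumerate(lines, start=1):
        match = FAILURE_RE.search(line)
        if match:
            failures[(match["transport"], match["priority"])] += 1
            if last_oversized is not None:
                suspects.append(last_oversized)
                last_oversized = None
            continue
        size = len(line.encode("utf-8"))
        if size > limit:
            last_oversized = (line_no, size)
    return failures, suspects


# Constructed sample log: the prefixes and the httpd entries are invented.
SAMPLE_LOG = [
    "Feb 20 21:00:01 fw1 httpd[112]: 121 Statistics: duration=0.4",
    "Feb 20 21:00:02 fw1 httpd[112]: 201 Access denied url=" + "A" * 1100,
    "Feb 20 21:00:02 fw1 notifyd[0]: 606 failed to notify: transport=SNMP1, priority=Informational",
    "Feb 20 21:00:05 fw1 httpd[112]: 121 Statistics: duration=0.2",
]

if __name__ == "__main__":
    failures, suspects = find_dropped_alerts(SAMPLE_LOG)
    for (transport, priority), count in failures.items():
        print(f"{count} alert(s) not delivered via {transport} ({priority})")
    for line_no, size in suspects:
        print(f"line {line_no}: {size}-byte entry likely never reached the NMS")
```

A failure line with no oversized entry before it is still counted but produces no suspect, so the counts remain usable when the heuristic does not apply.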





Copyright 2002, SecurityGlobal.net LLC