IBM SecureWay Firewall Can Be Hung By Remote Users Sending a Flood of Malformed TCP Packets
|
|
SecurityTracker Alert ID: 1005330 |
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Oct 2 2002
|
Impact: Denial of service via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 4.2.x, prior to 4.2.2
|
Description: A vulnerability was reported in IBM's SecureWay Firewall. A remote user can cause the firewall to hang.
SecuriTeam reported that a remote user can send a flood of malformed TCP packets with the TCP flags set to zero to cause the firewall to consume all available CPU resources. This can cause the firewall to stop responding to requests.
SecuriTeam credits Mauro Flores with reporting the flaw.
|
Impact: A remote user can cause the firewall to hang.
|
Solution: The vendor has released a fixed version (4.2.2) and has also released an APAR (IR49046) with 'fwaixfilter4_421d.tar'. More information
is available at:
http://www-1.ibm.com/support/docview.wss?rs=0&q=IR49046&uid=swg185256b4f006cca2486256c31007feaca
|
Vendor URL: www-1.ibm.com/support/docview.wss?rs=0&q=IR49046&uid=swg185256b4f006cca2486256c31007feaca
|
Cause: Exception handling error
|
Underlying OS: UNIX (AIX)
|
Reported By: support@securiteam.com
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 1 Oct 2002 14:28:55 -0500
From: support@securiteam.com
Subject: [UNIX] Flood ACK Packets Cause an IBM SecureWay Firewall to Hang
|
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Flood ACK Packets Cause an IBM SecureWay Firewall to Hang
------------------------------------------------------------------------
SUMMARY
SecureWay is a robust Firewall product developed by IBM that works under
the AIX and Windows platforms. It is not a full-fledged stateful packet
filter, but more like a stateful-inspection with connection-centric
deterministic-filtering firewall.
A security problem in the Firewall has been identified. Whenever a flood
of malformed TCP packets reaches the SecureWay Firewall, it will no
longer be able to respond to legitimate requests (due to high CPU resource
consumption). Due to the nature of this attack, a large portion of
bandwidth is required.
DETAILS
Vulnerable systems:
* SecureWay 4.2.x on AIX
When an all zeroed flags TCP packet is sent to the SecureWay Firewall, the
firewall will take a large amount of processing time for it to determine
that the packet is in fact invalid. Because of this, a flood of such
forged packets will consume a large amount of resources leading to a denial
of service attack.
Vendor Response:
IBM was contacted on July 14, 2002. The vendor confirmed the problem and
released a fix.
Corrective Action:
Update to SecureWay Firewall 4.2.2 version or install APAR
<http://www-1.ibm.com/support/docview.wss?rs=0&q=IR49046&uid=swg185256b4f006cca2486256c31007feaca> IR49046.
ADDITIONAL INFORMATION
The information has been provided by <mailto:maflores@antel.com.uy> Mauro
Flores.
|
|
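Detection logic for the traffic pattern described in the advisory, added here as an example; it is not part of the SecurityTracker alert, the SecuriTeam advisory or IBM's fix. It parses raw IPv4/TCP headers and reports destinations that receive a burst of TCP packets with all flags zero. The function names, the one-second window, the threshold of 100 and the documentation-range addresses are assumptions, and the sample packets are constructed.

```python
import socket
import struct
from collections import defaultdict, deque

NULL_MASK = 0x3F  # FIN, SYN, RST, PSH, ACK, URG

def parse_tcp(packet):
    """Return (dst_ip, flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(packet) < ihl + 14:
        return None  # bad header, later fragment, or truncated TCP header
    return socket.inet_ntoa(packet[16:20]), packet[ihl + 13] & NULL_MASK

def null_flag_floods(events, window=1.0, threshold=100):
    """Map each destination to its peak count of zero-flag TCP packets
    seen within `window` seconds, for destinations reaching `threshold`.
    `events` is an iterable of (timestamp, raw_ip_packet) in time order.
    Keyed on destination because the advisory says the packets are forged."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, packet in events:
        parsed = parse_tcp(packet)
        if parsed is None or parsed[1] != 0:
            continue  # not TCP, or at least one control flag is set
        dst, _ = parsed
        q = recent[dst]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            peaks[dst] = max(peaks.get(dst, 0), len(q))
    return peaks

def build_packet(src, dst, flags):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def sample_events():
    """Constructed traffic: a zero-flag burst, normal SYNs, a few stray nulls."""
    events = []
    for i in range(150):
        events.append((i * 0.003, build_packet(f"198.51.100.{i % 250 + 1}", "192.0.2.1", 0x00)))
        events.append((i * 0.003, build_packet("203.0.113.7", "192.0.2.2", 0x02)))
    events += [(1.0 + i, build_packet("203.0.113.9", "192.0.2.3", 0x00)) for i in range(5)]
    return events

if __name__ == "__main__":
    print(null_flag_floods(sample_events()))
```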