Symantec Enterprise Firewall Lets Remote Users Deny Service or Modify the Configuration
SecurityTracker Alert ID: 1011389
SecurityTracker URL: http://securitytracker.com/id?1011389
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 22 2004
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): Model 100, 200, 200R; prior to firmware build 1.63
Description: Several vulnerabilities were reported in the Symantec Enterprise Firewall. A remote user can cause denial of service conditions on the target device. A remote user can determine the services active on the target device. A remote user can also determine and modify the device configuration settings. Symantec Gateway Security is also affected by some of the vulnerabilities.
Mike Sues of Rigel Kent Security reported that a remote user can conduct a fast UDP port scan against all ports on the WAN interface of the target device to cause the device to stop responding. A power reset is required to return the system to normal operations.
A remote user can conduct a UDP port scan with a source port of UDP 53 against the WAN interface of the target device to determine the services that are active on the device, such as tftpd, snmpd, and isakmp.
It is also reported that the device uses a standard default SNMP community string. A remote user can use a source port of UDP 53 to connect to the SNMP port on the target device and issue GET and SET requests to view and modify the firewall's configuration. It is not possible for the administrator to disable the SNMP service or change the SNMP community string.
Impact: A remote user can cause the device to stop functioning, requiring a power reset to return to normal operations. A remote user can determine the services active on the target device. A remote user can also determine and modify the device configuration settings.
Solution: The vendor has released a fixed firmware version (1.63).
Vendor URL: www.symantec.com/
Cause: Access control error, Authentication error, State error
Reported By: msues@rigelksecurity.com
Message History: None.
Source Message Contents
Date: Wed, 22 Sep 2004 14:50:12 -0400
From: "Mike Sues" <msues@rigelksecurity.com>
Subject: Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Products
Rigel Kent Security & Advisory Services Inc
http://www.rigelksecurity.com
Advisory # RK-001-04
Mike Sues
September 22, 2004
"Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Products"
Platform : Symantec Enterprise Firewall/VPN Appliances 100, 200, 200R
           Symantec Gateway Security 320
           Symantec Gateway Security 320, 360, 360R
Version  : 100, 200, 200R - prior to firmware build 1.63
           320, 360, 360R - prior to build 622
Configuration : Default
Abstract:
========
Three high-risk vulnerabilities have been identified in the Symantec
Enterprise Firewall products and two in the Gateway products. All are
remotely exploitable and allow an attacker to perform a denial of service
attack against the firewall, identify active services in the WAN interface
and exploit one of these services to collect and alter the firewall or
gateway's configuration.
Vulnerabilities:
===============
Issue RK-001-04-01:
Denial of service caused by a fast UDP port scan
Severity: High
Description:
A fast map UDP port scan against all ports (i.e. 1-65535) on the WAN interface of the firewall will cause the firewall to lock up and stop responding. Turning the power off and on will reset the firewall.
The Gateway Security products are not affected by this issue.
Countermeasure:
Install firmware build 1.63
Issue RK-001-04-02:
Filter bypass on WAN interface
Severity: High
Description:
A UDP port scan against the WAN interface of the firewall from a source port of UDP 53 bypasses filter on WAN interface and exposes the following active services,
  tftpd
  snmpd
  isakmp
All other ports are reported as closed.
Countermeasure:
  100, 200, 200R: Install firmware build 1.63
  320, 360, 360R: Install firmware build 622
Issue RK-001-04-03:
Default read/write community string on SNMP service
Severity: High
Description:
The default read/write community string used by the firewall is public, allowing an attacker to collect and alter the firewall's configuration.
By combining this with RK-001-04-02, an attacker is able to exploit this against the WAN interface by sending SNMP GET/SET requests whose source port is UDP 53.
Moreover, the administrative interface for the firewall does not allow the operator to disable the service nor change the community strings.
Countermeasure:
  100, 200, 200R: Install firmware build 1.63
  320, 360, 360R: Install firmware build 622
Credits:
=======
Rigel Kent Security & Advisory Services would like to thank Symantec for
their prompt response and action.
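Added example, not part of the SecurityTracker alert or the Rigel Kent advisory: detection logic a monitoring sensor upstream of an unpatched appliance could run over UDP flow records to flag the traffic patterns described above. The record layout, addresses, thresholds and function names are assumptions made for illustration.

```python
# Added example: detection over constructed UDP flow records (not advisory data).
from collections import defaultdict

WAN_IP = "203.0.113.10"   # constructed WAN address (documentation range)
SERVICES = {69: "tftpd", 161: "snmpd", 500: "isakmp"}  # services named in the advisory
QUERY_TTL = 5.0           # assumed: seconds an outbound DNS query stays pending
SCAN_PORTS = 100          # assumed: distinct destination ports that mark a fast scan
SCAN_WINDOW = 1.0         # assumed: sliding window in seconds

def analyze(flows):
    """flows: time-ordered (ts, src_ip, src_port, dst_ip, dst_port) UDP records."""
    pending = {}                # (resolver_ip, local_port) -> time of outbound query
    recent = defaultdict(list)  # src_ip -> [(ts, dst_port)] inside the window
    alerts = []
    for ts, sip, sport, dip, dport in flows:
        if sip == WAN_IP and dport == 53:      # outbound DNS query: remember it
            pending[(dip, sport)] = ts
            continue
        if dip != WAN_IP:
            continue
        # RK-001-04-01 pattern: one source hitting many ports in a short window.
        win = [(t, p) for t, p in recent[sip] if ts - t <= SCAN_WINDOW]
        win.append((ts, dport))
        recent[sip] = win
        scan = ("udp_fast_scan", sip)
        if len({p for _, p in win}) >= SCAN_PORTS and scan not in alerts:
            alerts.append(scan)                # report each scanning source once
        # RK-001-04-02/03 pattern: source port 53 with no matching recent query.
        if sport == 53:
            asked = pending.get((sip, dport))
            if asked is None or ts - asked > QUERY_TTL:
                alerts.append(("src53_" + SERVICES.get(dport, "unsolicited"), sip))
    return alerts

def sample_flows():
    """Constructed traffic: one real DNS exchange, two source-port-53 probes, a scan."""
    flows = [
        (0.00, WAN_IP, 40000, "198.51.100.53", 53),   # query
        (0.02, "198.51.100.53", 53, WAN_IP, 40000),   # its reply: no alert
        (1.00, "192.0.2.77", 53, WAN_IP, 161),        # "reply" nobody asked for
        (1.10, "192.0.2.77", 53, WAN_IP, 69),
    ]
    flows += [(2.0 + i * 0.001, "192.0.2.99", 40001, WAN_IP, 1 + i) for i in range(150)]
    return flows

if __name__ == "__main__":
    for alert in analyze(sample_flows()):
        print(alert)
```

The source-port-53 check is stateful on purpose: a rule that simply trusts UDP packets arriving from port 53 is the filter weakness the advisory describes, so a "reply" only passes when a matching outbound query is still pending.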