Home page logo

bugtraq logo Bugtraq mailing list archives

Multiple Symantec Firewall Secure Webserver timeout DoS
From: AI-SEC Security Advisories <advisories () ai-sec dk>
Date: Mon, 14 Oct 2002 12:06:48 -0700

Advanced IT-Security Advisory #01-10-2002


Multiple Symantec Firewall Secure Webserver timeout DoS

There exists a problem in "Simple, secure webserver 1.1" which is shipped with numerous Symantec firewalls, in which an 
attacker can connect to the proxyserver from the outside, and issue a HTTP-style 
CONNECT to a domain with a missing, or flawed DNS-server. The "Simple, secure webserver 1.1" appears to wait for a 
timeout contacting the DNS server, and while doing so the software does not fork and 
thereby queues or drops all requests coming from other clients. The timeout usually last up to 300 seconds. Sending 
subsequent requests for other hostnames in the same flawed domain will force the 
Simple, secure webserver 1.1 to stop processing requests for a long time.

The exploit works regardless if the domainname in question is allowed or not in the ACL.

Versions affected: 
Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300

Apply official patch from Symantec

Apply official patch from Symantec, or disable Simple, secure webserver.


Symantec was contacted 22. August 2002. Symantec promptly tested and confirmed our findings, and immediately started 
working on a patch for their customerbase. 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]