
Bugtraq mailing list archives

Denial of Service against Gauntlet-Firewall / SQL-Gateway
From: Oliver Heinz <heinz () arago de>
Date: 24 Sep 2003 13:17:14 -0000

DOS-Attack against Gauntlet Firewall
We found a security issue with the Oracle-Proxy (SQL-Gateway) of Gauntlet Firewall, Version 6 (manufactured by 
Secure Computing/NAI, servers running Solaris 8, newest patches installed). 

Sending subsequent requests with invalid data to the firewall's SQL-gateway results in an immediate crash. The firewall 
won't accept any further connections on any SQL-gw that is defined in the rule base.
Secure Computing as vendor of Gauntlet could reproduce the DOS; patches or bug fixes are not yet available.

We tried to monitor the firewall's sql-gw with our own monitoring-system to make sure that we notice if it does not 
run. Some seconds later, the sql-gw crashed and we were no longer able to connect to the port.

Further investigation of the problem showed that the sql-gw-process can easily be crashed on any Gauntlet-Firewall by 
simply connecting to it:

Try the following (_very_ basic) script, use your firewall's IP instead of aaa.bbb.ccc.ddd, running sql-gw at the 
standard port 1521: 

        for a in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17; do
                telnet aaa.bbb.ccc.ddd 1521
        done

You will see that the last try to connect (#17) results in "Connection refused" and the process of "sql-gw" is no 
longer running on the firewall. ==> A DOS against Gauntlet is very easy.

This is especially unpleasant, as Gauntlet is one of the few major firewall-products that provide true application 
level security _and_ do have a dedicated application-proxy for SQL (sql-net 1 + 2). 
In fact, many companies use Gauntlet especially to protect database-servers.

Solution/ Patches:
Secure Computing (www.securecomputing.com), the manufacturer of Gauntlet-Firewall, has been informed by arago about the 
issue in August 2003 and has been able to reproduce the problem. 
Unfortunately, they have not yet managed to bring out a security-patch :-(
The only current solution they give is to use "plug-gws" instead of the "sql-gws", which obviously weakens security 
_and_ performance a lot, as you lose application-level security!   

Regards, Oliver Heinz

 | arago,                   | Oliver Heinz                             |
 | Institut fuer komplexes  | Bereichsleiter Systembetrieb & Security  |
 | Datenmanagement AG       | eMail: heinz () arago de                    |
 | Am Niddatal 3            |                                          |
 | 60488 Frankfurt am Main  | http://www.arago.de/                     |
 |                          | PGP-Fingerprint: a5de d4b4 46b3 4d8b 2646|
 |                          |                  d4d0 e5fd d842 cc4e 7315|
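
A defender-side sketch of how the pattern described in the post could be spotted in connection logs, added here as an example and not part of the original post: it flags a source that opens many connections to the sql-gw port within a short window and records when the port first starts refusing connections. The log format, the threshold of 10 and the 60-second window are assumptions.

```python
from collections import defaultdict, deque

SQLGW_PORT = 1521   # standard sql-gw port named in the post
THRESHOLD = 10      # assumed alert level, below the 17 attempts in the post
WINDOW = 60         # assumed sliding window in seconds

# Constructed sample records: "<epoch> <src> <dst>:<port> <accept|refused>".
# The format is hypothetical; adapt parse() to your own connection log.
SAMPLE_LOG = [f"{1064409400 + i} 10.0.0.5 192.0.2.10:1521 accept" for i in range(16)]
SAMPLE_LOG.append("1064409416 10.0.0.5 192.0.2.10:1521 refused")
SAMPLE_LOG.insert(3, "1064409402 10.0.0.9 192.0.2.10:1521 accept")
SAMPLE_LOG.insert(0, "1064409000 10.0.0.5 192.0.2.10:25 accept")


def parse(line):
    ts, src, dst, verdict = line.split()
    host, port = dst.rsplit(":", 1)
    return int(ts), src, host, int(port), verdict


def analyse(lines, port=SQLGW_PORT, threshold=THRESHOLD, window=WINDOW):
    """Return (bursts, outages): peak in-window connection count per
    (src, dst) that reached the threshold, and per dst the time of the
    first refusal seen after the port had been accepting connections."""
    recent = defaultdict(deque)
    bursts, outages, seen_up = {}, {}, set()
    for ts, src, dst, dport, verdict in sorted(map(parse, lines)):
        if dport != port:
            continue
        if verdict == "accept":
            seen_up.add(dst)
            q = recent[(src, dst)]
            q.append(ts)
            while q and ts - q[0] > window:   # drop entries outside the window
                q.popleft()
            if len(q) >= threshold:
                bursts[(src, dst)] = max(bursts.get((src, dst), 0), len(q))
        elif verdict == "refused" and dst in seen_up and dst not in outages:
            outages[dst] = ts
    return bursts, outages


if __name__ == "__main__":
    bursts, outages = analyse(SAMPLE_LOG)
    for (src, dst), n in bursts.items():
        print(f"ALERT {src} -> {dst}:{SQLGW_PORT}: {n} connections in {WINDOW}s")
    for dst, ts in outages.items():
        print(f"ALERT {dst}:{SQLGW_PORT} refusing connections since {ts}")
```

Because the post reports that the authors' own monitoring connections were enough to bring the gateway down, an analysis like this works from logs already being collected instead of adding further probes against the port.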
