qcred11
Apr 23 2004, 11:15 PM
| QUOTE |
eEye Digital Security has discovered a severe denial of service vulnerability in the Symantec Client Firewall products for Windows. The vulnerability allows a remote attacker to reliably render a system inoperative with one single packet. Physical access is required in order to bring an affected system out of this "frozen" state. This specific flaw exists within the component that performs low level processing of TCP packets.
Symantec Multiple Firewall TCP Options Denial of Service
Release Date:
April 23, 2004
Date Reported:
March 9, 2004
Severity:
High (Remote Denial of Service)
Vendor:
Symantec
Systems Affected:
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2004
Symantec Norton Internet Security Professional 2003
Symantec Norton Internet Security Professional 2004
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2004
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0
Description:
eEye Digital Security has discovered a severe denial of service vulnerability in the Symantec Client Firewall products for Windows. The vulnerability allows a remote attacker to reliably render a system inoperative with one single packet. Physical access is required in order to bring an affected system out of this "frozen" state. This specific flaw exists within the component that performs low level processing of TCP packets.
Technical Description:
The vulnerability exists in SYMNDIS.SYS when trying to parse through the TCP Options in a TCP packet. When an attacker supplies a single TCP packet with a TCP option of either SACK (05) or Alternate Checksum Data (0F) followed by a length of 00, the SYMNDIS.SYS driver enters an infinite loop and causes the operating system to "freeze up" to the point where it can no longer be accessed outside of the system itself nor can any part of the GUI be accessed including keyboard and mouse. The only way to bring the system back online is to hard boot the system which requires physical access of the system. The attacker only needs to send a single packet to any port on the system regardless of whether or not the port is open. This flaw is still accessible even if the firewall or IDS are enabled/disabled. Below is a portion of a TCP SYN packet (total length of 44 bytes) with a bad SACK TCP option.
Sample Packet:
40 00 57 4B 00 00 01 01 05 00
Window Size: 40 00
Checksum: 57 4B
Urgent: 00 00
TCP Options: 01 01 05 00
The vulnerable code maintains an offset into the TCP option bytes, and attempts to advance past a variable-length option by adding its length to the offset. If the option's length field is zero, then this will result in an infinite loop and the machine halts completely.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Vendor Status:
Symantec has released a patch for this vulnerability. The patch is available via the Symantec LiveUpdate service.
|
tweakz20
Apr 24 2004, 08:25 PM
| QUOTE |
| ...The attacker only needs to send a single packet to any port on the system regardless of whether or not the port is open... |
so simple!
this would of been horrible if it was packed in some sort of virus/worm...
qcred11
Apr 25 2004, 05:39 AM
Yeap, I't really dangerous thing. I'd never used Symantec security product and never will... Too many holes at once - means that they'd never spent enough time to beta test their products and find as more bugs as possible...
shaun2k2
Apr 25 2004, 06:58 AM
| QUOTE |
Yeap, I't really dangerous thing. I'd never used Symantec security product and never will... Too many holes at once - means that they'd never spent enough time to beta test their products and find as more bugs as possible...
|
Nah, I disagree, symantec products are generally very secure. I don't think many bugs have been found in this piece of software. Symantec == securityfocus.
-Shaun.
qcred11
Apr 25 2004, 11:13 PM
I think if somebody discovered couple non-major bugs(another way - non-critical), thats ok. But if the real critical problems was found and a bunch of them at the same time, I'm not sure if i'll ever trust this programs. I know that economy was down and actually is now, and a lot of workers and good programmers lost thier jobs, it means less people doing testing than used to be...
by the way it's not the first time some major bugs was discovered in Symantec product.
tweakz20
Apr 26 2004, 12:51 AM
hey, everyone makes mistakes... Microsoft is pathetic with it's quantity of bugs, probably 50 in just one product, but symantec is pretty good... and they auto patch everything (liveupdate) right? so they're not too bad
qcred11
Apr 26 2004, 03:47 AM
| QUOTE |
hey, everyone makes mistakes...
|
I absolutely agree with you.
Everyone does. Yeah, but in this case you can not compare M$(which is full of bugs
) and Symantec. BTW symantec are patching their products much faster than MS.
Ok, I was maybe a little too strict about Symantec. Definitely it isn't so bad.(talking about Symantec)
shaun2k2
Apr 26 2004, 11:33 AM
Well, Microsoft products might have a few bugs, but they still disclose and document the bugs, and fix them when appropriate. Every product has bugs, undoubtedly
-Shaun.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please
click here.
