17th Oct 2002 [SBWID-5759]
COMMAND
Multiple Symantec Firewall Secure Webserver timeout DoS
SYSTEMS AFFECTED
Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300
PROBLEM
In Advanced IT-Security Advisory [#01-10-2002] [http://www.ai-sec.dk/]:
--snip--
There exists a problem in "Simple, secure webserver 1.1" which is
shipped with numerous Symantec firewalls, in which an attacker can
connect to the proxy server from the outside, and issue an HTTP-style
CONNECT to a domain with a missing or flawed DNS server. The "Simple,
secure webserver 1.1" appears to wait for a timeout contacting the DNS
server, and while doing so the software does not fork and thereby
queues or drops all requests coming from other clients. The timeout
usually lasts up to 300 seconds. Sending subsequent requests for other
hostnames in the same flawed domain will force the Simple, secure
webserver 1.1 to stop processing requests for a long time.
The exploit works regardless of whether the domain name in question is
allowed in the ACL or not.
--snip--
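The failure mode above is a name lookup that blocks the only request-handling path. The sketch below is an added example, not code from Symantec or from the advisory: it shows one defensive pattern for a proxy, running lookups off the request path with a hard deadline and briefly caching domains whose DNS timed out. The class name, parameters and the `.example` hostnames are hypothetical.

```python
import concurrent.futures as cf
import socket
import threading
import time


class BoundedResolver:
    """DNS lookups with a hard deadline, so one dead domain cannot stall
    the proxy for the resolver's full timeout. All names are hypothetical."""

    def __init__(self, lookup=socket.gethostbyname, timeout=2.0,
                 negative_ttl=60.0, workers=8):
        self._lookup = lookup
        self._timeout = timeout
        self._negative_ttl = negative_ttl
        self._pool = cf.ThreadPoolExecutor(max_workers=workers)
        self._slots = threading.Semaphore(workers)
        self._dead = {}  # parent domain -> monotonic time the entry expires

    @staticmethod
    def _parent(host):
        # Simplification: the last two labels stand in for the DNS zone.
        return ".".join(host.lower().rstrip(".").split(".")[-2:])

    def resolve(self, host):
        """Return an address string, or None on failure, timeout or overload."""
        domain = self._parent(host)
        if self._dead.get(domain, 0.0) > time.monotonic():
            return None  # domain timed out recently: fail fast, no query
        self._dead.pop(domain, None)
        if not self._slots.acquire(blocking=False):
            return None  # every worker is busy: shed load, cache nothing
        future = self._pool.submit(self._lookup, host)
        future.add_done_callback(lambda _f: self._slots.release())
        try:
            return future.result(timeout=self._timeout)
        except cf.TimeoutError:
            # Only timeouts mark the domain; a fast NXDOMAIN does not.
            self._dead[domain] = time.monotonic() + self._negative_ttl
            return None
        except OSError:
            return None

if __name__ == "__main__":
    def slow(host):  # constructed stand-in for a DNS server that never answers
        time.sleep(1.0)
        raise OSError("no answer")
    r = BoundedResolver(lookup=slow, timeout=0.1)
    print(r.resolve("a.dead.example"), r.resolve("b.dead.example"))
```

The per-domain cache answers the "other hostnames in the same flawed domain" case without issuing a second query; the worker bound keeps lookups for many different dead domains from piling up unboundedly.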
SOLUTION
See http://www.symantec.com/techsupp