Advanced IT-Security Advisory #01-10-2002

http://www.ai-sec.dk/

Issue:
======
Multiple Symantec Firewall Secure Webserver timeout DoS

Problemdescription:
===================
There exists a problem in "Simple, secure webserver 1.1" which is shipped with numerous Symantec firewalls, in which an attacker can connect to the proxyserver from the outside, and issue a HTTP-style 
CONNECT to a domain with a missing, or flawed DNS-server. The "Simple, secure webserver 1.1" appears to wait for a timeout contacting the DNS server, and while doing so the software does not fork and 
thereby queues or drops all requests coming from other clients. The timeout usually last up to 300 seconds. Sending subsequent requests for other hostnames in the same flawed domain will force the 
Simple, secure webserver 1.1 to stop processing requests for a long time.

The exploit works regardless if the domainname in question is allowed or not in the ACL.

Versions affected: 
==================
Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300

Workarounds:
============
Apply official patch from Symantec

Solutions:
==========
Apply official patch from Symantec, or disable Simple, secure webserver.

Patch:
======
http://www.symantec.com/techsupp

Vendorstatus:
=============
Symantec was contacted 22. August 2002. Symantec promptly tested and confirmed our findings, and immediately started working on a patch for their customerbase.