Bugtraq mailing list archives

Re: Multiple Vendor PC firewall remote denial of services Vulnerability


From: "Sym Security" <symsecurity () symantec com>
Date: Thu, 10 Oct 2002 14:33:01 -0500


Ref: Bugtraq message,  Multiple Vendor PC firewall remote denial of
services Vulnerability,
Date:  Oct 8 2002 2:16AM
Author:  Yiming Gong <yiming () security zz ha cn>
Message-ID:  <002701c26e70$a882eba0$f8ff1dda@penetrat>

Overview
In a default installation, some personal firewall software works with the
auto-block function on. In that case, if you forge a high-severity attack
packet with a spoofed source address and send it to one of these PCs, the
firewall will immediately block the spoofed IP address without any further
judgement. Thus an intruder could quickly and remotely block a great many
Internet addresses for a victim PC.

Example
I've tested this on BlackICE and Norton Personal Firewall

-------------------------snip----------------



October 9, 2002

Symantec Personal Firewall AutoBlock DoS

Risk
Low

Overview

Symantec was notified of a potential denial-of-service (DoS) issue with
Symantec Norton Personal Firewall's AutoBlock feature.  The discoverer,
Yiming Gong, China Netcom, subsequently posted the findings to the BugTraq
mailing list
(http://online.securityfocus.com/archive/1/294411/2002-10-06/2002-10-12/0)
prior to a coordinated response from Symantec.  According to the
discoverer, by directing an attack against a user of a personal firewall
providing a form of auto blocking capability and by spoofing a valid IP
address, an attacker could potentially create a DoS of that address when
the AutoBlock feature blocks access to the IP address for a period of time.
In this manner, a valid IP address could possibly be temporarily denied to
the user of the personal firewall.

Products/Versions
Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003

Symantec Response

Symantec considers the AutoBlock feature of their personal firewall
products to be a valuable part of any Internet security capability.  While
the scenario described in the referenced Bugtraq posting could cause a
minor temporary DoS, a concerted attack of this type would, by its very
nature, be of limited scope.  The default timeout for AutoBlock is 30
minutes so even if an IP address were to be blocked in this manner, it
would be for a limited period.

Symantec's AutoBlock feature does provide an exclusion list so that, should
a user become aware of a spoofed DoS attack of this nature, they could
place the valid IP address in the AutoBlock exclusion list to prevent the
valid site from being blocked automatically.  The attack packets from the
spoofed IP address used in the DoS attempt would still be intercepted by
the firewall, but the intended DoS by the attacker would be thwarted.

However, while Symantec considers a threat of this nature to be very low
risk and highly limited in scope, we are continuously working to increase
the security capability and posture of our products.  Symantec is
researching ways of building additional intelligent decision capability
into our AutoBlock feature.
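The mechanism described in the original posting and the two mitigations named in the response above (the exclusion list and the 30-minute timeout) can be modelled in a few lines. The following is an added illustration written for this page; it is not Symantec's, BlackICE's or the discoverer's code. It assumes a minimal auto-block policy: any packet the (assumed) signature engine flags as a dangerous attack gets its claimed source address added to a block table for BLOCK_SECONDS unless that address is on an exclusion list. All addresses and packets are constructed for the example.

```python
"""Toy model of a personal-firewall AutoBlock table.

Added example, not vendor code.  Assumed policy: a packet flagged as an
attack blocks its *claimed* source address for BLOCK_SECONDS unless that
address is excluded.  Because the decision keys on the source field of the
packet, a spoofed source lets a remote attacker choose which address the
victim's firewall blocks.
"""
from dataclasses import dataclass, field

BLOCK_SECONDS = 30 * 60  # the 30-minute default timeout cited in the advisory


@dataclass
class Packet:
    src: str      # source address as it appears on the wire (may be spoofed)
    dst: str
    attack: bool  # verdict of an assumed signature engine: "dangerous attack?"


@dataclass
class AutoBlockFirewall:
    exclusions: set = field(default_factory=set)   # addresses never auto-blocked
    blocked: dict = field(default_factory=dict)     # src -> expiry timestamp

    def is_blocked(self, src: str, now: float) -> bool:
        """True while src has an unexpired entry; expired entries are purged."""
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[src]
            return False
        return True

    def handle(self, pkt: Packet, now: float) -> str:
        """Return 'DROP' or 'PASS' and update the block table.

        The attack packet itself is always intercepted; the flaw is that the
        spoofed source address is blacklisted for BLOCK_SECONDS as well.
        """
        if self.is_blocked(pkt.src, now):
            return "DROP"
        if pkt.attack:
            if pkt.src not in self.exclusions:
                self.blocked[pkt.src] = now + BLOCK_SECONDS
            return "DROP"
        return "PASS"


def spoofed_dos(with_exclusion: bool) -> tuple:
    """One spoofed attack packet, then two legitimate replies from the server
    whose address was spoofed: one during the block window, one after it.
    Returns the verdicts for the two legitimate replies."""
    victim = "192.0.2.10"   # constructed addresses (RFC 5737 documentation range)
    server = "192.0.2.53"   # a server the victim needs to reach
    fw = AutoBlockFirewall(exclusions={server} if with_exclusion else set())
    t0 = 1_000_000.0
    # attacker forges an attack packet carrying the server's address as source
    fw.handle(Packet(src=server, dst=victim, attack=True), t0)
    during = fw.handle(Packet(src=server, dst=victim, attack=False), t0 + 1)
    after = fw.handle(Packet(src=server, dst=victim, attack=False),
                      t0 + BLOCK_SECONDS + 1)
    return during, after


def addresses_blocked_by_flood(spoofed_sources: list, now: float = 0.0) -> int:
    """How many distinct addresses one attacker blacklists with one spoofed
    attack packet per address (no exclusions configured)."""
    fw = AutoBlockFirewall()
    for src in spoofed_sources:
        fw.handle(Packet(src=src, dst="192.0.2.10", attack=True), now)
    return sum(1 for src in set(spoofed_sources) if fw.is_blocked(src, now))


if __name__ == "__main__":
    print("no exclusion:", spoofed_dos(False))   # ('DROP', 'PASS')
    print("with exclusion:", spoofed_dos(True))  # ('PASS', 'PASS')
    flood = [f"203.0.113.{i}" for i in range(1, 51)]
    print("addresses blocked by a 50-packet flood:",
          addresses_blocked_by_flood(flood))
```

The `spoofed_dos(False)` run shows the reported behaviour: the legitimate server is unreachable until the entry expires. `spoofed_dos(True)` shows the exclusion-list workaround: the forged packet is still dropped, but the server's address is never added to the table. The flood helper shows why the discoverer's "quite a great number of addresses" claim holds for a naive policy: the cost to the attacker is one packet per address blocked.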

Credit

Symantec takes the security and proper functionality of our products very
seriously.  Anyone with information on security issues with Symantec
products should contact symsecurity () symantec com.


Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Security
Response. Reprinting the whole or part of this alert in medium other than
electronically requires permission from symsecurity () symantec com.

Disclaimer
The information in the advisory is believed to be accurate at the time of
printing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential
loss or damage arising from use of, or reliance on this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity
are registered trademarks of Symantec Corp. and/or affiliated companies in
the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole property
of their respective companies/owners.
