Security Hole Found in Symantec Firewalls
A flaw discovered in a common component of Symantec's firewall technology leaves a number of that company's products vulnerable to denial of service attacks, according to a bulletin released by the company and by Advanced IT Security AS, a security services firm with headquarters in Copenhagen, Denmark.
The security hole was discovered in the Web proxy component of Symantec's Enterprise Firewall product, also known as "Simple Secure Webserver 1.1."
The vulnerability concerns the way the Web server handles requests for URLs, addresses used to access Web pages and other resources on the Internet.
According to a security advisory posted on Advanced IT Security's Web site, requests from an attacker for registered but unavailable Internet domains cause the Symantec Web server to pause for as long as five minutes waiting for a reply. During that time, the entire firewall ceases to respond to other, legitimate requests, affecting not only Web traffic to the domain that would go through the firewall, but other types of Internet traffic as well, according to Tommy Mikalsen, chief technology officer of Advanced IT.
Symantec issued a bulletin and patch for the affected products on
There appears to be disagreement between Advanced IT and Symantec, however, on the scope of the problem. Symantec's advisory states that only requests related to URLs featuring the domain protected by the Symantec firewall--as opposed to any domain on the Internet--would produce the timeout. Advanced IT claims that URLs featuring any Internet domain will cause the firewall to fail, according to Mikalsen.
To take advantage of the flaw, attackers would need to, for example, turn off DNS services for an existing domain under their control, then issue a flood of requests to the targeted Symantec firewall for that domain, according to Mikalsen.
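The following Python sketch is an added example, not code from Symantec or from either advisory: it models a proxy loop that blocks on each name lookup, next to one that bounds every lookup with a deadline and caches failed names. The resolver, the host names and the timings are constructed for illustration, with a 0.5-second stall standing in for the five-minute wait.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

STALL = 0.5  # constructed: stands in for the five-minute wait in the advisory

def fake_resolve(host):
    """Constructed resolver: 'dead.example' models a registered domain with no DNS answer."""
    if host == "dead.example":
        time.sleep(STALL)
        raise OSError("no answer")
    return "192.0.2.10"

def serve_serial(hosts, resolve=fake_resolve):
    """Each request blocks on its lookup, so later requests queue behind it."""
    start, done = time.monotonic(), []
    for host in hosts:
        try:
            addr = resolve(host)
        except OSError:
            addr = None
        done.append((host, addr, time.monotonic() - start))
    return done

def serve_bounded(hosts, resolve=fake_resolve, deadline=0.1, neg_ttl=30.0):
    """Lookups run in a worker with a deadline; failures are cached for neg_ttl seconds."""
    start, done, failed_until = time.monotonic(), [], {}
    pool = ThreadPoolExecutor(max_workers=4)
    try:
        for host in hosts:
            addr = None
            # Skip the lookup entirely while a recent failure is still cached.
            if failed_until.get(host, 0.0) <= time.monotonic():
                try:
                    addr = pool.submit(resolve, host).result(timeout=deadline)
                except (LookupTimeout, OSError):
                    failed_until[host] = time.monotonic() + neg_ttl
            done.append((host, addr, time.monotonic() - start))
    finally:
        pool.shutdown(wait=False)  # do not wait for the stalled lookup
    return done

if __name__ == "__main__":
    requests = ["dead.example"] * 3 + ["www.example"]  # constructed sample input
    for name, fn in (("serial", serve_serial), ("bounded", serve_bounded)):
        host, addr, t = fn(requests)[-1]
        print(f"{name}: {host} -> {addr} after {t:.2f}s")
```

In the serial loop the last, legitimate request waits behind every stalled lookup; in the bounded loop it is answered after a single deadline because repeated requests for the dead name hit the failure cache.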
Because the Web server is a common component of Symantec's firewall technology, the vulnerability reported by Advanced IT Security affects a wide range of
Also Monday, Advanced IT released a second advisory concerning what it described as an "information leak" in the Symantec Web server. According to that advisory, differences in the wording of messages returned to outside users by the Web server for valid and invalid host requests could allow an attacker to determine the addresses of hosts behind a Symantec firewall.
In an extreme example, this vulnerability could enable an attacker to scan a company network for Internet Protocol addresses and map the network's topology just by analyzing the messages returned by the Symantec Web server. But, according to Mikalsen, that wouldn't even be necessary.
"As long as you can find one or two hosts within a network, you can infiltrate them and use them for your purposes," Mikalsen says.
That vulnerability affects the Raptor Firewall version 6.5 for Windows NT and version 6.5.3 for Solaris, as well as the Symantec Enterprise Firewall version 6.5.2 for Windows 2000 and NT, according to the advisory from Advanced IT.
According to Mikalsen, Symantec informed Advanced IT that it has known about the information leak vulnerability since 2001 and that the problem had been fixed with a
Symantec could not immediately be reached for comment on either vulnerability reported by Advanced IT.