3 July, 2002
Symantec Enterprise Firewall out-of-band authentication (OOBA) denial of service hardening

Risk Impact
Low (Only customers that are currently using OOBA could be affected.)

Symantec Enterprise Firewall uses a stripped-down version of the Apache HTTP Web Server as an integral part of the Out-of-Band Authentication (OOBA) mechanism. On June 17, 2002, CERT reported a remotely exploitable vulnerability in the way that Apache Web servers (or other Web servers based on Apache source code) handle data encoded in chunks. While investigating the impact of this issue, Symantec engineers discovered that, if enabled, the Symantec Enterprise Firewall OOBA service could be susceptible to a denial of service (DoS) attack.

OOBA uses an Apache HTTP Web Server to facilitate user authentication to the firewall. If the Apache Web server on the firewall is attacked with a chunk-encoding buffer overflow attack, the HTTP server will abort. As a result, the firewall will restart the service. Because restarting the service consumes system resources, a continuous attack on the service will put unnecessary stress on the firewall that could affect system availability to legitimate users. The impact of such an attack would result only in a DoS.
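The chunk-size line of a chunked HTTP body is the client-controlled field that a decoder must validate before it allocates or copies anything. As an added example, not code from this advisory, from Apache, or from Symantec, the decoder below enforces explicit caps (MAX_CHUNK and MAX_BODY are assumed policy values) and fails with a clean error instead of trusting the size the client supplied; the sample requests are constructed.

```python
import re

MAX_CHUNK = 64 * 1024    # per-chunk cap (assumed policy value)
MAX_BODY = 1024 * 1024   # total decoded-body cap (assumed policy value)

# Chunk-size line: 1..8 hex digits, optional ";ext" parameters; no CRLF here.
# Limiting the digit count keeps the parsed value bounded and non-negative.
_CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]{1,8})(?:;.*)?$")


class ChunkError(ValueError):
    """Raised for malformed or oversized chunked input."""


def decode_chunked(data: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body, rejecting anything over the caps."""
    pos = 0
    out = bytearray()
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ChunkError("missing chunk-size line")
        m = _CHUNK_SIZE_RE.match(data[pos:end])
        if not m:
            raise ChunkError("malformed chunk-size line")
        size = int(m.group(1), 16)
        if size > MAX_CHUNK:
            raise ChunkError(f"chunk of {size} bytes exceeds MAX_CHUNK")
        pos = end + 2
        if size == 0:
            return bytes(out)          # last-chunk; trailers are ignored here
        if len(out) + size > MAX_BODY:
            raise ChunkError("decoded body exceeds MAX_BODY")
        # The data must be fully present and CRLF-terminated before we copy it.
        if len(data) < pos + size + 2 or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data truncated or not CRLF-terminated")
        out += data[pos:pos + size]
        pos += size + 2


def rejects(data: bytes) -> bool:
    """True if the decoder refuses the input instead of processing it."""
    try:
        decode_chunked(data)
        return False
    except ChunkError:
        return True


# Constructed samples: a well-formed body and two oversized size lines.
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
TOO_MANY_DIGITS = b"ffffffffffffffff\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n"
OVER_CAP = b"80000000\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n"
```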

Components Affected
Raptor Firewall V6.5.3 (Solaris)
Raptor Firewall 6.5 (Windows NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor 1.0, 1.1, and 1.5
Symantec Gateway Security 1.0

OOBA allows security administrators to define user-based policies for protocols that do not inherently support authentication. For example, using OOBA you can create a rule that allows inbound ICMP (Ping) connections for the security administrator. To enable the connection, the administrator connects to a hardened Apache server running on the firewall and authenticates to the firewall using a Web browser. Once authenticated, the firewall allows connection requests associated with that user session.

The Apache HTTP Web Server used by the firewall OOBA service can be susceptible to a denial of service attack using the recently discovered chunk-encoding stack overflow. For a more detailed description of this issue, please read the following Symantec Security Response Advisory or CERT Advisory CA-2002-17.

Symantec Response
By default, OOBA is disabled out of the box on all firewall installations and the Apache HTTP Web Server is not started. If your security policy does not require user authentication for protocols that do not inherently support in-band authentication, do not enable OOBA. No further action is necessary.

If, however, you enable the OOBA service for out-of-band authentication, the Apache HTTP Web Server will be running on the firewall. If this is the case, Symantec recommends that you install the latest OOBA security hotfix that is available through the Symantec Enterprise Support site.

Symantec takes any product issue seriously. If you require the OOBA service as a part of the functionality of your network, ensure that you install the recommended hotfix.

As a best practice, Symantec recommends keeping all operating systems and applications updated with the latest vendor patches. Keeping mission-critical systems updated with all security patches applied reduces risk exposure.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2002-0392 to the Apache Chunk-Encoded HTTP Request Buffer Overflow.

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

PDF: Symantec Vulnerability Response Policy
PGP: Symantec Product Vulnerability Management PGP Key

Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Last modified on: Monday, 25-Oct-04 14:55:34