“No one has contacted us from a customer or testing point of view.”
Advanced IT-Security contacted Symantec on August 22 to inform the firewall and security software maker that a flaw in the web proxy component of eight of its products could potentially allow a denial-of-service attack.
A statement by Symantec on October 13 notes “a malicious user who is able to establish a remote connection to the proxy server could, by requesting multiple connections to a non-existent or erroneous internal URL, cause the proxy server to time out for an extended period.
“While timed out, the server fails to process any subsequent connection requests.”
A patch is available from Symantec’s enterprise website and the full list of potentially vulnerable Symantec products is: Raptor Firewall 6.5 (Windows NT), Raptor Firewall v6.5.3 (Solaris), Symantec Enterprise Firewalls 6.5.2 (Windows 2000 and NT), V7.0 (Solaris) and 7.0 (Windows 2000 and NT), VelociRaptors 500/700/1000 and 1100/1200/1300 and the Symantec Gateway Security 5110/5200/5300.
Advanced IT-Security technology chief Tommy Mikalson says the vulnerability “means legitimate and secure connections are being dropped from the firewall”.
Advanced IT-Security contacted Symantec on August 27 regarding a second potential vulnerability, this time in the web proxy component in three of the above products, the Raptor Firewall 6.5 (Windows NT), V6.5.3 (Solaris) and the Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT).
According to Advanced IT-Security, the vulnerability was that an attacker could connect to the proxy server from outside and issue a Connect to an IP address on the inside interface, then judge from the messages returned whether any hosts were there.
In Symantec’s words, “a remote user connecting to the proxy server can actually perform limited reconnaissance activity against the internal network behind the firewall, even though access is restricted by the firewall.
“A limited mapping of the internal network” would be possible if an attacker accessed an unpatched product in that manner.
Symantec says the problem was addressed in a patch issued before Advanced IT-Security raised the issue and an Advanced IT-Security advisory says “the Symantec enterprise firewall is not vulnerable to this concern if patched fully up-to-date”.
However, Advanced IT-Security’s Mikalson says “it has been possible for attackers to map out the internals of a network from the internet.
“This may or may not be very serious, but the fact Symantec has not patched this issue until recently is very intriguing.”
He says “most customers should have been contacted personally by Symantec, because of the severity of these issues”.
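For administrators reviewing proxy logs for the second issue described above (outside clients issuing Connect requests to addresses on the inside interface), the following is an added detection example, not code from Symantec or Advanced IT-Security. The log format, the sample lines, the private address ranges used as "internal" and the threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (assumed format: timestamp client method target status).
SAMPLE_LOG = """\
t1 203.0.113.7 CONNECT 10.0.0.1:80 503
t2 203.0.113.7 CONNECT 10.0.0.2:80 200
t3 203.0.113.7 CONNECT 10.0.0.3:80 503
t4 203.0.113.7 CONNECT 10.0.0.2:80 200
t5 10.0.0.50 CONNECT 192.168.1.5:443 200
t6 198.51.100.9 CONNECT www.example.com:443 200
t7 198.51.100.9 CONNECT 10.0.0.1:80 503
t8 198.51.100.9 GET http://www.example.com/ 200
"""

# Assumption: the protected network uses the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_internal_probes(log_text, min_targets=3):
    """Map each external client to the distinct internal IPs it sent CONNECT to,
    keeping only clients that touched at least min_targets internal addresses."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "CONNECT":
            continue
        host = parts[3].rsplit(":", 1)[0]
        try:
            client = ipaddress.ip_address(parts[1])
            dest = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname target or malformed field: not an IP-literal probe
        if not is_internal(client) and is_internal(dest):
            seen[str(client)].add(str(dest))
    return {c: sorted(t, key=ipaddress.ip_address)
            for c, t in seen.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for client, targets in find_internal_probes(SAMPLE_LOG).items():
        print(client, "->", ", ".join(targets))
```
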