<<< Date Index >>>     <<< Thread Index >>>

RE: SonicWall VPN/Firewall Appliance - DoS, ARP Flood, Network mapping vulnerability



This is the message I received from SonicWALL when I contacted their owner
Support web site this afternoon (Eastern) about obtaining the ARP Flood
vulnerability patch:

"From VC_MIRVING: I am sorry, but, we are not aware of any patch. If there
was one available it would be on our website and you would be notified by
SonicWALL about it. I am sorry for any miscommunication."

I've asked them to recheck to make sure the information is correct. Has
anyone received (downloaded) the patch?


-----Original Message-----
From: xeno@xxxxxxx [mailto:xeno@xxxxxxx] 
Sent: Tuesday, March 02, 2004 2:04 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SonicWall VPN/Firewall Appliance - DoS, ARP Flood, Network mapping
vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SonicWall Firewall/VPN Appliance

www.sonicwall.com

Product History:

SonicWALL's family of Internet security appliances provide the first
line of defense against Internet security threats. They include an ICSA-
certified, stateful packet inspection firewall, IPSec VPN for remote
access, IP address management features, and support for SonicWALL value-
added security services.


Vulnerability: DoS, ARP Flood, Network mapping

Date of discovery: January 26th, 2004

Reported to SonicWall: January 27th, 2004

Confirmed by SonicWall: February 16th, 2004

Release date: March 1st, 2004

Product: SonicWall Firewall/VPN Appliance

Tested vulnerable Firmware Revisions:

6.5.0.4
6.5.0.3
6.4.0.2
6.4.0.1
6.3.1.4
6.3.1.0
6.2.0.0

Tested but Not vulnerable:

Sonic OS 2.0 and above

Firmware patch:  Available. Customers must call SonicWall tech support
for more details

Technical details:

Problem #1:
When the device encounters an ARP request on its External (WAN) interface
the SonicWall will check its Internal interface (LAN) ARP Cache to see
if knows about the requested IP. Upon finding the requested IP in its
ARP Cache the Sonic Wall will respond with an ARP reply on behalf of
the IP being ARPed.

Problem #2
If the Sonic Wall does not find the IP in its ARP Cache
and the IP being ARPed is part of a network that is attached to the LAN
interface of the Sonic Wall, it will proxy the ARP request from the WAN
interface through to the LAN interface.

Problem #3
For each single ARP request that the Sonic Wall proxies from the WAN
interface it will make 3 ARP broadcast requests on the LAN side, effectively
amplifying each WAN received request at a 3:1 ratio.

Misc information:

The ARP cache of a Sonic Wall running one of the above firmwares has
a 20 minute life time.
This bypasses all rule sets on the firewall.
There is no logging of Successful ARP requests or replies, so this type
of IP enumeration can go unnoticed.
If the SonicWall does not have the requested IP in its ARP cache and
the IP is not alive on the LAN side of the firewall there will be an
entry in the LOG stating that there was an ARP timeout with a source
IP of 0.0.0.0 and a destination IP of the IP requested.

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkBEMtIACgkQsJZ5tw66F035IgCcDOMvtzxvzLxVR0vs0b7Cw5g/2EgA
n3GcT46eVdyhpMgjHwSvpmtlUijp
=1RFE
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427