F-Secure Internet Gatekeeper Content Scanning Server Denial of Service [iDEFENSE]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: F-Secure Internet Gatekeeper Content Scanning Server Denial of Service [iDEFENSE]
From: "Jérôme" ATHIAS <jerome.athias@xxxxxxxxxxxx>
Date: 10 Sep 2004 04:27:56 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


F-Secure Internet Gatekeeper Content Scanning Server Denial of Service
Vulnerability

iDEFENSE Security Advisory 09.09.04
www.idefense.com/application/poi/display?id=137&type=vulnerabilities
September 9, 2004

I. BACKGROUND

F-Secure Internet Gatekeeper is an antivirus and content filtering
solution for protecting SMTP and HTTP traffic at the Internet gateway.

Additional information is available at:

  http://www.f-secure.com/products/anti-virus/fsigk/

II. DESCRIPTION

Remote exploitation of an input validation error in F-Secure's Internet
Gatekeeper could allow attackers to trigger a denial of service against
the Content Scanner Server.

F-Secure Internet Gatekeeper is an automated antivirus, content
filtering and access control solution for e-mail and Web traffic at the
Internet Gateway. The problem specifically exists in the handling of
malformed packets received by the Content Scanner on port 18,971. A
denial of service condition is triggered during the parsing of the
packet, causing the application to fail with an access violation error.
The vulnerability does not appear to be further exploitable.

III. ANALYSIS

Successful exploitation allows remote attackers to crash the service.
Once the server has crashed, depending on configuration options, a
dialog box may appear on the desktop indicating that the FSAVSD.EXE
process has crashed. Once this has been cleared, or if there is no
dialog box, the server will automatically restart after approximately 30
to 40 seconds. During this time, the server will not respond to any
requests made of it. It is possible to cause the server to fail
repeatedly by sending packets at short intervals.

IV. DETECTION

iDEFENSE has confirmed that F-Secure Internet Gatekeeper Server 6.31
build 33 is vulnerable.

The vendor has reported that the following versions are vulnerable:

  - F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier
  - F-Secure Anti-Virus for Microsoft Exchange 6.01 and earlier 
  - F-Secure Internet Gatekeeper 6.32 and earlier 


V. WORKAROUND

Vendor supplied workaround:

The product can be configured so that only allowed connections are
accepted by the F-Secure Content Scanner Server.

- Configure CSS to accept connections only from known IP addresses:

* In F-Secure Policy Manager Console, go to F-Secure Content Scanner
Server>Settings>Interface and in the "Accept Connections"
setting
specify the comma-separated list of IP addresses the server will accept
requests from.

* In the local user interface, a similar setting can be found on the
Interface tab page under the Server/Interface category.

VI. VENDOR RESPONSE

"We have confirmed the problem with CSS 6.31 which is included in
both
F-Secure Anti-Virus for Microsoft Exchange 6.01 and 6.21 and also in
F-Secure Internet Gatekeeper 6.32. The problem exists also in the older
version, CSS 6.30 which was included in F-Secure Anti-Virus for
Microsoft Exchange 6.20 and F-Secure Internet Gatekeeper 6.30/6.31.
However, the latest released version of the products: F-Secure
Anti-virus for Microsoft Exchange 6.30 and F-Secure Internet Gatekeeper
6.40 which include F-Secure Content Scanner Server 6.40, are not
affected by this anymore.

The reason for the problem was incorrect exception handling. In the new
version of the product the situation [is] fixed with new design and
added validity checks.

We do not consider this a major issue because the products are installed
in the company internal network or at least in DMZ so the port should
not be exposed to the public Internet."

A hotfix is available from:

   http://www.f-secure.com/security/fsc-2004-2.shtml


VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the

names CAN-2004-0830 to these issues. This is a candidate for inclusion

in the CVE list (http://cve.mitre.org),
which standardizes names for 
security problems.

VIII. DISCLOSURE TIMELINE

08/25/2004  Initial vendor notification
08/25/2004  iDEFENSE clients notified
08/25/2004  Initial vendor response
09/09/2004  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice*idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: Remote buffer overflow in Apache mod_ssl when reverse proxying SSL
Next by Date: problem in voip environment
Previous by thread: Re: Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service
Next by thread: problem in voip environment
Index(es):
- Date
- Thread