Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Products
Rigel Kent Security & Advisory Services Inc
http://www.rigelksecurity.com
Advisory # RK-001-04
Mike Sues
September 22, 2004
"Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security
Products"
Platform : Symantec Enterprise Firewall/VPN Appliances
100, 200, 200R
Symantec Gateway Security 320
Symantec Gateway Security 320, 360, 360R
Version : 100, 200, 200R
Prior to firmware build 1.63
320, 360, 360R
Prior to build 622
Configuration : Default
Abstract:
========
Three high-risk vulnerabilities have been identified in the Symantec
Enterprise Firewall products and two in the Gateway products. All are
remotely exploitable and allow an attacker to perform a denial of service
attack against the firewall, identify active services in the WAN interface
and exploit one of these services to collect and alter the firewall or
gateway's configuration.
Vulnerabilities:
===============
Issue RK-001-04-01:
Denial of service caused by a fast UDP port scan
Severity:
High
Description:
A fast map UDP port scan against all ports (i.e. 1-65535) on the WAN
interface of the firewall will cause the firewall to lock up and
stop
responding. Turning the power off and on will reset the firewall.
The Gateway Security products are not affected by this issue.
Countermeasure:
Install firmware build 1.63
Issue RK-001-04-02:
Filter bypass on WAN interface
Severity:
High
Description:
A UDP port scan against the WAN interface of the firewall from a
source
port of UDP 53 bypasses filter on WAN interface and exposes the
following
active services,
tftpd
snmpd
isakmp
All other ports are reported as closed.
Countermeasure:
100, 200, 200R
Install firmware build 1.63
320, 360, 360R
Install firmware build 622
Issue RK-001-04-03:
Default read/write community string on SNMP service
Severity:
High
Description:
The default read/write community string used by the firewall is
public,
allowing an attacker to collect and alter the firewall's
configuration.
By combining this with RK-001-04-02, an attacker is able to exploit
this
against the WAN interface by sending SNMP GET/SET requests whose
source
port is UDP 53.
Moreover, the administrative interface for the firewall does not
allow the
operator to disable the service nor change the community strings.
Countermeasure:
100, 200, 200R
Install firmware build 1.63
320, 360, 360R
Install firmware build 622
Credits:
=======
Rigel Kent Security & Advisory Services would like to thank Symantec for
their prompt response and action.