Webwasher Denial of Service Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Webwasher Denial of Service Vulnerability
From: security@xxxxxxxxxxxxxxxxxxx
Date: 3 Apr 2008 08:30:34 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Credit: The disclosure of this issue has been credited to National Australia 
Bank Security
Assurance. 

Vulnerable: 
Secure Computing Webwasher  6.6.3 build 3102 and older versions running on 
CGLinux 4/5, RHEL 4, Debian 4, SLES10

Not vulnerable: 
Secure Computing Webwasher Builds 3150 and newer (all platforms)

Webwasher (all versions) for Windows
Webwasher (all versions) for Solaris
Webwasher (all versions) for some Linux (RHEL 3, SLES8, SLES9, Debian 3)
Webwasher 5.3 appliances (running CGLinux 3.x)

DISCUSSION

Due to a change in the behavior of newer Linux systems, we have become aware 
that a Denial of Service attack can be launched against Webwasher running on 
Linux based operating systems which will freeze the Webwasher service.  If this 
happens, Webwasher becomes unable to handle any request until the Webwasher 
service is restarted.

The attack can be initiated by an internal user sending a specially crafted URL 
to Webwasher. It could also be exploited by an external attacker by redirecting 
proxy users to the exploit URL. 


Who is affected?
Users of all Webwasher appliances version 6.x (CGLinux 4 or 5):
?If not running current version of Webwasher software but build numbers prior 
to 3150
Users of Webwasher software versions
?If running on RedHat Enterprise Linux 4, Debian Linux 4 or Linux Suse Linue 10
?And if not running current version of Webwasher software but build numbers 
prior to 3150

Who is not affected?
?All Webwasher installations on current versions ? build numbers 3150 or newer 
?Webwasher Software customers on Windows, Solaris, Linux RedHat Enterprise 3, 
Linux Suse 8 and 9, Debian 3.1 and Webwasher appliances running with CGLinux 
3.x are not affected.   

EXPLOIT
A special handcrafted URL has to be sent to Webwasher on the affected Linux 
systems which will then freeze the application.
National Australia Bank Security Assurance has provided an undisclosed proof of 
concept.


SOLUTION

The vendor has released Webwasher versions to address this:
?Webwasher 6.6.3 build 3150
?Webwasher 5.3.0 build 3159
Both are available at: https://extranet.webwasher.com/download/csm/index.html
Webwasher appliances can be upgraded automatically via the GUI

Prev by Date: [ GLSA 200804-02 ] bzip2: Denial of Service
Next by Date: [USN-598-1] CUPS vulnerabilities
Previous by thread: [ GLSA 200804-02 ] bzip2: Denial of Service
Next by thread: [USN-598-1] CUPS vulnerabilities
Index(es):
- Date
- Thread