From pgrundl@kpmg.dk Thu May 2 15:36:45 2002 From: "[iso-8859-1] Peter Gründl" To: bugtraq Date: Thu, 2 May 2002 13:56:53 +0200 Subject: KPMG-2002017: Snapgear Lite+ Firewall Denial of Service [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] -------------------------------------------------------------------- Title: Snapgear Lite+ Firewall Denial of Service BUG-ID: 2002017 Released: 02nd May 2002 -------------------------------------------------------------------- Problem: ======== Several issues with the Snapgear Lite+ Firewall could allow a malicious user to cause a Denial of Service situation, where part of or all of the Firewall would cease to function. Vulnerable: =========== - Snapgear Lite+ V1.5.3 (all issues) - Snapgear Lite+ V1.5.4 (some issues) Not vulnerable: =============== - Snapgear Lite+ V1.6.0 Product Description: ==================== Quoted from the vendors webpage: "The SnapGear LITE+ is an ethernet/broadband VPN router, with one 10/100BaseT WAN port, one 4-port 10/100BaseT switch on the LAN, and one serial port that can have a modem attached for narrowband fallback to dial-out." Details: ======== There are four general areas in which we found problems with the way the Snapgear Firewall handled malicious traffic: HTTP) If external web management had been enabled, creating 50 connections to the web port and cycling through them would result in the firewall crashing. In V1.5.4 this would only result in web management crashing. PPTP) If PPTP had been enabled, creating 50 connections to the PPTP port and cycling through them would result in the firewall crashing. IPSEC) Sending a 0 length UDP packet to UDP port 500 would result in IPSEC exiting. This would result in IPSEC no longer working. This issue was resolved in v1.5.4. IP-OPTIONS) Sending a stream of approx. 7000 packets with malformed IP options through the firewall would result in the firewall crashing. This stream could be sent from the internal network or externally. Vendor URL: =========== You can visit the vendors webpage here: http://www.snapgear.com Vendor response: ================ The vendor was contacted about the first issue on the 14th of February, 2002 and subsequently on the 7th of March, 2002 about the remainding issues. On the 10th of April, 2002 we received a beta version of v1.6.0, which corrected the issues. On the 2nd of May, 2002 we received notification that V1.6.0 had been released. Corrective action: ================== Install firmware version 1.6.0, which is available here: http://www.snapgear.com/downloads.html Authors: Andreas Sandor (asandor@kpmg.dk) & Peter Gründl (pgrundl@kpmg.dk) -------------------------------------------------------------------- KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be lia- ble for any consequences whatsoever arising out of or in connection with the use or spread of this information. --------------------------------------------------------------------